The Case for Knowledge-Based Authentication
Is there still a place for knowledge-based authentication — i.e., asking questions like "What was the name of your first pet?" to prove an identity? Some in the industry say yes.
Knowledge-based authentication methods have been criticized a great deal lately, for much of the "knowledge" they ask for is publicly available on social media and other websites, or available for sale on the black market, or can be dragged out of call center staff and even interactive voice response systems. In some cases, criminals can answer the questions more quickly and accurately than the accountholders and then break into customers' accounts.
But the effectiveness of this method may depend on the questions asked.
"We've done a lot of fine-tuning of our knowledge-based authentication, picking the questions, picking what order, picking the ones customers tend to get right and criminals tend to get wrong," said David Pollino, deputy chief security officer for Bank of the West.
The bank conducts failure analysis to understand which questions are letting customers in and blocking criminals, and vice versa, and adjusts accordingly.
"You can boost ones the criminals have a hard time with but customers have an easy time with," Pollino said. "That's going to vary by different demographics and populations, but [with] a little bit of study of the questions, you can see which ones might be able to be researched on social media or online and which ones might be more difficult to come up with."
A good place to start is a shared piece of knowledge that only the bank and its customer know.
"Knowledge-based authentication based on internal records that hopefully the criminals haven't stolen yet is a good option," said Avivah Litan, a vice president at the research firm Gartner.
A bank might ask the customer for the date of her next mortgage payment. A credit card issuer might ask the size of her credit line or the size of the typical payment she makes on her card.
"These are things that are harder for the criminal to get at," Litan said.
Unfortunately, skilled fraudsters can socially engineer such information out of the call center rep.
"This was certainly a problem in the early days. The crook would just phone back multiple times until he got the right answers," said Richard Parry, principal of Parry Advisors. "Bad training in the call centers was another problem."
Cybercriminals don't even have to game the call center. If they know that one of the knowledge-based questions is "What was your last transaction?" they'll make a $5 deposit in the account right before calling so they know the answer.
"Social engineering is complex and sophisticated and they're very good at it," Parry observed.
Banks could also ratchet up the level of difficulty by asking questions about a completely different product line than the one being accessed. A cybercriminal is unlikely to know that a customer has a mortgage and a credit card at a particular bank, for instance.
"If the customer is being authenticated for online banking and the customer also happens to have a credit card account and the bank also happens to have sufficiently sophisticated infrastructure to interrogate transactions on the credit card account to use in another vertical line of business, you could indeed do something like that," Parry said. "My bank could ask, 'What's the destination of the last plane ticket you put on XYZ card?'"
This is hard for some banks to do — siloed lines of business don't always have access to one another's data, for one thing.
An emerging best practice, Litan noted, is to take a risk-based approach to authentication — to go from easy methods to tougher ones depending on the risk of the transaction.
"I wouldn't rely on knowledge-based authentication for a $10 million wire transfer," she said. "I might not even rely on it for changes to profile information."
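The question-tuning Pollino describes and the risk-based escalation Litan recommends can be expressed as a small policy, shown here as an added example that is not code from any of the banks or analysts quoted. The failure-analysis counts, question identifiers and dollar thresholds are constructed for illustration; the "caller can stage the answer" flag captures the last-transaction problem described above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class QuestionStats:
    """Failure-analysis record for one KBA question (constructed sample data)."""
    qid: str
    customer_pass: int          # genuine customers who answered correctly
    customer_total: int
    fraud_pass: int             # confirmed fraudsters who answered correctly
    fraud_total: int
    internal_record: bool       # answer comes from bank-internal records, not public data
    caller_influenceable: bool  # caller can set up the answer (e.g. "last transaction")

# Hypothetical outcome counts; in practice these come from the bank's own failure analysis.
STATS = [
    QuestionStats("first_pet", 180, 200, 70, 100, False, False),
    QuestionStats("next_mortgage_due", 170, 200, 10, 100, True, False),
    QuestionStats("last_transaction", 190, 200, 80, 100, True, True),
    QuestionStats("credit_line_size", 160, 200, 15, 100, True, False),
]

def question_score(s: QuestionStats) -> float:
    """Customer pass rate minus fraudster pass rate: how well the question separates the two."""
    return s.customer_pass / s.customer_total - s.fraud_pass / s.fraud_total

def select_questions(stats, k: int = 2, min_score: float = 0.5) -> list:
    """Keep the questions that discriminate best; drop any whose answer a caller can stage."""
    pool = [s for s in stats if not s.caller_influenceable and question_score(s) >= min_score]
    pool.sort(key=question_score, reverse=True)
    return [s.qid for s in pool[:k]]

# Assumed thresholds for the step-up ladder; a real policy would be tuned per institution.
HIGH_VALUE_WIRE = 10_000.0

def required_assurance(action: str, amount: float = 0.0) -> str:
    """Risk-based step-up: KBA alone only for low-risk actions, stronger factors as risk grows."""
    if action == "wire" and amount >= HIGH_VALUE_WIRE:
        return "biometric_or_hardware_token"
    if action in ("profile_change", "password_reset"):
        return "kba_plus_otp"
    return "kba"

if __name__ == "__main__":
    print(select_questions(STATS))
    print(required_assurance("wire", 10_000_000))
```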
Litan and others acknowledge that knowledge-based authentication is imperfect.
"Nothing's going to be bulletproof," Litan said. "If you can do knowledge-based authentication right, based on questions criminals have a hard time getting, it's a good, practical option. Just don't expect 100% coverage."
The ultimate answer, Parry suggested, will come in the use of biometrics.
Financial institutions like USAA and U.S. Bank have been deploying facial, thumbprint and voice recognition. Until banks get to 100% adoption of biometric options, however, their fallback is the basic user name and password, which is weaker than knowledge-based authentication.
"I think biometrics is where we're going to end up," Parry said. "The journey towards that will be difficult during transition."
Meanwhile, banks like Bank of the West are taking a layered security approach — using knowledge-based authentication alongside other methods. "The reason we do that is because it gives us the opportunity to fine-tune the controls individually," Pollino said.
Flexibility, it seems, is the key — always watching for cybercriminals' next move and adjusting accordingly.
Editor at Large Penny Crosman welcomes feedback at email@example.com.