Challenge questions, the prompts that many banks and other companies use to authenticate customers' identity online, are themselves giving rise to a new generation of customer service challenge.
The questions, the classic example of which is the request for a mother's maiden name, have evolved over time, in part because widespread use has diluted the security value of the most common ones.
Many banks now use software that routinely asks such questions online, and in the process they are learning that there often is a fine line between questions that screen effectively and those likely to inconvenience legitimate customers. An example of the latter might rely on a piece of information with a short shelf life.
Part two of the challenge: dealing with the frustrated customer who finds online access to an account blocked when unable to answer the security query.
Sam Tuohey, the chief technology officer and the vice president for technology and e-commerce for Stanford Federal Credit Union of Palo Alto, Calif., said its systems sometimes ask people for the last four digits of their home or cell phone number, and some customers were concerned they would be barred from their accounts because their phone numbers have changed.
Stanford Federal uses authentication software that RSA Security Inc. acquired when it purchased PassMark Security Inc. of Menlo Park, Calif., in April. The software evaluates customers' computers when they log in, to verify that they are using a recognized system. If they are not, they must authenticate themselves by answering challenge questions.
When people cannot answer the questions, their first response is usually to call the credit union, but customer service representatives initially could not help, because the software did not let them update the answers on file, Mr. Tuohey said. Eventually, Stanford Federal asked PassMark to change its software to enable the customer service staff to do so.
Amir Orad, the vice president of marketing with RSA's consumer solutions division (which includes the PassMark product), said that the Bedford, Mass., vendor works with financial companies to develop questions that customers can use, and that great care must go into the process.
One rule RSA developed over time is to avoid questions for which the answer may change. Questions whose answers might seem set in stone sometimes are not.
For example, asking the name of a "childhood sweetheart" is not a good idea, Mr. Orad said. "Some customers will change their mind in a few months."
Mr. Tuohey said that in many cases, the problem is that the answer can change over time - as his boss learned the hard way.
John R. Davis, Stanford Federal's chief executive, was once trying to log in to an account he shared with his wife. Mr. Davis "knew her password, but he didn't know her challenge phrase," Mr. Tuohey recalled. "The question was 'What is your favorite movie?' and he thought it was 'Casablanca.' It turned out he was dead wrong," and he was unable to log in to the account. "It was 'Breaking Away.' "
Though Mr. Davis knew his wife was a longtime fan of the Humphrey Bogart film, she had seen the bicycle-racing one not long before she was asked to provide a challenge question for the credit union's authentication software, and "Breaking Away" had replaced "Casablanca," temporarily, as her favorite movie.
She has since changed her answer on the credit union's systems, Mr. Tuohey said.
Stanford Federal also encourages customers to select answers that do not match the questions, he said. "For instance, you can pick 'What are the last four digits of my cell phone number?' " as the question but "type your father's first name" as the answer.
Doing so could improve security but would also make it more likely that the customer would forget the answer, Mr. Tuohey said.
About 25,000 Stanford members have used its online banking site in the past month, and have logged in 200,000 times. In about 280 cases, the user had to answer a question, and 40 to 50 times the question was answered incorrectly.
Customers have three chances to answer a question, and Mr. Tuohey said he could not say whether these people could not access their accounts because of an incorrect answer. However, he did say the credit union has received few complaints from people who could not answer their question.
Mr. Orad said that another complication is that many effective questions are off limits, because "some customers don't feel comfortable answering certain challenge questions."
The most secure questions are also the most personal, he said. RSA's software once included a question asking customers for their Social Security number, but today many customers refuse to provide this, fearing identity theft.
Another issue is that "you don't want to ask the same question everyone's asking," Mr. Orad said; asking for a mother's maiden name is now so common it has lost its effectiveness.
Victor Smilgys, assistant vice president of e-commerce at Technology Credit Union of San Jose, said that financial companies should "stay away from questions with answers that may be limited to only a few popular choices." For example, if the system asks for someone's favorite sport, "many people would answer 'baseball' or 'football.'"
Technology Credit Union began using PassMark's software in November, and Mr. Smilgys said that PassMark helped it craft its challenge questions. The version the credit union is using also permits people to change their own questions and answers within an online banking session.
The credit union has programmed the software to recognize some common abbreviations for street names, but not all of them, and it recommends that people avoid all abbreviations.
One feature Mr. Smilgys would like to see is permitting customers to write their own challenge questions; he has discussed the idea with the vendor. "That way, it's unique to them," he said.
RSA owns not only the PassMark product but also those developed by Cyota Inc., a New York company RSA bought in December. Mr. Orad said that today between 0.25% and 0.5% of its authentication products' users cannot answer the challenge question presented to them. The failure rate was 1.1% to 2.3% when the products were introduced.
When RSA bought PassMark, it learned that the timing of the questions can be critical. The PassMark product presents the challenge when people log in, when customers expect to undergo authentication and are more willing to read the instructions carefully, Mr. Orad said.
Cyota's software asks questions when people try to initiate risky transactions - after they have logged in to the Web site. Mr. Orad said people can be impatient and are less focused on authentication once they have moved past that process, and asking challenge questions later in an online banking session can be off-putting.
In those cases, the questions must be as succinct as possible, or people might get them wrong, he said.
George Tubin, a senior analyst at TowerGroup Inc., a Needham, Mass., unit of MasterCard International, said banks should also pay attention to the technology they use to evaluate the answers. A system designed to use "fuzzy logic" is better at interpreting human answers than a system that accepts only one exact spelling of the answer.
For example, some questions ask people the name of their high school. "If you went to St. Mary's, how you spell the word 'Saint' could be any one of six different ways," he said.
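The two matching problems the article raises, the six spellings of "Saint" in a school name and the street-name abbreviations Technology Credit Union had to special-case, can both be handled by normalizing an answer to a canonical form before it is compared. The following is an added illustration written for this page; it is not code from RSA, PassMark, or either credit union. The abbreviation table, the iteration count, the salt used in the demonstration, and the three-attempt limit (taken from the Stanford Federal figure quoted above) are all assumptions chosen for the example.

```python
"""Canonicalize challenge-question answers before hashing and comparing them.

Added example for this article; hypothetical normalization rules, not any
vendor's product logic.
"""
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Dict, Optional

# Constructed canonical forms (assumption, not a vendor table). Everything is
# folded to the SHORT form so that "St." can stand for either "Saint" or
# "Street" without the normalizer having to guess which one was meant.
CANONICAL = {
    "saint": "st", "ste": "st", "street": "st", "str": "st",
    "avenue": "ave", "av": "ave",
    "road": "rd", "boulevard": "blvd", "drive": "dr",
    "mount": "mt", "fort": "ft",
}

MAX_ATTEMPTS = 3            # the article's credit union allows three tries
PBKDF2_ITERATIONS = 100_000 # assumed work factor for the stored hash


def normalize(answer: str) -> str:
    """Return a canonical, comparable form of a free-text answer."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c))  # drop accents
    text = text.lower()
    text = re.sub(r"[-/]", " ", text)          # "Mary-Ann" -> "mary ann"
    text = re.sub(r"[^a-z0-9\s]", "", text)     # drop periods, apostrophes, etc.
    tokens = [CANONICAL.get(tok, tok) for tok in text.split()]
    return " ".join(tokens)


def _digest(normalized: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalized.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def enroll(answer: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Store only a salted hash of the normalized answer, never the text."""
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt, "digest": _digest(normalize(answer), salt), "failures": 0}


def verify(record: Dict[str, object], attempt: str) -> bool:
    """Compare an attempt against the enrolled record; lock after MAX_ATTEMPTS."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False   # locked; the customer must go through the service desk
    candidate = _digest(normalize(attempt), record["salt"])
    if hmac.compare_digest(candidate, record["digest"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


if __name__ == "__main__":
    # Constructed demonstration values.
    school = enroll("St. Mary's")
    for spelling in ("Saint Marys", "SAINT MARY'S", "st mary's", "St Mary's"):
        print(f"{spelling!r:16} -> {verify(school, spelling)}")
    print(normalize("1234 Main Street") == normalize("1234 Main St."))
```

Folding to the abbreviated form rather than expanding it is the deliberate choice here: expanding "st" would force the code to decide between "Saint" and "Street", while the short form makes every variant collapse to the same string. Because the comparison runs on the normalized text, the answer itself can be kept as a salted hash rather than in the clear, which matters for a secret as low in entropy as a school name or a favorite movie.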
However, Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said that challenge questions may not provide enough security. Simplifying questions is another way of saying "they had to dumb down the questions," and "if they're easy for the customer, they're easy for the fraudster."
Most products that use challenge questions do so only when there is more risk than usual, she said, and those are times "when you need the strongest security, not the weakest."