Time to Raise the White Flag on PII

Grand pronouncements can define an era, or at least crystallize provocative sentiment. In 1966, a New York Times headline proclaimed, "God is Dead." In the early 90s Bill Gates infamously said, "banks are dinosaurs." Neither of these really panned out, but here's one that might: in June, Tower Group's George Tubin declared banks have "lost the battle" over protecting personally identifiable information (PII), and should assume "clients and prospects no longer have any uncompromised private information."

Tubin's comments came in the same month that researchers at Carnegie Mellon published a paper demonstrating they could use statistical techniques to predict Social Security numbers, and in the same year that Heartland Payment Systems reported it was robbed of data on more than 100 million card users, the largest known breach. "You get to the point where you realize that this just isn't stopping," says Tubin, known for his straight-shooting industry assessments. "We've just failed, and we have to do something different."

The idea of getting rid of SSNs and simple questions for authentication is not new: Gartner fraud specialist Avivah Litan told banks they should stop using SSNs for authentication two years ago; after years of study, the federal government began advocating the same last year. But recently, Javelin Strategy & Research found that only 56 percent of card issuers prohibit full nine-digit Social Security numbers in customer-facing interactions. Why? Banks lament that such a move would be expensive. Still, these days there are plenty of less expensive but strong authentication technologies that could be layered to create authentication procedures that stop the vast majority of fraud without using PII data.

Tubin suggests this new authentication paradigm should include deep knowledge-based authentication (KBA), like that provided by Experian and RSA, which quizzes clients on obscure out-of-wallet questions. Experian even offers an automated version of KBA that brings the deployment cost down significantly. Also highly touted among analysts and vendors like ClairMail and VeriSign - but barely deployed by banks - is using SMS to send consumers one-time passwords, and allowing them to approve or deny transactions that seem suspicious via two-way SMS. Voice biometrics also show promise, and the Financial Services Technology Consortium is evaluating their usage in the call center. Cross-channel fraud detection offered by RSA, Actimize, and Memento gives visibility into an industry blind spot.

But SSNs remain useful for account identification and location on internal bank systems. One compromise strategy embraces two distinct use cases for the SSN - authentication and account location - and advocates restoring the utility of the SSN by keeping it away from customer-facing uses. "The bottom line is to minimize the use, abuse and distribution of (SSNs), but recognize [they are] an important identifier for back office systems that aren't exposed to all these customer service representatives," Litan says.
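The split Litan describes, SSN retained for back-office account location but kept out of customer-facing authentication, can be made concrete in code. The following is an added illustration, not code from the article or from any of the vendors it names; the key, account ids and SSN values are constructed for the example. The back-office index stores only a keyed hash of the SSN, customer-facing callers only ever see a masked form, a regex check flags full nine-digit SSNs in customer-facing text (the practice Javelin found only 56 percent of issuers prohibit), and the customer-service authentication path accepts only the non-PII factors the article lists.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical server-side key for the back-office lookup index (an assumption
# for this example; in production it would be held in an HSM or KMS).
INDEX_KEY = b"example-back-office-index-key"

# Matches a full nine-digit SSN with or without dashes, as a whole token.
_FULL_SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def normalize_ssn(ssn: str) -> str:
    """Strip separators and validate the nine-digit shape."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def mask_ssn(ssn: str) -> str:
    """Customer-facing form: only the last four digits survive."""
    return "***-**-" + normalize_ssn(ssn)[-4:]


def ssn_index_token(ssn: str, key: bytes = INDEX_KEY) -> str:
    """Keyed hash used as the back-office lookup key: the index never holds a
    raw SSN and cannot be rebuilt into one without the key."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def contains_full_ssn(text: str) -> bool:
    """Flag a full nine-digit SSN appearing in customer-facing text
    (chat transcripts, CSR notes, e-mail), where it should never be."""
    return _FULL_SSN_RE.search(text) is not None


@dataclass(frozen=True)
class CustomerView:
    """What a customer-facing system or CSR is allowed to see."""
    account_id: str
    ssn_masked: str


class AccountDirectory:
    """Back-office account location by SSN; customer-facing callers get only CustomerView."""

    def __init__(self, key: bytes = INDEX_KEY):
        self._key = key
        self._by_token: Dict[str, str] = {}   # HMAC(SSN) -> account id
        self._masked: Dict[str, str] = {}     # account id -> masked SSN

    def enroll(self, account_id: str, ssn: str) -> None:
        self._by_token[ssn_index_token(ssn, self._key)] = account_id
        self._masked[account_id] = mask_ssn(ssn)

    def locate(self, ssn: str) -> Optional[str]:
        """Back-office only: find the account for an SSN via the keyed index."""
        return self._by_token.get(ssn_index_token(ssn, self._key))

    def customer_view(self, account_id: str) -> Optional[CustomerView]:
        masked = self._masked.get(account_id)
        return CustomerView(account_id, masked) if masked else None


def customer_service_authenticate(answers: Dict[str, object]) -> bool:
    """Customer-facing authentication: require two of the non-PII factors the
    article names, and refuse any attempt to authenticate with an SSN."""
    accepted = ("kba", "sms_otp", "voice_biometric")
    if "ssn" in answers or any(contains_full_ssn(str(v)) for v in answers.values()):
        return False
    passed = [factor for factor in accepted if answers.get(factor) is True]
    return len(passed) >= 2


if __name__ == "__main__":
    directory = AccountDirectory()
    directory.enroll("ACC-1", "123-45-6789")           # constructed sample SSN
    print(directory.locate("123456789"))                # back office: ACC-1
    print(directory.customer_view("ACC-1"))             # CSR: ***-**-6789 only
    print(contains_full_ssn("customer gave 123-45-6789 on chat"))
    print(customer_service_authenticate({"kba": True, "sms_otp": True}))
```

The design point is that `locate` and `customer_view` are separate entry points: the keyed index can be placed on a back-office service that customer-facing systems cannot call, so a compromised CSR workstation or chat channel yields at most the last four digits, while the bank keeps the SSN's value as an internal identifier.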
