If your bank or credit union is still asking traditional challenge questions for its online or mobile log-in (e.g., “What is your mother’s maiden name?”), you are becoming increasingly vulnerable to fraudulent activity. The reason? Thousands (millions?) of social media enthusiasts are sharing their personal lives with online friends, followers and, unknowingly, technically sophisticated fraudsters.
“Social media has had an enormous impact on identity authentication,” said Jodi Florence, vice president of marketing at IDology, which provides identity verification solutions. “It is easier than ever to find out personal information about someone through social networking sites. Couple this with the fact that most consumers have a hard time remembering the answers to their shared secrets and so will end up using factual information.”
Federal Financial Institutions Examination Council guidelines released this past summer addressed the growing threat from social-media sharing by advising financial institutions to move beyond so-called traditional challenge questions to knowledge-based authentication or out-of-wallet questions for online/mobile identity authentication. These questions deal with facts only the customer would know (e.g., “What was the color of your first car?” or “What is your monthly car payment?”). The guidelines further recommend customers be required to answer more than one question, and a red-herring question be added “designed to trick the fraudster, but which the legitimate customer will recognize as nonsensical.”
Fortunately, a growing number of banks and credit unions are transitioning to more robust authentication solutions. This is critical because fraudsters do not discriminate by bank size or location. As a result, financial institutions not only need multifactor authentication in place, but they also must recognize the events that suggest an account may be under attack, such as a customer logging in from a new device and forgetting a password; contacting a call center to change a password; or initiating a change of address or account information.
Florence recommends three steps to help prevent fraudulent activity:
With software-as-a-service technology, these steps can be implemented using next-generation identity verification solutions without the purchase of additional hardware or software. For example, a bank or credit union can integrate the SaaS-based ExpectID verification solution from IDology into its website or online platform through the company’s application programming interface, deploy the solution in its call center using IDology’s real-time Web portal and even deliver questions to a mobile device.
“The biggest challenge FIs face today, and most likely will continue to face in the future,” said Florence, “is their ability to change at the same pace as fraud.” Keeping pace is not easy, however. A recent report by Javelin Strategy and Research, for example, indicates that KBA is losing favor among consumers. “Our research shows that almost two-thirds of consumers are interested in using biometric authentication,” said James Van Dyke, president of Javelin. Although biometrics can be used to strengthen the process, Florence points out that out-of-wallet questions are still needed to determine a person’s identity.
The best advice is to remain vigilant in offering a secure online/mobile authentication solution, and to educate customers about the effectiveness of the solution in protecting their accounts. The result, Van Dyke and Florence emphasize, will be improved customer retention and increased usage of more cost-effective remote banking channels.
Michael Scheibach is executive editor of BankNews.
Copyright (c) January 2012 by BankNews Media