All posts by Monica Pearson
What is blockchain? Blockchain is beginning to get a lot of attention, so I thought it might be time to figure out what it is and what it means. Basically, a blockchain is a permissionless, distributed database that maintains a growing list of records (transactions) in a linear, chronological (and time-stamped) ledger. At a high level, this is how it works. Each computer connected to the network gets a copy of the entire blockchain and performs the task of validating and relaying transactions for the whole chain. The batches of valid transactions added to the record are called “blocks.” A block is the “current” part of a blockchain that records some or all of the recent transactions and once completed goes into the blockchain as a permanent database. Each time a block gets completed, a new block is created, with every block containing a hash of the previous block. There are countless numbers of blocks in the blockchain. To use a conventional banking analogy, the blocks would be a full history of every banking transaction for every person, and the blockchain would be a complete banking history. The entire blockchain is sent to everyone who has access, and every user validates the information in the block. It’s like if Tom, Bob and Harry were standing on the street corner and saw a cyclist hit by a car. Individually, all three men will be asked if the cyclist was struck by the car, and all three will respond “yes.” The cyclist being hit by the car becomes part of the blockchain, and that fact cannot be altered. Blockchain generally is used in the context of bitcoin, where similar uses of the structure are called altchains. Why should I care or, at the very least, pay attention to this movement? Because the idea of it is inching toward the tipping point of mainstream. I recently read an article that identified some blockchain trends that could shape the industry in coming months. The ones I found most interesting were: Blockchain apps will be released Interest in use cases outside payments will pick up Consortia will prove to be important Venture capital money will flow to blockchain start-ups While it’s true that much of the hype around blockchain is coming from people with a vested interest, it is beginning to generate more generalized market buzz as its proponents emphasize how it can reduce risk, improve efficiency and ultimately provide better customer service. Let’s face it, the ability to maintain secure, fast and accurate calculations could revolutionize the banking and investment industries, as well as ecommerce. In fact, 11 major banks recently completed a private blockchain test, exchanging multiple tokens among offices in North America, Europe and Asia over five days. (You can read The Wall Street Journal article here.) As more transactions and data are stored in blockchain or altchain, greater possibilities open up. It’s these possibilities that have several tech companies, like IBM, as well as financial institutions creating what has become known as an open ledger initiative to use the blockchain model in the development of new technologies that will enable a wider array of services. There is no doubt that the concept is intriguing — so much so that even the SEC has approved a plan to issue stock via blockchain. (You can read the Wired article here.) The potential is enough to make many folks giddy. The idea that risk could become a thing of the past because of the blockchain’s immutable historical record — wow. It’s good to be aware and keep an eye on the open ledger initiative, but let’s not forget history, which has taught us that (in the wise words of Craig Newmark), “Crooks are early adopters.” Since blockchain’s original and primary usage has been with bitcoin, I don’t think it is unfair to say that there will be some perceptions to overcome — like the association of bitcoin to activities on the Dark Web such as money laundering, drug-related transactions and funding illegal activities. Until we start to see the application across mainstream use cases, we won’t know how secure blockchain is or how open business and consumers will be to embracing it. In the meantime, remind me again, how long has it taken to get to a point of practical application and more widespread use of biometrics? To learn more, click here to read the original article.
With the most recent guidance newly issued by the Federal Financial Institutions Examination Council (FFIEC) there is renewed conversation about knowledge based authentication. I think this is a good thing. It brings back into the forefront some of the things we have discussed for a while, like the difference between secret questions and dynamic knowledge based authentication, or the importance of risk based authentication. What does the new FFIEC guidance say about KBA? Acknowledging that many institutions use challenge questions, the FFIEC guidance highlights that the implementation of challenge questions can greatly impact efficacy of its usefulness. Chances are you already know this. Of greater importance, though, is the fact that the FFIEC guidelines caution on the use of less sophisticated systems and information that can be easily guessed or obtained from an Internet search, given the amount of information available. As mentioned above, the FFIEC guidelines call for questions that “do not rely on information that is often publicly available,” recommending instead a broad range of data assets on which to base questions. This is an area knowledge based authentication users should review carefully. At this point in time it is perfectly appropriate to ask, “Does my KBA provider rely on data that is publicly sourced” If you aren’t sure, ask for and review data sources. At a minimum, you want to look for the following in your KBA provider: · Questions! Diverse questions from broad data categories, including credit and noncredit assets · Consumer question performance as one of the elements within an overall risk-based decisioning policy · Robust performance monitoring. Monitor against established key performance indicators and do it often · Create a process to rotate questions and adjust access parameters and velocity limits. Keep fraudsters guessing! · Use the resources that are available to you. Experian has compiled information that you might find helpful: www.experian.com/ffiec Finally, I think the release of the new FFIEC guidelines may have made some people wonder if this is the end of KBA. I think the answer is a resounding “No.” Not only do the FFIEC guidelines support the continued use of knowledge based authentication, recent research suggests that KBA is the authentication tool identified as most effective by consumers. Where I would draw caution is when research doesn’t distinguish between “secret questions” and dynamic knowledge based authentication, which we all know is very different.
It’s that time of year again – when people all over the U.S. take time away from life’s daily chores and embark upon that much-needed refresh: vacation! But just as fraud activity spikes during the holidays, there are also fraud trends suggesting spikes in fraudster activity during the summer. With consumers on vacation, identity theft becomes easier. Consumers are most likely to break their normal spending trends and break patterns established by fraud analytics; and consumers are less likely to be as attentive to elements that can help minimize fraud while out of town. There has been plenty of research to demonstrate that fraudsters perpetrate account takeover by changing the pin, address, or email address of an account. Now, fraudsters are more likely to add themselves as an authorized user to the account, which may not be considered a high-risk flag in transactional decisioning strategies. By identifying risky behaviors or patterns outside of a consumer’s normal behavior and an engaging in a knowledge based authentication session with the consumer, it is possible to help minimize the risk of fraud. Knowledge based authentication provides strong authentication and can be part of a risk-based approach to on-going account management, protecting both businesses and consumers from being burned, at least by fraudsters, while on vacation.
Last week I attended the Merchant Risk Council’s 2011 MRC Annual e-Commerce Payments & Risk Conference. I presented a session titled “Efficiency and Empowerment in Risk-based Authentication” with a client who has been able to use knowledge based authentication as a sales enabler - Home Shopping Network. You might be wondering what I mean by this. It is actually pretty simple: Home Shopping Network already has a fraud prevention program in place and utilizes risk based authentication to send a percentage of orders to an outsort queue. By using knowledge based authentication to further verify the true consumer, Home Shopping Network has been able to release an increased portion of those orders for shipping, increasing both revenue and the customer experience. The paradigm shift was thinking of knowledge based authentication as a sale enabler, rather than just a fraud tool. It was a great experience, to help share the story of this client’s success. If you are interested in the Merchant Risk Council: The Merchant Risk Council (MRC) is a merchant-led trade association focused on electronic commerce risk and payments. They lead industry networking, education, benchmarking and advocacy programs to make electronic commerce more efficient, safe and profitable. For more information on the Home Shopping Network, visit: http://www.hsn.com
Let’s face it – not all knowledge based authentication (KBA) is created equal. I, too, have read horror stories of consumers forced to answer questions about a deceased relative or ex-spouse, or KBA sessions that went on far too long for anyone’s benefit. I have to attribute this to vendor inexperience and a lack of consulting with clients. An experienced vendor will use a fraud best practice such as a fraud analytics model to determine that some consumers do not even need questions and then a “Progressive Question” feature, which uses consumer performance on an initial question set to determine if it is necessary for the consumer to answer additional questions. This way, the true consumer completes the process quickly, improving the customer experience. The product of choice should also use a question mix that balances three factors: · how easily the true consumer can answer the question; · the fraud separation of the question (effectively the measured delta over time between how well true consumers answer the question vs. how well fraudsters do); · how many consumers overall the question can be generated. A list of hundreds of possible questions doesn’t mean much if the questions can only be generated for one quarter of one percent of the population, as is the case for something like airplane ownership or pilot’s license. Ultimately, out of wallet questions should be generated for a large part of the population, easily answered by the true consumer but difficult for a fraudster; and not offensive or what a consumer would consider “creepy” (such as their child’s birthday or name). Well designed questions will be personal but not intrusive and mindful of personal relationships that may have changed. The purpose of a knowledge based authentication session is risk management and/or consumer authentication for fraud prevention and compliance purposes – not to cause the loss of business because the fraud tool crossed the line in the mind of your customer.
Experian Decision Analytics has recorded increased demand from the marketplace for service integrations with interactive voice response (IVR), a phone technology that allows for automated detection of both voice and touch–tones. In the past quarter, there has been a more than 70 percent increase in IVR interest and it continues to grow. Why is there a demand for knowledge based authentication through IVR? Besides consumer acceptance of out of wallet questions, there is a dramatic increase in the need for remote authentication and fraud analytics that are accurate, not a burden to the consumer, cost–effective for organizations and part of an overall risk based authentication approach. Consumers stay connected in a number of ways — phone, online, mobile and short message service (SMS) — and are demanding the means to remain safe without compromising convenience. Knowledge based authentication through IVR provides this safety. Organizations must consider all the tools at their disposal to keep consumer data protected while preserving and promoting a positive customer experience. Given the interactive nature of knowledge based authentication, it is quite adaptable to various customer access channels, such as IVR, and it enables full automation of both inbound and outbound authentication calls. We know from both our own experience and from working with clients that consumers are more connected, more mobile and more networked than ever before - and fraud trends demonstrate this increases risk. As consumers continue to expand online profiles and fraud artists continue to seek out victims, successful fraud prevention will become paramount to financial survival. Leveraging products already in use by combining the technology capitalizes on an existing investment and is good business.
Anyone keeping tabs on the legal scene would think data breaches are something new, given all of the legislation hitting the floor of Congress, when in reality they have been happening since businesses began saving data. The truth is the average consumer didn’t really think about it until they started to hear about data breaches and fraud trends when California blazed a trail with what is considered to be the “grandma” of data breach laws back in 2002. The California law (CA SB 1386) required entities to report data breaches if a California resident was a record in the breach that included personally identifiable information and met the state’s criteria for breach. One might say that law started it all: data breach reporting, the ability for watchdog tracking, and media coverage – before CA SB 1386 we only saw the tip of the iceberg. There are currently four bills worth watching in Congress right now that could have some significant impact to data breach notification requirements: Senate Bill 139, sponsored by California Sen. Diane Feinstein. The Data Breach Notification Act would cover any agency or business that uses or stores personal identifiable information and make it mandatory that if a breach occurred, the victims would be informed Senate Bill 3579, the Carper-Bennett legislation, entitled the Data Security Act of 2010 applies to financial institutions, retailers and government agencies, and would require these entities to safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud. This bill is aimed to protect consumers and businesses from identity theft and account fraud. Senate Bill 3742, entitled The Data Security and Breach Notification Act of 2010, sponsored by Senators Mark Pryor and Jay Rockefeller would cross industries and requires special requirements for data brokers. It was referred this month to the Committee on Commerce, Science and Technology, which Rockefeller chairs. Senate Bill 1490, entitled the Personal Data Privacy and Security Act, designates as fraud unauthorized access of personally identifiable information and allows the act to lead to racketeering charges. Sponsored by Senate Judiciary Committee Chairman, Patrick Leahy, it would also prohibit concealment of security breaches involved in fraud and prohibit the dismissal of a Chapter 7 bankruptcy case if the debtor is an identity-theft victim. Many organizations already provide for data breach and the security of personally identifiable information as part of an Identity Theft Prevention Program or Red Flags Rule compliance. I’m happy to say that many rely on Experian tools (https://www.experian.com/data-breach/data-breach-resources.html) for data breach or Enterprise Risk Management solutions. However, any of these bills could change the game for many businesses not already regulated by the Gramm-Leach-Bliley Act (GLB), the Fair Credit Reporting Act (FCRA) or Fair and Accurate Credit Transactions Act (FACTA). In fact, two of the bills would essentially subject data brokers to the same kinds of legislation that financial institutions have under FCRA. The reasoning behind it is that fraud trends continue to show risk levels are the same to the consumer, regardless of where the information is stored. The financial industry and credit bureau data have been regulated for years so, in a sense, I think it’s just “more of the same” unless you happen to be in an industry not regulated as stringently. Still… it’s worth keeping those “tabs” and RSS feeds alive.
Working with clients in the financial sector means keeping an eye toward compliance and regulations like the Gramm-Leach-Bliley Act (GLB), the Fair Credit Reporting Act (FCRA) or Fair and Accurate Credit Transactions Act (FACTA). It doesn’t really matter what kind of product it is, if a client is a financial institution (FI) of some kind, one of these three pieces of legislation is probably going to apply. The good part is, these clients know it and typically have staff dedicated to these functions. In my experience, where most clients need help is in understanding which regulations apply or what might be allowed under each. The truth is, a product designed to minimize fraud, like knowledge based authentication, will function the same whether using FCRA regulated or non-FCRA regulated data. The differences will be in the fraud models used with the product, the decisioning strategies set-up, the questions asked and the data sources of those questions. Under GLB it is acceptable to use fraud analytics for detection purposes, as fraud detection is an approved GLB exception. However, under FCRA rules, fraud detection is not a recognized permissible purpose (for accessing a consumer’s data). Instead, written instructions (of the consumer) may be used as the permissible purpose, or another permissible purpose permitted under FCRA; such as legitimate business need due to risk of financial loss. Fraud best practices dictate engaging with clients, and their compliance teams, to ensure the correct product has been selected based on client fraud trends and client needs. A risk based authentication approach, using all available data and appropriately decisioning on that data, whether or not it includes out of wallet questions, provides the most efficient management of risk for clients and best experience for consumers.
There are a number of people within the industry heralding the death of knowledge based authentication. To those people I would say, “In my humble opinion you are as wrong as those recent tweets proclaiming the death of Bill Cosby.” Before anyone’s head spins around, let me explain. When I talk about knowledge based authentication and out of wallet questions, I mean it in the truest sense, a la dynamic questions presented as a pop quiz and not the secret questions you answered when you set-up an account. Dynamic knowledge based authentication presents questions are generated from information known about the consumer, concerning things the true consumer would know and a fraudster wouldn’t. The key to success, and the key to good questions, is the data, which I have said many, many times before. The truth is every tool will let some fraud through; otherwise, you’re keeping too many good customers away. But if knowledge based authentication truly fails, there are two places to look: Data: There are knowledge based authentication providers who rely solely on public record data for their KBA solutions. In my opinion, that data is a higher data risk segment for compromise. Experian’s knowledge based authentication practice is disciplined and includes a mix of data. Our research has shown us that a question set should, ideally, include questions that are proprietary, non-credit, credit and innovative. Yes, it may make sense to include some public record data in a question set, but should it be the basis for the entire question set? Providers who can rely on their own data, or a strategic combination of data sources, rather than purchasing it from one of the large data aggregators are, in my opinion, at an advantage because fraudsters would need to compromise multiple sources in order to “game the system.” Actual KBA use: Knowledge based authentication works best as part of a risk management strategy where risk based authentication is a component within the framework and not the single, determining factor for passing a consumer. Our research has shown that clients who combine fraud analytics and a score with knowledge based authentication can increase authentication performance from 20% - 30% or more, depending on the portfolio and type of fraud (ID Fraud vs. First Party, etc.)… and adding a score has the obvious benefit of increasing fraud detection, but it also allows organizations to prioritize review rates efficiently while protecting the consumer experience. So before we write the obituary of KBA, let’s challenge those who tinker with out of wallet products, building lists of meaningless questions that a 5th grader could answer. Embrace optimized decisions with risk based authentication and employ fraud best practices in your use of KBA.
A few days ago I saw an article about hackers working from Russia, while committing check fraud in the United States. In what those investigating are calling a brilliant operation, the fraudsters compromised companies that archive and store records of check images or checks themselves. They then downloaded those check images and all available information. By printing new checks and using an old Internet “money mule” scheme, the fraudsters were able to send the bogus checks to ”the mule”, often as a payment, and have the check cashed at the mule’s bank to get the balance of the funds wired to an off-shore bank account. That article made me think about new breakthroughs in technology. What if those fraudsters had been a little savvier? What if they had the most recent smart phone application installed and didn’t need a mule to wire the money? They could have simply written checks and uploaded them for deposit to an account to which they had gained access with the hottest application du jour – deposit via photo image uploaded from a smart phone. That application would have allowed the fraudsters to cash the bogus check, gain access to the funds and move them to the next account at will. Or would it? Given the move toward mobile banking, it isn’t really a stretch to see this kind of thing happening. Probably not, but if organizations offering this kind of service use a risk based authentication approach it is more likely they use fraud models and decisioning strategies to minimize fraud and protect consumers while pushing out the latest technology. For those reasons, risk management solutions and enterprise fraud vendors need to not only keep pace with technology but also stay ahead of the curve in order to provide optimized decisions and the most relevant fraud analytics. Considering recent fraud trends and my love affair with mobile everything, I know I want the organizations I do business with to do everything they can to prevent fraud…and I’m positive I want my smart phone to be as smart as possible.
In “An ounce of prevention is worth a pound of cure” Kristan Frend touched on the vulnerabilities faced by members of our Armed Services. That post made me think about recent fraud trends. Over the course of this spring and summer, I attended a few conferences and at one of these events something a bit disturbing occurred – a staff member for one of the exhibitors was victimized during the event. The individual’s wallet, containing cash and credit cards, was stolen along with the person’s passport and the victim didn’t realize it until they received their wake-up call the next morning. The few people who heard about it wondered “How could this happen at an event of industry professionals?” The answer is simple. Even industry professionals are every-day consumers, vulnerable to attack. As part of our Knowledge Based Authentication practice, Experian engages in blind focus group interviews with “every-day consumers” facilitated by an independent consulting group on Experian’s behalf. What we learn during those sessions informs our best practices for many of the fraud products and guides our process for new question generation in Knowledge Based Authentication. It is also an eye-opening experience. Through our research we have learned that participant consumers are now more aware and accepting of Knowledge Based Authentication than in past years. Knowledge Based Authentication has become a bellwether, consumers expect it. They also expect organizations they deal with to have an Identity Theft Prevention Program – and the ability to recognize when something “just isn’t right” about a situation. However, few participants cited a comprehensive strategy to protect themselves against identity theft, and even fewer actually demonstrated a commitment to follow a strategy, even when they had one. During open and honest conversation in a relaxed setting, participants revealed their true behavior. Many admitted they still use the same password for all their accounts, write their passwords down, and keep copies of their passwords in easily accessible places, such as a purse or a wallet, a desk drawer or an online application. The bottom line is this: Most people will attempt to do what they think they should to protect themselves from identity theft, including shredding or tearing up mail offers, selectively using credit cards and/or monitoring their garbage. However, if the process is too cumbersome or if it requires that they remember too much, they will default to old habits. As Kristan pointed out, thieves may increasingly rely on computer attacks to gather data, but many still resort to low-tech methods like dumpster diving, mail tampering, and purse and wallet theft to obtain privacy sensitive information. When that purse or wallet contains not only personally identifiable information, but also account passwords, the risk levels are significantly higher. Cyber attacks are a threat, but a consumer’s own behavior may be just as risky. As for the victim in this story… a very sharp desk clerk at a neighboring hotel thought it strange that someone was checking-in for a number of days without a reservation at full rate and without luggage, which started the ball rolling and led to the perpetrator being caught and the victim getting everything back except for some cash that had been spent at a coffee merchant. Clearly, this close call didn’t turn-out as badly as it could have.
In case you’ve never heard of it, a Babel fish is a small translator; that allows a carrier to understand anything said in any form of language. Alta Vista popularized the name but I believe Douglas Adams, author of The Hitchhiker’s Guide to the Galaxy, should be given credit for coining the term. So, what does a Babel fish have to do with Knowledge Based Authentication? Knowledge Based Authentication is always about the data – I have said this before. There is one universal truth: data doesn’t lie. However, that doesn’t mean it is easy to understand what the data is saying. It is a bit like a foreign language. You may have taken classes, and you can read the language or carry on a passable conversation, but that doesn’t mean it’s a good idea to enter into a contract – at least, not without an attorney who speaks the language, or your very own Babel fish. Setting up the best Knowledge Based Authentication configuration for risk management of your line of business can sometimes seem like that contract in a foreign language. There are many decisions to be made and the number of questions to present and which questions to ask is often the easy part. To truly get the most out of fraud models, it is necessary to consider where the score cuts that will be used with your Knowledge Based Authentication session will be set and what methodology will be used to invoke the Knowledge Based Authentication session: objective score performance, manual review and decision, etc. It is also important to consider the “kind of fraud” you might be seeing. This is where it is helpful to have your very own Babel fish – one designed specifically for fraud trends, fraud data, fraud models and Knowledge Based Authentication. If your vendor doesn’t offer you a Babel fish, ask for one. Yours could have one of many titles, but you will know this person when you speak with them, for their level of understanding of not only your business but, more importantly, your data and what it means. Sometimes the Babel fish will work in Consulting, sometimes in Product Management, sometimes in Analytics – the important thing is that there are fraud-specific experts available to you. Think about that for a minute. Business today is a delicate balance between customer experience/relationship management and risk management. If your vendor can’t offer you a Babel fish, tell them you have fish to fry – elsewhere.
I received a call on my cell phone the other day. It was my bank calling because a transaction outside of my normal behavior pattern tripped a flag in their fraud models. “Hello!\" said the friendly, automated voice, “I’m calling from [bank name] and we need to talk to you about some unusual transaction activity on your account, but before we do, I need to make sure Monica Bellflower has answered the phone. We need to ask you a few questions for security reasons to protect your account. Please hold on a moment.” At this point, the IVR (Interactive Voice Response) system invoked a Knowledge Based Authentication session that the IVR controlled. The IVR, not a call center representative, asked me the Knowledge Based Authentication questions and confirmed the answers with me. When the session was completed, I had been authenticated, and the friendly, automated voice thanked me before launching into the list of transactions to be reviewed. Only when I questioned the transaction was I transferred, immediately – with no hold time, to a human fraud account management specialist. The entire process was seamless and as smooth as butter. Using IVR technology is not new, but using IVR to control a Knowledge Based Authentication session is one way of controlling operational expenses. An example of this is reducing the number of humans that are required, while increasing the ROI made in both the Knowledge Based Authentication tool and the IVR solution. From a risk management standpoint, the use of decisioning strategies and fraud models allows for the objective review of a customer’s transactions, while employing fraud best practices. After all, an IVR never hinted at an answer or helped a customer pass Knowledge Based Authentication, and an IVR didn\'t get hired in a call center for the purpose of committing fraud. These technologies lend themselves well, to fraud alerts and identity theft prevention programs, and also to account management activities. Experian has successfully integrated Knowledge Based Authentication with IVR as part of relationship management and/or risk management solutions. To learn more, visit the Experian website at: https://www.experian.com/decision-analytics/fraud-detection.html?cat1=fraud-management&cat2=detect-and-reduce-fraud). Trust me, Knowledge Based Authentication with IVR is only the beginning. However, the rest will have to wait; right now my high-tech, automated refrigerator is calling to tell me I\'m out of butter.
There seems to be two viewpoints in the market today about Knowledge Based Authentication (KBA): one positive, one negative. Depending on the corner you choose, you probably view it as either a tool to help reduce identity theft and minimize fraud losses, or a deficiency in the management of risk and the root of all evil. The opinions on both sides are pretty strong, and biases “for” and “against” run pretty deep. One of the biggest challenges in discussing Knowledge Based Authentication as part of an organization’s identity theft prevention program, is the perpetual confusion between dynamic out-of-wallet questions and static “secret” questions. At this point, most people in the industry agree that static secret questions offer little consumer protection. Answers are easily guessed, or easily researched, and if the questions are preference based (like “what is your favorite book?”) there is a good chance the consumer will fail the authentication session because they forgot the answers or the answers changed over time. Dynamic Knowledge Based Authentication, on the other hand, presents questions that were not selected by the consumer. Questions are generated from information known about the consumer – concerning things the true consumer would know and a fraudster most likely wouldn’t know. The questions posed during Knowledge Based Authentication sessions aren’t designed to “trick” anyone but a fraudster, though a best in class product should offer a number of features and options. These may allow for flexible configuration of the product and deployment at multiple points of the consumer life cycle without impacting the consumer experience. The two are as different as night and day. Do those who consider “secret questions” as Knowledge Based Authentication consider the password portion of the user name and password process as KBA, as well? If you want to hold to strict logic and definition, one could argue that a password meets the definition for Knowledge Based Authentication, but common sense and practical use cause us to differentiate it, which is exactly what we should do with secret questions – differentiate them from true KBA. KBA can provide strong authentication or be a part of a multifactor authentication environment without a negative impact on the consumer experience. So, for the record, when we say KBA we mean dynamic, out of wallet questions, the kind that are generated “on the fly” and delivered to a consumer via “pop quiz” in a real-time environment; and we think this kind of KBA does work. As part of a risk management strategy, KBA has a place within the authentication framework as a component of risk- based authentication… and risk-based authentication is what it is really all about.
When a client is selecting questions to use, Knowledge Based Authentication is always about the underlying data – or at least it should be. The strength of Knowledge Based Authentication questions will depend, in large part, on the strength of the data and how reliable it is. After all, if you are going to depend on Knowledge Based Authentication for part of your risk management and decisioning strategy the data better be accurate. I’ve heard it said within the industry that clients only want a system that works and they have no interest where the data originates. Personally, I think that opinion is wrong. I think it is closer to the truth to say there are those who would prefer if clients didn’t know where the data that supports their fraud models and Knowledge Based Authentication questions originates; and I think those people “encourage” clients not to ask. It isn’t a secret that many within the industry use public record data as the primary source for their Knowledge Based Authentication products, but what’s important to consider is just how accessible that public record information is. Think about that for a minute. If a vendor can build questions on public record data, can a fraudster find the answers in public record data via an online search? Using Knowledge Based Authentication for fraud account management is a delicate balance between customer experience/relationship management and risk management. Because it is so important, we believe in research – reading the research of well-known and respected groups like Pew, Tower, Javelin, etc. and doing our own research. Based on our research, I know consumers prefer questions that are appropriate and relative to their activity. In other words, if the consumer is engaged in a credit-granting activity, it may be less appropriate to ask questions centered on personal associations and relatives. Questions should be difficult for the fraudster, but not difficult or perceived as inappropriate or intrusive by the true consumer. Additionally, I think questions should be applicable to many clients and many consumers. The question set should use a mix of data sources: public, proprietary, non-credit, credit (if permissible purpose exists) and innovative. Is it appropriate to have in-depth data discussions with clients about each data source? Debatable. Is it appropriate to ensure that each client has an understanding of the questions they ask as part of Knowledge Based Authentication and where the data that supports those questions originates? Absolutely.
Learn More Image
