Tag: fraud


By: Andrew Gulledge

Bridgekeeper: “What is the air-speed velocity of an unladen swallow?”
King Arthur: “What do you mean? An African or European swallow?”

Here are some additional reasons why the concept of an “average fraud rate” is too complex to be meaningful.

Different levels of authentication strength

Even if you have two companies from the same industry, with the same customer base, the same fraudsters, the same natural fraud rate, counting fraud the same way, using the same basic authentication strategies, they still might have vastly different fraud rates. Let’s say Company A has a knowledge-based authentication strategy configured to give them a 95% pass rate, while Company B is set up to get a 70% pass rate. All else being equal, we would expect Company A to have a higher fraud rate, by virtue of having a less stringent fraud prevention strategy. If you lower the bar you’ll definitely have fewer false positives, but you’ll also have more frauds getting through. An “average fraud rate” is therefore highly dependent on the specific configuration of your fraud prevention tools.

Natural instability of fraud behavior

Fraud behavior can be volatile. For openers, one fraudster seldom equals one fraud attempt. Fraudsters often use the same techniques to defraud multiple consumers and companies, sometimes generating multiple transactions for each. You might have, for example, a hundred fraud attempts from the same computer-tanned jackass. Whatever the true ratio of fraud attempts to fraudsters is, you can be confident that your total number of frauds is unlikely to be representative of an equal number of unique fraudsters. What this means is that fraud behavior is even more volatile than your general consumer behavior, including general fraud trends such as seasonality. This volatility, in and of itself, correlates to a greater degree of variance in fraud rates, further depleting the value of an “average fraud rate” metric.

Limited fraud data

It’s also worth noting that we only know which of our authentication transactions end up being frauds when our clients tell us after the fact. While plenty of folks do send us known fraud data (thus opening up the possibility of invaluable analysis and consulting), many of our clients do not. Therefore, even if all of the aforementioned complexity were not the case, we would still be limited in our ability to provide global benchmarks such as an “average fraud rate.”

Therefore, what?

This is not to say that there is no such thing as a true average fraud rate, particularly at the industry level. But you should take any claims of an authoritative average with a grain of salt. At the very least, fraud rates are a volatile thing with a great deal of variance from one case to the next. It is much more important to know YOUR average fraud rate than THE average fraud rate. You can estimate your natural fraud rate through a champion/challenger process, or even by letting the floodgates open for a few days (or however long it takes to gather a meaningful sample of known frauds), then letting the frauds bake out over time. You can compare the strategy fraud rates and false positive ratios of two (or more) competing fraud prevention strategies. You can track your own fraud rates and fraud trends over time. There are plenty of things you can do to create standardized metrics of fraud incidence, but good heavens, for the next person to ask me what our average fraud rate is, the answer is “No.”

Published: December 13, 2010 by Guest Contributor

The U.S. Senate passed legislation recently that would exempt certain businesses from complying with the Red Flags Rule. Sponsored by Senator John Thune (R-SD), the bill (S. 3987) creates an exception to the Red Flags Rule for businesses that do not advance funds to a customer. The bill would, for example, redefine the term “creditor” as currently described under the Red Flags Rule guidelines, to apply only to those businesses who advance funds to, or on behalf of, a customer, based upon an obligation to repay those advanced funds. The legislation also still provides the Federal Trade Commission with authority to require certain organizations to comply with the Red Flags Rule.

The legislation now moves to the U.S. House of Representatives, where the chamber must approve the bill before the end of the year in order for the bill to become law. This may relieve many businesses in industries such as law practices, healthcare providers (particularly solo practitioners), and perhaps some service providers in telecommunications and utilities. However, it is likely that many businesses in the utilities space will still fall under Red Flags Rule enforcement, given that many of their application processing procedures access consumer credit profiles.

Again, one has to wonder what the original intent of the Red Flags Rule was. If it was to protect consumers from identity theft and other fraud schemes via a robust identity theft prevention program, then vastly narrowing the set of businesses to which potential enforcement applies seems counter-productive. Whether or not funds are advanced doesn’t necessarily add to or reduce the risk of fraud as much as the actual obtaining of accounts and services with identity information…regardless of industry. More to follow…

Published: December 6, 2010 by Keir Breitenfeld

As the December 31st deadline approaches for FTC enforcement of the Red Flags Rule, we still seem quite a ways off from getting out from under the cloud of confusion and debate related to the definition of ‘creditor’ under the statutory provisions. For example, the Thune-Begich amendment to “amend the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors” looks to greatly narrow the definition of creditor under the Rule, and therefore narrow the universe of businesses and institutions covered by the Red Flags Rule.

The question remains, and will remain far past the December 31 enforcement deadline, as to how narrow the ‘creditor’ universe gets. Will this amendment be effective in excluding those types of entities generally not in the business of extending credit (such as physicians, lawyers, and other service providers) even if they do provide service in advance of payment collection or billing? Will this amendment exclude more broadly, for example ‘buy-here, pay-here’ auto dealers who don’t extend credit or furnish data to a credit reporting agency? Finally, is this the tip of an iceberg in which more entities opt out of the requirement for robust and effective identity theft prevention programs?

So one has to ask whether the original Red Flags Rule intent to “require many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or ‘red flags’ – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts” still holds true. Or is the idea of protecting consumer identities only a good one when it is convenient? The narrowing doesn’t appear to be linked to fraud risk, as healthcare fraud, for example, is of major concern to most practitioners and service providers in that particular industry.

Lastly, from an efficiency perspective, this debate would likely have been better timed at the drafting of the Red Flags Rule, and prior to the implementation of Red Flags programs across industries that may ultimately be excluded.

Published: November 24, 2010 by Keir Breitenfeld

As E-Government customer demand and opportunity increase, so too will regulatory requirements and associated guidance become more standardized and uniformly adopted. Regardless of credentialing techniques and ongoing access management, all enrollment processes must continue to be founded in accurate and, most importantly, predictive risk-based authentication. Such authentication tools must be able to evolve as new technologies and data assets become available, as compliance requirements and guidance become more defined, and as specific fraud threats align with various access channels and unique customer segments.

A risk-based fraud detection system allows institutions to make customer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a customer’s identity and predicted likelihood of associated identity theft. To implement efficient and appropriate risk-based authentication procedures, the incorporation of comprehensive and broadly categorized data assets must be combined with targeted analytics and consistent decisioning policies to achieve a measurably effective balance between fraud detection and positive identity proofing results. The inherent value of a risk-based approach to authentication lies in the ability to strike such a balance not only in the current environment, but also as that environment and its underlying forces shift.

The National Institute of Standards and Technology, in special publication 800-63, defines electronic authentication (E-authentication) as “the process of establishing confidence in user identities electronically presented to an information system”. Since, as stated in publication 800-63, “individuals are enrolled and undergo an identity proofing process in which their identity is bound to an authentication secret, called a token”, it is imperative that identity proofing is founded in an approach that generates confidence in the authentication process.

Experian believes that a risk-based approach that can separate valid from invalid identities using a combination of data and proven quantitative techniques is best. As “individuals are remotely authenticated to systems and applications over an open network, using a token in an authentication protocol”, enrollment processes that drive the ultimate provision of tokens must be implemented with an eye towards identity risk, and not simply as a series of checks against one or more third party data assets. If the “keys to the kingdom” are housed in the ongoing use of tokens provided by Credential Service Providers (CSPs) and the binding of credentials to those tokens, trusted Registration Authorities (RAs) must employ highly predictive identity proofing techniques designed to segment true, low-risk identities from identities that may have been manipulated, fabricated, or, in true form, are subject to fraudulent use, abuse or victimization.

Many compliance-oriented authentication requirements (e.g., USA PATRIOT Act, FACTA Red Flags Rule) and the resulting processes hinge upon identity element (e.g., name, address, Social Security number, phone number) validation and verification checks. Without minimizing the importance of performing such checks, the purpose of a more risk-based approach to authentication is to leverage other data sources and quantitative techniques to further assess the probability of fraudulent behavior.

Published: November 4, 2010 by Keir Breitenfeld

Experian recently contributed to a TSYS whitepaper focused on the various threats associated with first party fraud. I think the paper does a good job of summarizing the problem, and points out some very important strategies that can be employed to help both prevent first party fraud losses and detect those already in an institution’s active and collections account populations. I’d urge you to have a look at this paper as you begin asking the right questions within your own organization. Watch here

The bad news is that first party fraud may currently account for up to 20 percent of credit charge-offs. The good news is that scoring models (using a combination of credit attributes and identity element analysis) targeted at various first party fraud schemes such as Bust Out, Never Pay, and even Synthetic Identity are quite effective in all phases of the customer lifecycle. Appropriate implementation of these models, usually involving coordinated decisioning strategies across both fraud and credit policies, can stem many losses either at account acquisition, or at least early enough in the account management stage to substantially reduce average fraud balances. The key is to prevent these accounts from ending up in collections queues where they’ll never have any chance of actually being collected upon.

A traditional customer information program and identity theft prevention program (associated, for example, with the Red Flags Rule) will often fail to identify first party fraud, as these are founded in identity element verification and validation, checks that often ‘pass’ when applied to first party fraudsters.

Published: November 3, 2010 by Keir Breitenfeld

By: Kenneth Pruett

I really thought I was going to be on easy street after receiving two emails in less than a week. The first email was telling me about some long lost relative in the UK who passed away over 10 years ago. His riches, which were over $20 million, would be forfeited to the government if an heir to the fortune did not claim the money. I was impressed how they figured out that I was the long lost “heir” to this millionaire just by looking at my email address. They also identified me specifically by calling me by name, “Dear Sir”. The other email was a bit more intriguing. It involved a suitcase full of money. This was sent to me by a woman who was in an abusive relationship but somehow had a chest full of money in America. For a certain percentage of the money, she was willing to pay me for my efforts to help her gain access to the suitcase and its contents.

I am still surprised at just how many people fall victim to these types of email scams. They have been going on for quite some time, commonly known as the Nigerian 419 scam. I have noticed that the emails have changed a bit and seem to have become more convincing. The scammers also seem to be a bit more patient and work harder to gain the victim’s confidence in the legitimacy of the transaction. Individuals who give their information to these scammers will soon find out what a big mistake they have made. The goal of these groups is to gain access to a consumer’s money. They also will attempt to gather personal and banking information. Some victims of these scams may end up having their identity stolen. If the scammers do attempt to use the identity information, they will typically make multiple attempts in a short period of time to establish credit.

One way to help fight this type of organized fraud ring activity is to use velocity checks to track data elements. For example, a bank may want to know if a Social Security number has been used more than once within a certain period of time. Fraud analytic studies have also found that tracking data elements across multiple customers can be very predictive in preventing fraud tied to identity theft rings. Elements often tracked are things like addresses, Social Security numbers and phone numbers.

If these scammers attempt to take over consumers’ current bank accounts, they may attempt to change the address and possibly the phone number on the account. This is to prevent the true consumer from getting a phone call or mail relating to their account changes. Before officially making such changes in their systems, many entities send a letter or make a call to the previous address or phone number on file. One other way to protect against account takeover is to run the address and/or phone number against a database of known frauds. A National Fraud Database can be helpful in identifying addresses that have been used in previous fraud activity.

The Nigerian 419 scams will continue to be a problem. The need for money is just too great for some people to resist. For banks, card issuers, and credit unions, it is wise to put tools in place to help fight identity theft. This scam only represents a sample of the various fraudulent groups out there who make their living by ripping off these types of businesses. As I often say to my customers… I have done about everything in the fraud space, except commit it, which is the most profitable area. Good luck in your efforts to help us fight this ongoing problem.

Published: October 7, 2010 by Guest Contributor

In my last entry I mentioned how we’re working with more and more clients that are ramping up their fraud and compliance processes to ensure Red Flag compliance. But it’s not just the FACT Act Identity Theft Program requirements that are garnering all the attention. As every financial institution is painfully aware, numerous compliance requirements exist around the USA PATRIOT Act and Know Your Customer, Anti-Money Laundering, e-Signature and more. Legislation for banks, lenders, and other financial services organizations is only likely to increase with President Obama’s appointment of Elizabeth Warren to the new Bureau of Consumer Financial Protection. Typically FIs must perform due diligence across more than one of these requirements, all the while balancing the competing pressures of revenue growth, customer experience, fraud referral rates, and risk management.

Here’s a case where we were able to offer a solution to one client’s complex needs. Recently, we were approached by a bank’s sales channel that needed to automate their Customer Information Program (CIP). The bank’s risk and compliance department had provided guidelines based on their interpretation of due diligence appropriate for CIP, and now the Sales group had to find a tool that could facilitate these guidelines and decision appropriately. The challenge was doing so without a costly custom solution, without sacrificing their current customer service SLAs, and while being able to define their own criteria in the CIP decisioning rather than accept a stock interpretation.

The solution was to invest in a customer authentication product that offered flexible, adaptable “off the shelf” decisioning along with knowledge based authentication, aka out of wallet questions. The fact that the logic was hosted reduced costly and time consuming software and hardware implementations while at the same time allowing easy modification should their CIP criteria change or pass and review rates need to be tweaked.

The net result? Consistent customer treatment and objective application of the CIP guidelines, more cross selling confidence, and the ability to refer only those applicants with fraud alerts, or who did not meet the name, address, SSN, and DOB check, for further authentication.

Published: September 24, 2010 by Matt Ehrlich

Another consumer protection article in the news recently highlighted some fraud best practices for social networking sites. Click here to read the article. When I say fraud best practices, I mean best practices to minimize fraud and identity theft risk…not best practices for fraudsters. Although I wonder if, by advising consumers about new fraud trends and methods, some fraudsters are picking up new tips and tricks?

Anyway, many of the suggestions in the article are common sense items that have been making the rounds for some time now: don’t post vacation plans, things that might provide clues to your passwords or secret questions, etc. What I found surprising was that this list of “6 Things You Should Never Reveal on Facebook” still included birth date and place and home address. Are people overly trusting or simply unaware of the risk of providing personal identifying information out in cyberspace, unsecured?

The US government has gone to a lot of trouble to protect consumers from identity theft through its issuance of the Red Flags rule and Red Flags guidelines for financial institutions of all types. I work with many clients that are going to large efforts to meet these important goals for fraud and compliance. Not just because the legislation requires it, but because they know it is in the best interest of fostering long term and trust-based relationships with their customers. But just as much responsibility lies on us as consumers to protect ourselves. Each individual or family should have their own little identity theft prevention program that includes: guidelines for sharing information on social networking sites, shredding of paper documents with personal data, safe storage of passwords (i.e. not written down by your computer!), and up to date virus and malware protection on their computer.

Published: September 20, 2010 by Matt Ehrlich

Anyone keeping tabs on the legal scene would think data breaches are something new, given all of the legislation hitting the floor of Congress, when in reality they have been happening since businesses began saving data. The truth is the average consumer didn’t really think about it until they started to hear about data breaches and fraud trends when California blazed a trail with what is considered to be the “grandma” of data breach laws back in 2002. The California law (CA SB 1386) required entities to report data breaches if a California resident was a record in the breach that included personally identifiable information and met the state’s criteria for breach. One might say that law started it all: data breach reporting, the ability for watchdog tracking, and media coverage – before CA SB 1386 we only saw the tip of the iceberg.

There are currently four bills worth watching in Congress right now that could have some significant impact on data breach notification requirements:

- Senate Bill 139, sponsored by California Sen. Dianne Feinstein. The Data Breach Notification Act would cover any agency or business that uses or stores personally identifiable information and would make it mandatory that the victims be informed if a breach occurred.
- Senate Bill 3579, the Carper-Bennett legislation, entitled the Data Security Act of 2010, applies to financial institutions, retailers and government agencies, and would require these entities to safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud. This bill is aimed at protecting consumers and businesses from identity theft and account fraud.
- Senate Bill 3742, entitled the Data Security and Breach Notification Act of 2010, sponsored by Senators Mark Pryor and Jay Rockefeller, would cross industries and imposes special requirements on data brokers. It was referred this month to the Committee on Commerce, Science and Technology, which Rockefeller chairs.
- Senate Bill 1490, entitled the Personal Data Privacy and Security Act, designates unauthorized access of personally identifiable information as fraud and allows the act to lead to racketeering charges. Sponsored by Senate Judiciary Committee Chairman Patrick Leahy, it would also prohibit concealment of security breaches involved in fraud and prohibit the dismissal of a Chapter 7 bankruptcy case if the debtor is an identity-theft victim.

Many organizations already provide for data breach and the security of personally identifiable information as part of an Identity Theft Prevention Program or Red Flags Rule compliance. I’m happy to say that many rely on Experian tools (https://www.experian.com/data-breach/data-breach-resources.html) for data breach or Enterprise Risk Management solutions. However, any of these bills could change the game for many businesses not already regulated by the Gramm-Leach-Bliley Act (GLB), the Fair Credit Reporting Act (FCRA) or the Fair and Accurate Credit Transactions Act (FACTA). In fact, two of the bills would essentially subject data brokers to the same kinds of legislation that financial institutions have under FCRA. The reasoning behind it is that fraud trends continue to show risk levels are the same to the consumer, regardless of where the information is stored. The financial industry and credit bureau data have been regulated for years so, in a sense, I think it’s just “more of the same” unless you happen to be in an industry not regulated as stringently. Still… it’s worth keeping those “tabs” and RSS feeds alive.

Published: September 16, 2010 by Guest Contributor

Quite a scary new (although in some ways old) form of identity theft has been in the headlines recently. Here’s a link to the article, which talks about how children’s dormant Social Security numbers are being found and sold by companies online under the guise of CPNs – aka credit profile numbers or credit protection numbers. Using deceased, “found”, or otherwise illicitly obtained Social Security numbers is not something new. Experian’s identity verification tools, like any good ones, check against the Social Security Administration’s list of numbers listed as deceased as well as check to ensure the submitted number is in an SSA valid issue range.

But the two things I find most troubling here are: One, the sellers have found a way around the law by not calling them Social Security numbers and calling them CPNs instead. That seems ludicrous! But, in fact, the article goes on to state that “Because the numbers exist in a legal gray area, federal investigators have not figured out a way to prosecute the people involved”. Two, because of the anonymity and the ability to quickly set up and abandon “shop”, the online marketplace is the perfect venue for both buyer and seller to connect with minimal risk of being caught.

What can we as consumers and businesses take away from this? As consumers, we’re reminded to be ever vigilant about the disclosure of not only OUR Social Security number but that of our family members as well. For businesses, it’s a reminder to take advantage of additional identity verification and fraud prediction tools, such as Experian’s Precise ID, Knowledge IQ, and BizID, when making credit decisions or opening accounts rather than relying solely on consumer credit scores.

Published: September 10, 2010 by Matt Ehrlich

Working with clients in the financial sector means keeping an eye toward compliance and regulations like the Gramm-Leach-Bliley Act (GLB), the Fair Credit Reporting Act (FCRA) or the Fair and Accurate Credit Transactions Act (FACTA). It doesn’t really matter what kind of product it is; if a client is a financial institution (FI) of some kind, one of these three pieces of legislation is probably going to apply. The good part is, these clients know it and typically have staff dedicated to these functions. In my experience, where most clients need help is in understanding which regulations apply or what might be allowed under each.

The truth is, a product designed to minimize fraud, like knowledge based authentication, will function the same whether using FCRA regulated or non-FCRA regulated data. The differences will be in the fraud models used with the product, the decisioning strategies set up, the questions asked and the data sources of those questions. Under GLB it is acceptable to use fraud analytics for detection purposes, as fraud detection is an approved GLB exception. However, under FCRA rules, fraud detection is not a recognized permissible purpose (for accessing a consumer’s data). Instead, written instructions (of the consumer) may be used as the permissible purpose, or another permissible purpose permitted under FCRA, such as legitimate business need due to risk of financial loss.

Fraud best practices dictate engaging with clients, and their compliance teams, to ensure the correct product has been selected based on client fraud trends and client needs. A risk based authentication approach, using all available data and appropriately decisioning on that data, whether or not it includes out of wallet questions, provides the most efficient management of risk for clients and the best experience for consumers.

Published: September 10, 2010 by Guest Contributor

By: Kristan Frend

It seems as though desperate times call for desperate measures: with revenues down and business loans tougher than ever to get, “shelf” and “shell” companies appear to be on the rise. First let’s look at the difference between the two:

Shelf companies are defined as corporations formed in a low-tax, low-regulation state in order to be sold off for their excellent credit rating. According to the Better Business Bureau, off-the-shelf structures were historically used to streamline a start-up, but selling them as a way to get around credit guidelines is new, making them unethical and possibly illegal.

Shell companies are characterized as fictitious entities created for the sole purpose of committing fraud. They often provide a convenient method for money laundering because they are easy and inexpensive to form and operate. These companies typically do not have a physical presence, although some may set up a storefront. According to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network, shell companies may even purchase corporate office “service packages” in order to appear to have established a more significant local presence. These packages often include a state business license, a local street address, an office that is staffed during business hours, a local telephone listing with a receptionist and 24-hour personalized voice mail.

In one recent bust out fraud scenario, a shell company operated out of an office building and signed up for service with a voice over Internet protocol (VoIP) provider. While the VoIP provider typically conducts on-site visits to all new accounts, this step was skipped because the account was acquired through a channel partner. During months one and two, the account maintained normal usage patterns and invoices were paid promptly. In month three, the account’s international toll activity spiked, causing the provider to question the unusual account activity. The customer responded with a seemingly legitimate business explanation of the activity and offered additional documentation. However, the following month the account contact and business disappeared, leaving the VoIP provider with a substantial five figure loss. A follow-up visit to the business showed a vacant office suite.

While it’s unrealistic to think all shelf and shell companies can be identified, there are some tools that can help you verify businesses, identify repeat offenders, and minimize fraud losses. In the example mentioned above, post-loss account review through Experian’s BizID identified an obvious address discrepancy: 12 businesses all listed at the same address, suggesting that the perpetrator set up numerous businesses and victimized multiple organizations. The moral of the story? Avoid being the next victim and refine and revisit your fraud best practices today. Click here for more information on Experian's BizID
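Two of the detection patterns described on this page, the velocity checks from Kenneth Pruett’s post (an SSN, address or phone number reused within a short period) and the shared-address finding in the VoIP case above (many identities tied to one address), can be expressed as simple checks over application records. The code below is an added example, not Experian’s code or either author’s; the records, field names, thresholds and window are constructed for the illustration, and a production system would tune them against known fraud outcomes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample application records (made up for this example, not real data).
# Fields: submitted-at, applicant name, SSN, address, phone.
APPLICATIONS = [
    ("2010-10-01T09:00", "Alice Example", "000-00-0001", "1 Main St, Anytown",    "555-0100"),
    ("2010-10-01T10:30", "A. Example",    "000-00-0001", "9 Other Rd, Elsewhere", "555-0199"),
    ("2010-10-02T08:15", "Bob Sample",    "000-00-0002", "2 Oak Ave, Anytown",    "555-0102"),
    ("2010-10-02T13:45", "Alicia Exampl", "000-00-0001", "1 Main St, Anytown",    "555-0100"),
    ("2010-11-20T11:00", "Carol Demo",    "000-00-0003", "3 Pine Ln, Anytown",    "555-0103"),
    ("2010-11-20T11:20", "Dan Demo",      "000-00-0004", "3 Pine Ln, Anytown",    "555-0104"),
    ("2010-12-05T16:00", "Alice Example", "000-00-0001", "1 Main St, Anytown",    "555-0100"),
]
FIELDS = ("ts", "name", "ssn", "address", "phone")


def load(rows):
    """Turn raw tuples into dicts with parsed timestamps, ordered by submission time."""
    recs = [dict(zip(FIELDS, row)) for row in rows]
    for rec in recs:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    return sorted(recs, key=lambda rec: rec["ts"])


def velocity_hits(recs, field, max_uses, window_days):
    """Velocity check: return {value: peak_count} for every value of `field`
    that appears more than `max_uses` times inside any sliding window of
    `window_days` days. Uses a two-pointer sweep over each value's sorted times."""
    window = timedelta(days=window_days)
    times_by_value = defaultdict(list)
    for rec in recs:  # recs are already time-ordered, so each list is sorted
        times_by_value[rec[field]].append(rec["ts"])
    hits = {}
    for value, times in times_by_value.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop uses older than the window
                start += 1
            count = end - start + 1
            if count > max_uses:
                hits[value] = max(hits.get(value, 0), count)
    return hits


def shared_element_hits(recs, field, key_field, min_distinct):
    """Cross-customer check: return {value: sorted distinct keys} for values of
    `field` linked to at least `min_distinct` different identities (`key_field`),
    regardless of timing. This is the shape of the 12-businesses-at-one-address
    discrepancy; here the identity key is the SSN."""
    keys_by_value = defaultdict(set)
    for rec in recs:
        keys_by_value[rec[field]].add(rec[key_field])
    return {v: sorted(k) for v, k in keys_by_value.items() if len(k) >= min_distinct}


def flag_records(recs, window_days=7, max_uses=2, min_shared=2):
    """Run both checks and return {record index: [reasons]} for the referral queue.
    Any record carrying a flagged element is referred, including later ones, since
    the element is now known to have been part of a burst or a shared address."""
    reasons = defaultdict(list)
    for field in ("ssn", "address", "phone"):
        for value, peak in velocity_hits(recs, field, max_uses, window_days).items():
            for i, rec in enumerate(recs):
                if rec[field] == value:
                    reasons[i].append(f"{field} velocity: {peak} uses in {window_days} days")
    for value, keys in shared_element_hits(recs, "address", "ssn", min_shared).items():
        for i, rec in enumerate(recs):
            if rec["address"] == value:
                reasons[i].append(f"address shared by {len(keys)} identities")
    return dict(reasons)


if __name__ == "__main__":
    records = load(APPLICATIONS)
    for idx, why in sorted(flag_records(records).items()):
        rec = records[idx]
        print(rec["ts"].date(), rec["name"], "->", "; ".join(why))
```

In the constructed data the SSN ending in 0001 is used three times within seven days, so all four of its applications are referred, while the two distinct identities at 3 Pine Ln are referred for the shared-address pattern and Bob Sample is not referred at all.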

Published: August 27, 2010 by Guest Contributor

The overarching ‘business driver’ in adopting a risk-based authentication strategy, particularly one that is founded in analytics and proven scores, is the predictive ‘lift’ associated with using scoring in place of a more binary rule set. While basic identity element verification checks, such as name, address, Social Security number, date-of-birth, and phone number, are important identity proofing treatments, when viewed in isolation they are not nearly as effective in predicting actual fraud risk. In other words, the presence of positive verification across multiple identity elements does not, alone, provide sufficient predictive value in determining fraud risk. Positive verification of identity elements may be achieved in customer access requests that are, in fact, fraudulent. Conversely, negative identity element verification results may be associated with both ‘true’ or ‘good’ customers as well as fraudulent ones. These false positive and false negative conditions lead to a lack of predictive value and confidence, as well as inefficient and unnecessary referral and out-sort volumes.

The most predictive authentication and fraud models are those that incorporate multiple data assets spanning traditionally used customer information categories such as public records and demographic data, but also utilize, when possible, credit history attributes and historic application and inquiry records. A risk-based fraud detection system allows institutions to make customer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a customer’s identity and predicted likelihood of associated identity theft, application fraud, or other fraud risk.

To implement efficient and appropriate risk-based authentication procedures, the incorporation of comprehensive and broadly categorized data assets must be combined with targeted analytics and consistent decisioning policies to achieve a measurably effective balance between fraud detection and positive identity proofing results. The inherent value of a risk-based approach to authentication lies in the ability to strike such a balance not only in the current environment, but also as that environment and its underlying forces shift.

Published: August 23, 2010 by Keir Breitenfeld

By: Kristan Frend As if business owners need one more thing to worry about — according to Javelin Strategy & Research’s 2010 Identity Fraud Survey Report, respondents who defined themselves as “self-employed” or “small business owners” were one-and-a-half times more likely to be victims of identity theft. Intuitively this makes sense: business owners’ exposure is higher than the average consumer’s because their information is viewed more often, owing to the broad array of business services they need. Also consider that until recently, multiple states had public records containing proprietors’ Social Security numbers, used as tax identification numbers, readily accessible online. What a perfect storm this has created! Javelin’s report also explained that while the average fraud incidence for business owners was lower than the average consumer’s, small business owners’ consumer costs were higher. In other words, the small business owner suffered more out-of-pocket costs from identity theft losses than the average consumer. Experts believe this is because commercial accounts often do not receive the same fraud guarantee protections that consumer accounts are afforded. While compliance regulations such as the Red Flags Rules will enhance consumer safety, institutions must develop their prevention and protection methods beyond what is legally required to sufficiently protect their small business customers from future fraud attacks. Small business owner fraud, and the challenges organizations face in identifying and mitigating these losses, are frequently overlooked and overshadowed by consumer fraud. Simply put, fraud is prevented because fraud is detected: verifying that the business owner is who they say they are, using multiple data sources, is critical to identifying applicant irregularities and protecting small business owners.
A well-executed fraud strategy is more than just good business – it helps reduce small business customer acquisition costs and ultimately allows you to make better business decisions, creating a mutually beneficial relationship between your organization and the small business owner.

Published: August 23, 2010 by Guest Contributor

There are a number of people within the industry heralding the death of knowledge based authentication. To those people I would say, “In my humble opinion you are as wrong as those recent tweets proclaiming the death of Bill Cosby.” Before anyone’s head spins around, let me explain. When I talk about knowledge based authentication and out of wallet questions, I mean it in the truest sense, a la dynamic questions presented as a pop quiz, and not the secret questions you answered when you set up an account. Dynamic knowledge based authentication presents questions that are generated from information known about the consumer, concerning things the true consumer would know and a fraudster wouldn’t. The key to success, and the key to good questions, is the data, which I have said many, many times before. The truth is every tool will let some fraud through; otherwise, you’re keeping too many good customers away. But if knowledge based authentication truly fails, there are two places to look:
Data: There are knowledge based authentication providers who rely solely on public record data for their KBA solutions. In my opinion, that data is a higher-risk segment for compromise. Experian’s knowledge based authentication practice is disciplined and includes a mix of data. Our research has shown us that a question set should, ideally, include questions that are proprietary, non-credit, credit and innovative. Yes, it may make sense to include some public record data in a question set, but should it be the basis for the entire question set? Providers who can rely on their own data, or a strategic combination of data sources, rather than purchasing it from one of the large data aggregators are, in my opinion, at an advantage, because fraudsters would need to compromise multiple sources in order to “game the system.”
Actual KBA use: Knowledge based authentication works best as part of a risk management strategy where risk based authentication is a component within the framework and not the single, determining factor for passing a consumer. Our research has shown that clients who combine fraud analytics and a score with knowledge based authentication can increase authentication performance by 20% - 30% or more, depending on the portfolio and type of fraud (ID Fraud vs. First Party, etc.). Adding a score has the obvious benefit of increasing fraud detection, but it also allows organizations to prioritize review rates efficiently while protecting the consumer experience. So before we write the obituary of KBA, let’s challenge those who tinker with out of wallet products, building lists of meaningless questions that a 5th grader could answer. Embrace optimized decisions with risk based authentication and employ fraud best practices in your use of KBA.
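Both the risk-based authentication post above (scoring across multiple data assets instead of a binary rule set) and this post (KBA as one component of a risk framework, with a score used to prioritize reviews) describe the same decisioning pattern. The script below is an added example that is not Experian's model or code: the field names, risk points, thresholds and the eight labelled requests are all constructed for illustration, and the "lift" it shows comes from those constructed values, not from any published result. It compares a pass-only-if-everything-verifies rule against a score that sends only a middle risk band to the KBA quiz, and reports fraud detection and false-positive (good customers referred) rates for each.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class AccessRequest:
    """Verification results for one customer access request (hypothetical data model)."""
    name_match: bool
    address_match: bool
    ssn_match: bool
    dob_match: bool
    phone_match: bool
    credit_history_years: float   # credit-history attribute
    inquiries_90d: int            # recent application/inquiry velocity
    kba_correct: int              # dynamic out-of-wallet questions answered correctly (of 4)
    is_fraud: bool                # ground truth, learned from the client after the fact


# Hypothetical risk points per adverse signal. Real models derive weights from
# analytics on known-fraud data; these are chosen only to make the example readable.
RISK_POINTS: Dict[str, int] = {
    "name_mismatch": 10, "address_mismatch": 15, "ssn_mismatch": 30,
    "dob_mismatch": 20, "phone_mismatch": 10,
    "thin_file": 15,        # under 2 years of credit history
    "high_velocity": 20,    # 3 or more inquiries in 90 days
}


def risk_score(r: AccessRequest) -> int:
    """Additive risk score over identity elements plus credit and inquiry history."""
    score = 0
    if not r.name_match:    score += RISK_POINTS["name_mismatch"]
    if not r.address_match: score += RISK_POINTS["address_mismatch"]
    if not r.ssn_match:     score += RISK_POINTS["ssn_mismatch"]
    if not r.dob_match:     score += RISK_POINTS["dob_mismatch"]
    if not r.phone_match:   score += RISK_POINTS["phone_mismatch"]
    if r.credit_history_years < 2: score += RISK_POINTS["thin_file"]
    if r.inquiries_90d >= 3:       score += RISK_POINTS["high_velocity"]
    return score


def binary_rule_decision(r: AccessRequest) -> str:
    """Rule-set strategy: pass only when every identity element verifies."""
    elements = (r.name_match, r.address_match, r.ssn_match, r.dob_match, r.phone_match)
    return "pass" if all(elements) else "refer"


def risk_based_decision(r: AccessRequest, pass_below: int = 20,
                        refer_at: int = 50, kba_pass: int = 3) -> str:
    """Score-driven strategy with KBA as a component, not the deciding factor.

    Low-risk requests pass without a quiz, high-risk ones are referred regardless
    of quiz results, and only the middle band is decided by the KBA outcome.
    """
    s = risk_score(r)
    if s < pass_below:
        return "pass"
    if s >= refer_at:
        return "refer"
    return "pass" if r.kba_correct >= kba_pass else "refer"


def evaluate(requests: List[AccessRequest],
             decide: Callable[[AccessRequest], str]) -> Dict[str, float]:
    """Detection rate (frauds referred), false-positive rate (good customers referred), referral rate."""
    frauds = [r for r in requests if r.is_fraud]
    goods = [r for r in requests if not r.is_fraud]
    referred = [r for r in requests if decide(r) == "refer"]
    return {
        "detection_rate": sum(r.is_fraud for r in referred) / len(frauds),
        "false_positive_rate": sum(not r.is_fraud for r in referred) / len(goods),
        "referral_rate": len(referred) / len(requests),
    }


# Constructed sample of eight labelled requests (not real data).
SAMPLE: List[AccessRequest] = [
    AccessRequest(True, True, True, True, True, 10.0, 0, 4, False),   # clean good customer
    AccessRequest(True, False, True, True, False, 8.0, 1, 4, False),  # good customer who just moved
    AccessRequest(True, True, True, True, True, 1.0, 0, 3, False),    # good customer, thin file
    AccessRequest(True, True, True, True, True, 1.0, 4, 1, True),     # stolen PII: elements verify, quiz fails
    AccessRequest(True, True, False, False, True, 5.0, 2, 2, True),   # SSN and DOB mismatch
    AccessRequest(False, True, True, True, True, 12.0, 0, 4, False),  # good customer, name variant
    AccessRequest(True, False, True, True, False, 0.5, 5, 0, True),   # thin file, high velocity
    AccessRequest(True, True, True, True, True, 6.0, 3, 3, False),    # good customer shopping for credit
]

if __name__ == "__main__":
    for label, decide in (("binary rules", binary_rule_decision),
                          ("risk-based + KBA", risk_based_decision)):
        print(label, evaluate(SAMPLE, decide))
```

Two of the constructed cases carry the argument: the stolen-identity request verifies on every element and sails through the rule set but lands in the score's middle band and fails the quiz, while the customer who recently moved fails two elements under the rules yet passes on the score plus a correct quiz. The thresholds are what a champion/challenger comparison would tune.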

Published: August 9, 2010 by Guest Contributor
