In today’s fraud landscape, a single layer of authentication is an open invitation to fraud. That may sound harsh, but it is true: any financial institution that relies on one security technology is going to run into trouble, if not today then some time down the road. It is only a matter of time.
The recent Investors.com article, “Zappos Breach Shows Hacker Hits Just Keep Coming,” hits the nail on the head in regard to layered security. Despite technology improvements, even the most secure companies with layered security can be penetrated to some degree, said Amir Orad, CEO of the financial services security firm Nice Actimize.
“It shows the value of layered security. One has to assume that some of the layers will be breached — if not today, then tomorrow.”
Having a multi-layered defense that includes two-factor authentication technology can make a big difference in how far a perpetrator gets and how much confidential customer or company data they get away with. This is why the new Federal Financial Institutions Examination Council (FFIEC) guidance calls for banks to use layered security, including stronger authentication, to minimize the risk of fraud. More specifically, authentication that draws on at least two of the following three categories is essential to meeting this criterion:
1. “Something you know” (e.g., password, PIN, personally identifiable information [PII])
2. “Something you are” (e.g., fingerprint, retinal pattern, DNA)
3. “Something you have” (e.g., ID or ATM card, security token, telephone)
Most banks use both passwords and knowledge-based authentication (KBA) techniques (security questions) to identify customers. The problem is that both methods fall within the same category, “something you know”. Stacking two credentials from one category does not produce a second factor: a criminal who has obtained the customer’s information, whether from a data breach like the one above or from social engineering, already holds everything the bank will ask for. This leaves financial institutions susceptible to fraud and out of line with the FFIEC’s new multi-factor authentication recommendations.
When it comes to one of the most widely used banking channels today, the telephone, the TrustID® network-based Physical Caller Authentication tool takes a unique approach to authenticating customers dialing into a bank’s call center. Instead of relying on what the caller knows, TrustID makes the telephone number a valid “something you have” credential by automatically validating the Caller ID and ANI claims before the call is answered. The distinction matters: the Caller ID a call presents is a value the originating equipment asserts, and it is routinely spoofed, so a number that is merely displayed is not evidence of possession. A number whose claim has been validated in the network is. Combined with authentication methods that use KBA, PII or a PIN to identify customers, this gives banks a critical layer of defense for protecting customer and company data, and at the same time helps them meet the FFIEC’s guidelines for true multi-factor authentication.
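The two points above, that credentials from the same category do not add up to a second factor and that an unvalidated Caller ID cannot count as “something you have”, can be stated as a small policy check. The following Python is an added example written for this page; it is not TrustID code and it does not reproduce how the product validates a call. The `IncomingCall`, `toy_network_check` and the phone numbers are constructed stand-ins for a network-side validation the page does not describe.

```python
"""Added example: a layered call-center authentication policy (not TrustID code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, Set, Tuple


class Factor(Enum):
    KNOWLEDGE = "something you know"
    INHERENCE = "something you are"
    POSSESSION = "something you have"


@dataclass(frozen=True)
class Credential:
    name: str
    factor: Factor
    # Possession claims only: True when the claim was checked against something
    # the caller does not control, False when the value was merely presented.
    validated: bool = True


@dataclass(frozen=True)
class IncomingCall:
    """Constructed model of a call: what the caller asserts vs. what the toy network reports."""
    claimed_caller_id: str   # set by the originating equipment; trivially spoofable
    network_origin: str      # hypothetical network-side view of where the call came from


def toy_network_check(call: IncomingCall) -> bool:
    """Hypothetical stand-in for a network-based Caller ID/ANI validation."""
    return call.claimed_caller_id == call.network_origin


def telephone_credential(call: IncomingCall,
                         network_check: Callable[[IncomingCall], bool]) -> Credential:
    """Turn a presented phone number into a possession credential, validated or not."""
    return Credential(f"phone {call.claimed_caller_id}", Factor.POSSESSION,
                      validated=network_check(call))


def established_factors(credentials: Iterable[Credential]) -> Set[Factor]:
    """Distinct factor categories the credentials actually establish.

    Two credentials from one category collapse to a single entry, which is why
    password + security questions stays single-factor.  A possession claim that
    was never validated establishes nothing: anyone who knows the customer's
    number can present it, so it is counted as no factor at all.
    """
    factors: Set[Factor] = set()
    for cred in credentials:
        if cred.factor is Factor.POSSESSION and not cred.validated:
            continue
        factors.add(cred.factor)
    return factors


def is_multi_factor(credentials: Iterable[Credential], required: int = 2) -> Tuple[bool, str]:
    """Apply the 'at least two of the three categories' rule and explain the verdict."""
    factors = established_factors(credentials)
    names = sorted(f.value for f in factors)
    if len(factors) >= required:
        return True, f"{len(factors)} categories established: {', '.join(names)}"
    return False, f"only {len(factors)} category established: {', '.join(names) or 'none'}"


# Constructed sample data (illustrative only).
PASSWORD = Credential("online banking password", Factor.KNOWLEDGE)
KBA = Credential("security questions", Factor.KNOWLEDGE)
PIN = Credential("telephone banking PIN", Factor.KNOWLEDGE)

# Genuine call: the asserted number matches the toy network's view of the origin.
GENUINE_CALL = telephone_credential(
    IncomingCall(claimed_caller_id="+15555550100", network_origin="+15555550100"),
    toy_network_check)
# Spoofed call: the attacker asserts the customer's number, but the origin differs.
SPOOFED_CALL = telephone_credential(
    IncomingCall(claimed_caller_id="+15555550100", network_origin="+15555550199"),
    toy_network_check)


def scenarios():
    """Outcomes for the cases discussed in the text."""
    return {
        "password + KBA": is_multi_factor([PASSWORD, KBA])[0],
        "password + KBA + unvalidated Caller ID": is_multi_factor([PASSWORD, KBA, SPOOFED_CALL])[0],
        "PIN + validated telephone number": is_multi_factor([PIN, GENUINE_CALL])[0],
    }


if __name__ == "__main__":
    for label, creds in [
        ("password + KBA", [PASSWORD, KBA]),
        ("password + KBA + spoofed Caller ID", [PASSWORD, KBA, SPOOFED_CALL]),
        ("PIN + validated telephone number", [PIN, GENUINE_CALL]),
    ]:
        ok, why = is_multi_factor(creds)
        print(f"{label:38s} -> {'MFA' if ok else 'single-factor':13s} ({why})")
```

The design choice worth noting is that an unvalidated possession claim is dropped entirely rather than counted as a weak factor: a displayed number that the caller chose is, at best, knowledge the attacker already has, so giving it any weight would let the same “something you know” be counted twice.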