I’ve often spoke about the many dangers of depending on personally identifiable information (PII) for customer authentication. As we recently learned from the high-profiled credit report celebrity hacking, relying on accessible personal information such as date of birth, mother’s maiden name and Social Security number can put a company’s customers and corporate data at serious risk.
In the article, “FBI Investigating Hackers Who Posted ‘Secret Files’ Of Celebrities, Politicians,” the consumer credit reporting agency, Equifax, released a statement last week confirming that the sensitive financial data that hackers posted on celebrities and political figures was the result of a security breach to the credit reporting agency’s annualcreditreport.com channel, not a break-in to their computer system.
Using PII that could have been accessed through any number of online social networks or public information websites, the perpetrators had enough personal identifying details to correctly answer the challenge questions required to access their intended victims’ private financial files, said Equifax spokesperson, Timothy Klein.
“Our initial investigation shows the perpetrators had the PII of the individuals whose files were accessed and were therefore able to pass the required authentication measures in place. We have launched a full investigation into this matter and we are also working closely with law enforcement authorities on this matter.”
In recent years, cybercriminals impersonating genuine customers or conducting similar social engineering schemes across other sales channels have been responsible for the illegal exposure of tens of thousands of credit reports. These compromises can all lead to identity fraud, account hijacking and other identity-related crimes.
Because customer-impersonating scams are conducted remotely, they can easily be performed over the telephone channel, as well. Social engineering against call center agents is a threat that all financial institutions should not only be concerned with, but adequately prepared for. If we are to learn from incidents like what occurred last week, it’s that relying on knowledge-based authentication (KBA) is not an effective defense against such criminal tactics.
Bank contact centers, which handle billions of calls each year, need an authentication method that goes beyond telephone interrogations such as defeatable security questions. What they need is a security tool that allows them to proactively identify callers before the phone is picked up.
A security tool like the TRUSTID® Physical Caller Authentication solution identifies high-risk calls before the phone conversation begins. Through TRUSTID’s real-time telephone network forensics, banks are able to invisibly identify the physical location of the landline or mobile phone while it is still ringing.
This automated process uses the Caller ID and ANI as trusted sources for validating customers over the telephone. By restoring the usability of calling party numbers to authenticate customers over the phone channel, financial institutions can identify high-risk calls faster, as well as instantly confirm legitimate calls so bank representatives can begin serving customers at the start of each call, without relying on non-predictive and risky PII methods.