Posts Tagged ‘knowledge-based authentication’

Growth of mobile banking reinforces need for multi-factor authentication across all customer channels

Posted on: November 21st, 2012 by art

When it comes to banking, we know customers are looking for ease and convenience. To satisfy those demands, financial institutions are doing whatever they can to provide highly efficient and secure banking environments that allow customers to bank over a number of channels. At this point, it’s safe to say the banks that don’t already offer banking services across multiple channels have missed the boat, and will probably be playing catch up for some time.

According to the report, “The Dangers of Mobile Banking,” convenience appears to be the driving factor behind the rapid growth of mobile banking. The 2011 Customer Trends Survey released some interesting findings, including that 70% of customers use their mobile devices for 24×7 banking access, while 65% said it saves them time. In other words, customers want to make payments fast and on their terms, whenever they want.

While speed and convenience top the priority list for many customers, this has created another significant challenge for banks offering new channels — security. With research firm Frost & Sullivan expecting the number of people using mobile banking services to increase from 12 million in 2009 to 45 million by 2014, it really doesn’t matter how many channels banks offer; the simple fact is that financial institutions operating without a secured environment won’t be able to retain current customers or win over new ones, no matter how fast and convenient the service is.

Last year’s FFIEC supplemental guidance outlined the blueprint for the level of security that financial institutions need to combat fraud and succeed in today’s competitive banking environment. At the heart of those requirements is customer authentication. This doesn’t mean a single type of authentication solution across all channels, but multiple security tools that give all channels true multi-layered authentication, whether the customer is paying online or requesting a bank transfer over the telephone.

The TrustID® network-based Physical Caller Authentication validates the actual physical location of the landline or mobile phone calling into a bank’s call center to identify the “something you have” device, an essential component of the FFIEC’s multi-factor authentication paradigm. By invisibly validating the Caller ID and ANI before the telephone is picked up, banks can accept business from good customers faster, saving them valuable time on their banking activity. At the same time, financial institutions can secure their telephone channel by spotting spoofed calls in real time to proactively stop criminals from getting through to socially engineer contact center agents.

Courts ruling against banks not compliant with FFIEC regulations

Posted on: November 14th, 2012 by art

A number of recent court cases have ruled against banks for failing to prevent fraudulent bank transfers. While you would think this type of liability would help motivate financial institutions to implement a multi-layered security system that meets the Federal Financial Institutions Examination Council’s (FFIEC) regulations, banks still operate without complying with the new multi-factor authentication recommendations.

In the article, “Coping with the Threat of Fraudulent Funds Transfers,” three banks that fell victim to fraud may have to pay upwards of $460,000 in damages. That’s a steep price for not implementing adequate security measures to stop the vast scope of criminal schemes, such as stolen credentials, account takeovers and social engineering, that target the financial services industry.

If today’s dangerous cyber attacks or costly court rulings aren’t enough to get banking institutions to comply with the FFIEC guidelines, I don’t know what will.

From an authentication perspective, any financial institution operating today should be in the process of implementing or evaluating its security strategy, because that’s what it takes to protect multiple banking channels against the growing list of fraud attacks. Making sure your bank has the strongest fraud detection solutions in place is essential to building the multi-layered defense that’s needed in today’s quickly changing banking environment.

This means employing at least two of the three types of authentication procedures recommended by the FFIEC for identifying banking customers across multiple banking channels, including online banking and the telephone channel. The three factors include: 1) something the user knows [e.g., password, PIN], 2) something the user has [e.g., ATM card, telephone], and 3) something the user is [e.g., biometric, fingerprint].

For financial institutions that perform high-risk transactions, this is a must. According to a legal memorandum recently published on the NC Bankers Association website, customer authentication that employs single-factor authentication such as the widely used challenge questions (otherwise known as the knowledge-based authentication (KBA) method), or even two factors of authentication that fall under the same category as defined by the FFIEC, can be defeated by today’s advanced fraud tactics, leaving customer accounts and confidential banking information susceptible to fraud.

Challenge questions are not always effective. When frequently repeated, they are more likely to be exposed to fraudsters. FFIEC guidance notes that a search engine is all it takes to discover the answer to many challenge questions, such as mother’s maiden name or year of graduation. Due to the amount of information available on the Internet, the FFIEC no longer views these basic challenge questions to be an effective risk mitigation technique. 

The ability to prevent various types of fraud attacks across all banking channels requires financial institutions to deploy multiple fraud-fighting solutions that help achieve the FFIEC’s three critical authentication factors. The TRUSTID® Physical Caller Authentication tool is a complementary customer authentication solution that fulfills the important “something the user has” category. Using undetectable network-based caller authentication to validate the Caller ID and ANI, TRUSTID helps financial institutions secure the telephone channel from fraudulent bank transfers.

TRUSTID: A one-way mirror to identifying bank phone fraud

Posted on: November 7th, 2012 by art

Phony bank callbacks. Fake robocalls. Customer impersonators socially engineering call center agents. How does anyone really know who they are talking to over the telephone these days?

Trust over the telephone channel has clearly gotten out of control; so much so that financial institutions today cannot afford to operate without effective authentication tools that allow them to identify whether they are talking to a legitimate customer or an actor hiding behind a spoofed Caller ID or ANI. If not, banking institutions and their customers will continue to fall victim to criminals who successfully socially engineer bank representatives over the phone to obtain personal information and access legitimate bank accounts.

What if you could validate the legitimacy of every call coming into your contact center before your agents even picked up the phone? How valuable would that be to your security strategy, business operations, and your overall ability to provide a better customer experience, all at the same time?

For years, banks have relied on knowledge-based authentication (KBA) tools to identify customers over the telephone. As bank fraud has evolved, particularly over the telephone channel, criminals have found ways around traditional defenses that depend on personally identifiable information (PII) to trick unsuspecting bank reps into divulging private information or allow access to customer accounts.

Various spoofing technologies and the Internet have played roles in the evolution of bank phone fraud, but if we aren’t careful our own defenses can also be counterproductive in our efforts to protect our customers and proprietary company information. Relying solely on KBA to identify banking customers over the telephone today is essentially operating under a false sense of security. If we think we are authenticating customers when in reality we are unknowingly letting more fraudsters through, we will only add to the problem and to overall fraud loss.

Stopping bank fraud over the telephone channel requires the ability to instantly authenticate inbound phone calls before they are answered. It’s that simple. This doesn’t give criminals the chance to leverage their weapon of choice — the telephone — to perpetrate fraud. And unlike KBA solutions, it doesn’t test the goodwill of our customers through identity interrogation, which is non-predictive in analyzing risk anyway.

A security solution like the TRUSTID® Physical Caller Authentication tool works like a one-way mirror to telephone fraud. Using real-time telephone network forensics to invisibly determine the authenticity of the caller’s phone number before the call is answered, TRUSTID instantly validates the physical location of the landline or mobile phone making the call. Financial institutions can use this undetectable caller authentication to stop criminals in their tracks with zero impact to the call center agent’s work time or additional telecom costs.

On the flip side, this non-intrusive method allows banks to route good customer calls to the appropriate operator pool, where a bank representative can immediately start serving their needs for a better overall customer experience.

Access to mobile phone numbers could lead to social engineering

Posted on: October 17th, 2012 by art

Let’s face it, our mobile phones have become an extension of ourselves, always within arm’s reach. The personal information that our smartphones contain goes beyond our own memory, which is exactly why criminals are so keen on targeting our phones, the data they contain and what they can unlock.

Knowing this, it continues to blow my mind when I come across articles like last week’s “Facebook lists user phone numbers for all to see.” According to the article, the world’s leading social network still makes users’ mobile phone numbers available for anyone to access. With a little bit of ingenuity, security researcher Suriya Prakash said, anyone can gain access to the one device that connects our personal and online information.

“I would consider my most ‘personal’ data saved on Facebook to be my mobile number as it is somewhat of a bridge interlinking both my personal and online life. I would not like people I don’t want getting a hold of it.”

With one billion Facebook users out there, this is a treasure trove of personal information for crooks. By collecting something as simple as a mobile phone number, a motivated criminal can begin building a profile for the purpose of social engineering an individual, as well as committing bank fraud if they can match that individual to a bank.

Yet, this is only the tip of the iceberg when it comes to gathering personal information from social websites.

Less well understood are the apps that ask you questions like, “How well do you know John Doe?” or run you through a series of personal questions such as, “What is your favorite color?” “Where was John Doe born?” or “What was John’s first car?” These are the very answers that many knowledge-based authentication (KBA) solutions rely on.

With a website like Facebook sharing personally identifiable information (PII) with the rest of the world, financial institutions need to have a customer authentication strategy in place that identifies customers over multiple channels, including the telephone channel. Using powerful, real-time telephone network forensics, the TRUSTID® Physical Caller Authentication solution validates the Caller ID and ANI before the telephone is answered. Within seconds, banking institutions can determine whether the call is authentic or spoofed. At that point, the bank can route the call based on risk to the appropriate contact center agent or IVR for processing.

Either way, leveraging TRUSTID’s effective telephone authentication tool can play an important role in preventing social engineering attempts against today’s banking institutions and achieving optimal efficiency.

Does your bank provide a quick, safe, hassle-free customer experience?

Posted on: October 10th, 2012 by art

Quick, effortless, hassle-free query resolutions are what all banking customers want. Unfortunately, in today’s complex, multi-channel banking world, that’s not always what customers get.

Today’s on-the-go customers no longer have the time to talk face-to-face with bank representatives to conduct their financial transactions. For many, the banking experience has gone 100 percent remote. As a result, the process of identifying customers online or over the telephone requires customers to provide various types of personal information to confirm they are who they say they are. These time-consuming knowledge-based authentication (KBA) methods not only test the goodwill of customers, they are not predictive of positively identifying customers.

According to the article, “5 top tips for effortless customer service,” the best banking experience for both customers and banks is one that resolves issues in a timely fashion without requiring anything from the customer. One of the ways organizations are trying to achieve this is by using contact centers to handle priority queries at the first point of engagement with the customer. While serving customers with no effort on the part of the customer is certainly the objective of most financial institutions, reaching this goal isn’t easy.

The article provides a few things businesses need to do to achieve this, which include:

  • Enable customer self-service: Different customers prefer different engagement methods. Therefore, providing a self-service approach for customers to navigate their way through a system and resolve a problem would resonate well with customers.
  • Reduce customer effort: The ability to authenticate customers without having them answer a bunch of security questions or provide personal details before they get to the business at hand would make for a better overall customer experience.
  • Minimize obstacles that get in the way: This starts with knowing your customer profile, their typical customer service journey and the problems they are likely to have. Once banks know this, they can create an effortless pathway to make it quick and easy for customers to resolve their problems.
  • Focus on problem solving, not speed: While rapid resolution is the goal, it can come at the expense of quality service. To resolve this, organizations need to have a system in place that quickly and discreetly identifies customers without requiring any effort or personally identifiable information (PII) on their part.

One way to immediately identify banking customers over the telephone without requiring PII or interrupting the customer experience is by validating the Caller ID before the call is answered. This way the customer is not put through any type of phone interrogation and the call center agent can get right to safely servicing the customer the moment they pick up the phone.

The TRUSTID® Physical Caller Authentication tool does this by automatically validating the Caller ID and ANI before the phone is answered to ensure the security of the telephone channel. By remaining invisible to criminals and non-intrusive to customers, TRUSTID identifies the physical location of the landline or mobile phone in real time so financial institutions can see when an incoming call is coming from a legitimate customer or from an entirely different location. This level of validation speeds up the customer authentication process to combat social engineering schemes conducted over the phone and allows banks to better service their customers to improve the overall customer experience.

The changing face of customer authentication

Posted on: September 26th, 2012 by art

During the past month I’ve met with the executive leadership at top tier banks (and other industries) who have direct oversight and accountability for their institution’s customer authentication policy and strategy. What I’ve heard very clearly is that there is a massive change taking place in customer authentication, and there will soon be different rules and different economics in customer service and authentication, particularly in banking. In the authentication industry, there will also be different players.

What we now know is that authentication based on “Something you know,” also known as KBA (knowledge-based authentication) — which interrogates customers with out-of-wallet questions such as “What are the last four digits of your SSN?” — is ineffective at informing a bank who it is communicating with on the other end of the transaction.

We’re told that this is true because any capable criminal can and does repeatedly pass through current identity-interrogation protocols. There’s no impediment and no real barrier thanks to the Internet, data breaches and social media sites such as Facebook, Plaxo and Ancestry.com. These companies publish boat-loads of your customer’s personal information for criminals to read, and that’s why determined criminals can beat KBA telephone interrogations 100% of the time.

I was shocked to hear repeatedly this same point of view from these leaders. While this is insightful, another thing we’ve learned from our work is that the problem is solvable. It’s solvable in both a customer friendly and bank-cost positive way.

More specifically, what we and our customers have learned is this: over 90% of incoming telephone calls present phone numbers that can be converted into very high-quality identity tokens that banks can use to provide higher quality authentication. It also turns out that about 5% of incoming telephone numbers have been intentionally altered, and that anyone can anonymize themselves this way. Even worse, phone number alteration, also referred to as spoofing or phone hacking, allows criminals to gain repeated, unchecked illegal access. While I’m not saying 5% of incoming calls are fraudulent (after all, there are legitimate reasons to alter telephone numbers), you can bet that there are criminals lurking in this 5% pool of incoming calls.

TRUSTID may be the only firm that has insight into these facts. We wouldn’t know this information if we didn’t operate as a telecommunications carrier, as we do, and have access to real-time telephone network forensics technology that we’ve developed and is now in production. We are also the only firm that has the technology to tell banks (and other industries required to authenticate customers) in real time which phone numbers are suitable as high-quality, identity-predictive authentication tokens.

So, by converting unvalidated telephone numbers into identity tokens, the authentication process becomes completely automated. By allowing financial institutions to know with great certainty who is on the other end of a call before an agent or IVR answers the phone, TRUSTID allows bank systems and their people to immediately start servicing and up-selling customers.

Our goal at TRUSTID is to simultaneously enable our clients to provide the best customer service experience possible, help grow their share-of-wallet and profitability, and reduce their call center costs by tens of millions of dollars each year. Giving banks the ability to authenticate customers without disrupting the customer experience or falling victim to social engineering can be a powerful way for them to secure their network while also meeting FFIEC demands.

The TRUSTID® Physical Caller Authentication tool is a highly complementary method for identifying customers over the telephone channel. By validating the physical location of the Caller ID and ANI, TRUSTID is making the telephone number a trusted “Something you have” credential for identifying customers while helping banks meet the true definition for multi-factor authentication.

Complying with FFIEC means understanding true multi-factor authentication

Posted on: September 12th, 2012 by art

As we inch closer to Q4 of 2012, by now every financial institution should be adhering to the supplemental FFIEC authentication guidelines released in June 2011. At this point, banks have had plenty of time to create internal initiatives to meet the updated best practice suggestions. Some reports even show that banks have invested and implemented solutions that allow them to meet the updated security standards.

While the focus is certainly there, when it comes to audits financial institutions need to make sure they clearly understand the FFIEC’s definition of layered authentication. According to the FFIEC’s updated multi-factor authentication paradigm for identifying customers, a bank needs to use at least two of the following categories for customer authentication:

1. “Something you know” (password, PIN number, personally identifiable information [PII])

2. “Something you are” (fingerprint, DNA, retinal pattern)

3. “Something you have” (ID or ATM card, security token, telephone)

The challenge with fulfilling two of the three categories is the term “two-factor authentication” can be misinterpreted. This is one of the areas that I am continually educating banks about — the FFIEC’s true definition of multi-factor authentication.

For example, using a password or PIN number together with a knowledge-based authentication (KBA) solution can appear to meet two factors of authentication, right? According to the recommendations outlined in the FFIEC’s Supplement to Authentication in an Internet Banking Environment, both fall under the same category of “Something you know,” so together they count as a single factor.

For a myriad of reasons I’ve written about time and time again, I believe this is the most vulnerable category, because passwords and PII are no longer predictive of identity. The FFIEC recognizes “Something you have” as an important component of identifying customers, and banks need to employ at least one authentication method that lies outside the knowledge-based category to meet the definition.
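To make the category rule concrete, and to show how the “identity token” idea from the earlier post (a calling number that has been validated pre-answer and is enrolled to the account) fits into it, here is an added example. It is not TRUSTID’s code and does not describe how TRUSTID’s network validation works; it assumes a hypothetical pre-answer validation service that returns one of “authentic”, “spoofed” or “indeterminate” for the presented number. The enrolled phone numbers and the sample calls are constructed test data.

```python
"""Added example (not TRUSTID's code): a pre-answer caller-validation verdict
becomes a "something you have" factor only when the number is validated AND
enrolled, and a session is multi-factor only when its factors span at least two
of the three FFIEC categories.

Assumptions (hypothetical, not from the post): the validation service returns
"authentic", "spoofed" or "indeterminate" for the presented number; the
enrolled numbers and the sample calls below are constructed test data.
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWS = "something you know"
    HAS = "something you have"
    IS = "something you are"


# Credential type -> FFIEC category. Password, PIN and KBA all land in the
# same bucket, which is exactly why password + KBA is not two factors.
FACTOR_CATEGORY = {
    "password": Category.KNOWS,
    "pin": Category.KNOWS,
    "kba": Category.KNOWS,            # challenge / out-of-wallet questions
    "validated_phone": Category.HAS,  # number validated by the network AND enrolled
    "otp_token": Category.HAS,
    "atm_card": Category.HAS,
    "fingerprint": Category.IS,
}


def is_multi_factor(presented):
    """True only when the presented credentials cover >= 2 distinct categories."""
    categories = {FACTOR_CATEGORY[p] for p in presented}
    return len(categories) >= 2


@dataclass
class Call:
    presented_number: str  # Caller ID / ANI as delivered to the contact center
    verdict: str           # "authentic" | "spoofed" | "indeterminate" (assumed API)


# Constructed sample data: enrolled phone number -> account it belongs to.
ENROLLED_PHONES = {
    "+15035550100": "acct-1001",
    "+12125550123": "acct-1002",
    "+19175550199": "acct-1002",
}


def route(call):
    """Risk-based routing decided before anyone picks up the phone.

    Pre-answer the bank knows only the number and the network verdict, so the
    decision is made on those two things alone.
    """
    if call.verdict == "spoofed":
        return "fraud_queue"          # keep it away from agents who can be socially engineered
    if call.verdict == "authentic" and call.presented_number in ENROLLED_PHONES:
        return "trusted_agent_pool"   # no interrogation needed, agent starts serving
    return "standard_ivr"             # indeterminate or unknown number: normal step-up


def phone_factor(call, claimed_account):
    """Turn the calling number into a factor, or refuse to.

    A number that merely *displays* correctly is an unvalidated claim. It only
    counts as "something you have" when the network says it is genuine and it
    is enrolled to the account the caller claims once the call is answered.
    """
    if call.verdict != "authentic":
        return None
    if ENROLLED_PHONES.get(call.presented_number) != claimed_account:
        return None
    return "validated_phone"


def authenticate(call, claimed_account, knowledge_factors=()):
    """Combine what the caller knows with what the phone proves; return (ok, factors)."""
    factors = list(knowledge_factors)
    pf = phone_factor(call, claimed_account)
    if pf:
        factors.append(pf)
    return is_multi_factor(factors), factors


if __name__ == "__main__":
    good = Call("+15035550100", "authentic")
    spoofed = Call("+15035550100", "spoofed")     # right number on the display, wrong network
    unknown = Call("+15035550199", "authentic")   # genuine phone, but not one on file
    print("password + KBA is MFA?", is_multi_factor(["password", "kba"]))  # False
    print("PIN + validated phone:", authenticate(good, "acct-1001", ["pin"]))  # (True, ...)
    for c in (good, spoofed, unknown):
        print(c.presented_number, c.verdict, "->", route(c))
```

The two checks are deliberately separate: `route()` runs before the call is answered on the number and verdict alone, while `phone_factor()` also requires that the validated number be enrolled to the account the caller actually claims, so a genuine phone that is not on file drops back to the normal step-up path instead of silently becoming a factor.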

The ability to authenticate customers without disrupting the customer experience or falling victim to social engineering can be a powerful way for financial institutions to secure their network while also meeting FFIEC demands. The TRUSTID® Physical Caller Authentication tool is a highly complementary method for identifying customers over the telephone channel. By validating the physical location of the Caller ID and ANI, TRUSTID is making the telephone number a trusted “Something you have” credential for identifying customers while helping banks meet the true definition for multi-factor authentication.

Why customer authentication needs to go straight to the source

Posted on: September 5th, 2012 by art

As financial institutions diligently perform ongoing risk assessments, there has been a lot of push for banks to implement out-of-band authentication solutions to protect their corporate assets and private information.

While I agree it’s important for banking institutions to invest in a layered security strategy to fight everything from card fraud to corporate account takeover, it is my opinion that placing too much emphasis on a verification method that is expensive and frustrating to customers is misleading financial institutions into investing in a solution that, over time, can ultimately be defeated by criminals.

The BankInfoSecurity article, “Banks’ Top Anti-Fraud Investments,” makes some valid points in the types of anti-fraud strategies that banks and credit unions need to deploy to better identify fraud and other malicious activities. However, instead of spotlighting out-of-band authentication, banks would be better off focusing on their core security requirements first rather than investing millions of dollars in out-of-band authentication, or so says Gartner fraud and security analyst, Avivah Litan.

What financial institutions should really be considering are solutions that validate and identify the criminal’s actual device, such as the telephone, that is used to commit bank fraud over the phone channel. As contact center agents field billions of calls each year, banking institutions need to secure the call center, which remains prone to fraud and other advanced social engineering scams.

By focusing on the “something you have” component, fraud managers are going right after the weapon being used to commit the crime without having to employ out-of-wallet security questions or conduct long telephone interrogations that are vulnerable to clever scams that can fool these and other knowledge-based authentication (KBA) techniques.

The thing that distinguishes the TRUSTID® Physical Caller Authentication tool from other anti-fraud solutions is it goes straight to the source of the crime — the telephone’s physical location — to invisibly validate the Caller ID and ANI before the call is even answered. Having this level of real-time intelligence to determine if a caller is genuine or a risk can play a key role in a bank’s ability to identify and reduce fraud rates.

Re-establishing Caller ID as a trusted source for customer authentication

Posted on: August 29th, 2012 by art

From a security standpoint, Caller ID, in recent years, has been dead in the water.

For decades, financial institutions relied on Caller ID and ANI to identify calling party numbers for things like new account applications, bank card activation, money transfers and servicing customers. But times have changed.

Today, criminals have access to too many tools, too many resources, and have gathered too much information they can use to socially engineer a bank’s contact center. The Caller ID just happens to be the telephonic “mask” that crooks hide behind to fool unsuspecting call center agents into thinking they are someone else.

Criminals are so good at spoofing Caller ID and using personal information to defeat knowledge-based authentication (KBA) solutions that the Caller ID and ANI have become unvalidated claims that are no longer effective in customer identification. Yet, many banks still rely heavily on personally identifiable information (PII), including the Caller ID, to identify their customers.

Placing a high amount of trust in “what you know” methods of authentication today can leave your customers and confidential data vulnerable to sophisticated telephone-based scams. In fact, relying solely on KBA may be more dangerous than not using it at all. In other words, if a bank rep is fooled into believing the lie cooked up through Caller ID spoofing and social engineering, crooks have set the stage to commit fraud right under their nose. This alone should be enough to put financial institutions on guard, particularly as more and more studies find that telephone-based fraud is on the rise.

According to the recent Dark Reading article, “Phone Fraud Up 30 Percent,” nine out of 10 U.S. banks have been targeted in one way or another by phone fraudsters. Criminals are using the telephone to defraud banks because it’s easier to trick someone over the phone into divulging private information than to get past a firewall or break into a website.

For some time now, Caller ID has not been a trustworthy source that banks can count on to validate their customers. But the TRUSTID® Physical Caller Authentication solution is changing all of that.

By automatically validating the physical location of the telephone calling into a contact center before the call is answered, bank agents are no longer fooled by Caller ID spoofing or social engineering schemes, because the call has already been validated by the time the phone is picked up. This innovative, proactive approach to customer authentication is helping re-establish Caller ID and ANI as trusted sources for authenticating customers and, once again, making the telephone channel a secure, cost-effective channel to do business and service customers.

Is your call center one of the weakest links in your security chain?

Posted on: August 22nd, 2012 by art

There has been a growing sentiment within the fraud-fighting community about the efficacy of ‘what you know’ anti-fraud methods. The recent disclosure of a two-year account takeover scheme against Bank of America seems to illustrate where we are as an industry, where we need to be, and that even the most reputable and highly secured financial institutions like BofA face the daily challenge of balancing fraud and the customer experience.

In the BankInfoSecurity.com article, “Takeover Scheme Targets Bank of America,” seven people were accused of stealing more than $350,000 in fraudulent funds transfers. The scam, which authorities say was largely orchestrated through the bank’s online and telephone channels, underscores the need for financial institutions to improve their cross-channel fraud detection capabilities, said Jason Malo, who covers financial fraud for CEB TowerGroup.

“‘What you know’ is, by itself, not good enough for the online channel. It shouldn’t be good enough for the other channels.”

He goes on to say that criminals are increasingly exploiting vulnerabilities in security systems that rely on knowledge-based authentication (KBA) to identify banking customers.

“There seem to be more incidents involving customer-support channels. The breakdown here seems to be at the account-opening level, where the runners had information on the accountholder and were able to answer security questions about the account.”

This echoes something I’ve been saying all along — how KBA solutions alone are no longer effective against today’s social engineering schemes. Even Gartner fraud analyst, Avivah Litan, agrees. She concluded that the fraudsters in this particular case probably found it easy to trick BofA call center agents into divulging the personal information they needed to add sub-accounts to existing accounts to transfer stolen funds from. It’s a growing fraud practice, she says, that stems from security weaknesses in the telephone channel.

“Banks need to pay more attention to call-center identity-proofing practices. This has been notoriously weak at banks, and is one of the weakest links in their security chain.”

Coming from one of the fraud industry’s leading authorities, I’d say banks need to sit up and take note. In my opinion, this says it all. To protect banking customers and their accounts, financial institutions need to add the ‘something you have’ authentication component to their existing security arsenal to effectively fight and prevent bank fraud over the telephone channel.

The TRUSTID® Physical Caller Authentication solution does just that. By validating the physical location of the telephone used to call a bank’s contact center before the phone is answered, TRUSTID provides a complementary solution to other anti-fraud methods, including KBA, to give banking institutions true multi-factor authentication that’s often missing in many of today’s cross-channel fraud defenses.

“Authentication without caller involvement materially improves the customer experience, especially for ‘premier accounts.’ TRUSTID will greatly assist with not only customer service, but also with board level compliance issues.”

– CISO, top 10 global bank
“As less customer PII is made available to our contact center advocates for identity validation, our enterprise risk of a costly data breach is dramatically decreased.”

– CSO, global financial company

“Offshore agents are highly vulnerable to fraud schemes and social engineering. TRUSTID’s solution enables informed routing decisions, optimizing agent cost reduction programs.”

– CISO, top 10 global bank
“Since it is now commonly sold by criminals, personal information for identity authentication is no longer the single solution to identity resolution. The value of knowing reliably that a customer is calling from their phone is far better security than knowing the last four digits of someone’s SSN.”

– VP of Card Fraud, large international bank