During the past month I’ve met with the executive leadership at top-tier banks (and other industries) who have direct oversight and accountability for their institution’s customer authentication policy and strategy. What I’ve heard very clearly is that there is a massive change taking place in customer authentication, and there will soon be different rules and different economics in customer service and authentication, particularly in banking. In the authentication industry, there will also be different players.
What we now know is that authentication based on “Something you know,” also known as KBA (knowledge-based authentication) — which interrogates customers with out-of-wallet questions such as “What are the last four digits of your SSN?” — is ineffective at informing a bank who it is communicating with on the other end of the transaction.
We’re told that this is true because any capable criminal can and does repeatedly pass through current identity-interrogation protocols. There’s no impediment and no real barrier thanks to the Internet, data breaches and social media sites such as Facebook, Plaxo and Ancestry.com. These companies publish boat-loads of your customers’ personal information for criminals to read, and that’s why determined criminals can beat KBA telephone interrogations 100% of the time.
I was shocked to repeatedly hear this same point of view from these leaders. While this is insightful, another thing we’ve learned from our work is that the problem is solvable. It’s solvable in both a customer-friendly and bank-cost-positive way.
More specifically, what we and our customers have learned is this: over 90% of incoming telephone calls present phone numbers that can be converted into very high-quality identity tokens that banks can use to provide higher quality authentication. It also turns out that about 5% of incoming telephone numbers have been intentionally altered, and that anyone can anonymize themselves this way. Even worse, phone number alteration, also referred to as spoofing or phone hacking, allows criminals to gain repeated unchecked illegal access. While I’m not saying 5% of incoming calls are fraudulent (after all, there are legitimate reasons to alter telephone numbers), you can bet that there are criminals lurking in this 5% pool of incoming calls.
TRUSTID may be the only firm that has insight into these facts. We wouldn’t know this information if we didn’t operate as a telecommunications carrier, as we do, and have access to real-time telephone network forensics technology that we’ve developed and that is now in production. We are also the only firm that has the technology to tell banks (and other industries required to authenticate customers) in real time which phone numbers are suitable as high-quality, identity-predictive authentication tokens.
So, by converting unvalidated telephone numbers into identity tokens, the authentication process becomes completely automated. By allowing financial institutions to know with great certainty who is on the other end of a call before an agent or IVR answers the phone, TRUSTID allows bank systems and their people to immediately start servicing and up-selling customers.
Our goal at TRUSTID is to simultaneously enable our clients to provide the best customer service experience possible, help grow their share-of-wallet and profitability, and reduce their call center costs by tens of millions of dollars each year. Giving banks the ability to authenticate customers without disrupting the customer experience or falling victim to social engineering can be a powerful way for them to secure their network while also meeting FFIEC demands.
The TRUSTID® Physical Caller Authentication tool is a highly complementary method for identifying customers over the telephone channel. By validating the physical location of the Caller ID and ANI, TRUSTID is making the telephone number a trusted “Something you have” credential for identifying customers while helping banks meet the true definition of multi-factor authentication.