A case against using one-time passwords and KBA to authenticate customers

Posted on: November 16th, 2016 by Art Barger

One-time passwords (OTP), much like knowledge-based authentication (KBA), were once reliable sources for customer identification. In recent years, however, data breaches and the underground economy have reduced the level of security that these conventional authentication methods once provided to banks and businesses over the telephone channel.

The article, “Mobile Fraud Changes Look for Multifactor Authentication,” suggests that in today’s business environment identifying customers with OTPs such as short message service (SMS) and other KBA solutions can leave financial institutions vulnerable to malware and other man-in-the-middle scams designed to intercept banking transactions. The National Institute of Standards and Technology (NIST) even discourages the use of SMS-based two-factor authentication to identify customers.

With advanced mobile malware targeting customers’ credentials and SMS passcodes, opposition continues to grow against banks using outdated SMS and knowledge-based authentication tools to validate customers over the phone. These methods not only create a false sense of trust within a contact center environment, they also weaken the customer experience and profitable bank-customer relationships by putting callers through lengthy and frustrating telephone interrogations.

To create a seamless banking journey and protect enterprises from dangerous malware and social engineering schemes aimed at stealing personal customer information, NIST is issuing recommendations that call for banks to implement alternative authentication factors that help achieve true multifactor authentication processes that 1) validate the calling device, 2) identify the person making the call, and 3) verify what they know.

Next-generation customer identification tools like the TRUSTID® Physical Caller Authentication provide credentials that allow banks to instantly verify where the call is coming from. Before a call is picked up, TRUSTID helps banks fulfill the “something you have” criteria that NIST recommends for multifactor authentication. And by invisibly validating the risk of the call through the device’s calling location, financial institutions can create a more seamless experience for good customers who aren’t required to answer a bunch of security questions. Instead, call center agents can immediately begin addressing their issues for faster call resolution.

As for crooks who rely on banks using OTP and KBA methods so they can launch social engineering and SMS-based attacks, TRUSTID automatically removes them from the telephone system. By eliminating spoofed calls before they reach contact center operators, banks can reduce fraud losses and their associated costs while building stronger trust and loyalty with their good customers.