Are social engineers getting a free pass on authentication?

Posted on: March 02nd, 2017 by Art Barger

Many banks still authenticate customers with login credentials that rest on knowledge-based information. Using personal data to authenticate customers is a major risk for a business because it amounts to a "fill-in-the-blanks" approach to identification: anyone who can fill in the blanks is treated as the customer. Whichever channel your customers prefer to bank on, relying on security questions or telephone interrogations to identify them gives social engineers a far better chance of beating a knowledge-based authentication (KBA) defense than of beating automated authentication, which validates the customer behind the scenes without asking anything the fraudster could have looked up.

According to the article "Social Engineering Scams Evolve & Threaten Financial Institutions," an Agari survey of U.S. security leaders found that 94 percent consider social engineering a significant business threat, and that 65 percent of attacks involve login credentials. If fraudsters are using login credentials to get into customers' financial accounts, then we need to steer away from KBA methods, which are highly susceptible to social engineering scams.

Personal data collected online or purchased on an underground website is exactly the data that KBA tools ask for: date of birth, mother's maiden name, or the last four digits of a Social Security number. Armed with customer data they have stolen or bought on the Internet, attackers can answer the questions and get into the account, hijack it by changing the password, or quickly move money to another account.

The same is true for contact centers. With the right information in hand, a social engineer can pass a telephone interrogation simply by answering the bank agent's challenge questions correctly, which gives the fraudster a free pass on authentication.

Like any test, KBA asks customers to answer a set of questions from personal knowledge and memory, and even legitimate customers sometimes fail it. Social engineers, on the other hand, are cheaters who have stolen the answer key. With the cheat sheet in hand, they can pass the test and gain access to other people's accounts.
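To make the "cheat sheet" point concrete, here is a small added example (not code from the original post or from any vendor named on the page) that models a KBA check over the three fields the article names. It uses a constructed customer record and a constructed partial breach record, both invented for the illustration, and computes exactly how often an attacker holding some of the answers passes a challenge of randomly chosen questions. It also shows that once the attacker holds the full record, no choice of questions lets the KBA layer tell the attacker and the real customer apart.

```python
from fractions import Fraction
from itertools import combinations

# Constructed sample record for one customer (not real data). The fields are
# the ones the article names as typical KBA questions.
CUSTOMER_ON_FILE = {
    "dob": "1979-04-12",
    "mothers_maiden_name": "Alvarez",
    "ssn_last4": "4821",
}

# Constructed "underground" dump of the same person: two of the three fields
# have leaked. Whoever holds this can answer those two questions exactly as
# the real customer would.
BREACH_RECORD = {
    "dob": "1979-04-12",
    "ssn_last4": "4821",
}


def kba_verify(on_file, answers, asked):
    """Knowledge-based check as a login form or a contact-centre agent applies
    it: the caller passes only if every asked field matches the record on file.
    The verdict depends on nothing but the answers supplied."""
    return all(answers.get(field) == on_file[field] for field in asked)


def distinguishable(on_file, legit_answers, attacker_answers, num_asked):
    """Does ANY challenge of `num_asked` questions drawn from the fields on
    file produce a different verdict for the real customer and the attacker?
    If not, the KBA layer has zero power to separate them."""
    fields = tuple(on_file)
    for asked in combinations(fields, num_asked):
        if kba_verify(on_file, legit_answers, asked) != kba_verify(
            on_file, attacker_answers, asked
        ):
            return True
    return False


def attacker_pass_rate(on_file, attacker_answers, num_asked):
    """Exact probability that an attacker holding `attacker_answers` passes a
    challenge of `num_asked` questions chosen uniformly at random from the
    fields on file. Counts the challenge subsets fully covered by the
    attacker's cheat sheet; returned as a Fraction so the result is exact."""
    fields = tuple(on_file)
    challenges = list(combinations(fields, num_asked))
    passed = sum(kba_verify(on_file, attacker_answers, asked) for asked in challenges)
    return Fraction(passed, len(challenges))


if __name__ == "__main__":
    # Full dump: the attacker's answer sheet equals the record on file, so the
    # verifier returns the same verdict for both parties on every challenge.
    full_dump = dict(CUSTOMER_ON_FILE)
    for n in (1, 2, 3):
        print(f"{n} question(s), full dump, distinguishable:",
              distinguishable(CUSTOMER_ON_FILE, CUSTOMER_ON_FILE, full_dump, n))

    # Partial dump: asking more questions lowers the attacker's odds but only
    # closes the door when every field on file is one the attacker lacks.
    for n in (1, 2, 3):
        print(f"{n} question(s), partial dump, attacker pass rate:",
              attacker_pass_rate(CUSTOMER_ON_FILE, BREACH_RECORD, n))
```

With the constructed partial dump, a one-question challenge lets the attacker through two times in three and a two-question challenge one time in three; only asking all three fields shuts the attacker out, and only until the third field leaks too. With a full dump the verifier cannot distinguish the two parties for any number of questions, which is the situation the article describes.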

Automated authentication tools like the TRUSTID® Physical Caller Authentication solution remove the test, whether it takes the form of security questions or a telephone interrogation, to better protect your banking environment against social engineering and other fraud scams. When a prepared fraudster has no list of questions to answer, there is nothing to beat. The game is over before it starts.

By automatically assessing the level of risk before a caller answers a single question, you remove the social engineer's free pass to authentication. That creates a more secure environment in which legitimate customers can resolve issues faster and make financial transactions with confidence.