Is KBA a step backwards in caller authentication?

Posted on: July 23rd, 2015 by Art Barger

A recent fraud case provides 200 million reasons why knowledge-based authentication (KBA) solutions are no longer valid for customer validation.

According to the article “Breached PII: Why KBA Has to Go,” a Vietnamese hacker was convicted of stealing and selling the identities of 200 million U.S. citizens. The personal data behind more than three million queries on the fraudulent website included names, dates of birth, Social Security numbers, bank account numbers and bank routing numbers. And this is just a single operation. If this isn’t telling us how dangerous it is to rely on personally identifiable information (PII) to authenticate customers, then I don’t know what is.

For years now, I’ve been writing about the risk of trusting PII for customer identification over the telephone channel. While the industry is slowly but surely coming to this overdue realization, we still have a ways to go.

John Buzzard, payments fraud manager at FIS Global, said sophisticated fraud operations like these should be a wakeup call for banking institutions to enhance their customer authentication processes.

“The mere presence of so much powerful data in the hands of criminals should remind everyone that multilayered security and authentication needs to be standard practice and less of an option.”

Over the past handful of years, stolen PII has been one of the biggest assets used by criminals to perpetrate fraud over the telephone channel. Trusting personal information to authenticate customers over the telephone is one of the slowest and weakest ways to identify callers today.

Think about it. Investing in tens or maybe hundreds of thousands of lengthy interrogations between your call center agents and customers each year not only increases your annual operating costs, it doesn’t do anything to improve efficiencies, enhance your authentication process or protect your customers. In fact, I would argue that it puts your phone channel and customers at greater risk when you’re relying on data that can be specifically used to trick reps into divulging private and proprietary information.

Not only is using sensitive customer data no longer needed to validate customers, it could very well be taking a step backwards in call center authentication. Here’s why.

First, security questions add precious seconds to each call. This drives up labor costs that can increase by tens of thousands of dollars over the course of a year. Second, because we know criminals already have their hands on billions of personal details, PII is not predictive for authenticating callers anymore. Relying on it is trusting information that should not be trusted. It’s as simple as that.

As we continue to read about large data breaches and more records continue to be compromised, Javelin fraud and security analyst Al Pascual says KBA should not be used to validate identities. At TRUSTID, we support this argument. To strengthen customer authentication across all customer channels, KBA should be removed from the process. Keeping it in the mix leaves the door open to fraud and other abuses that are unwanted in today’s contact center environment.