When it comes to stopping phone fraud, knowledge-based authentication (KBA) is sort of like placing a stop sign in the middle of the Autobahn. Sure, social engineers will see it, but there’s no way it’s the end of the road for them.
The article, “The challenge to protect your money,” defines stronger customer authentication as stacking additional security layers to strengthen challenge questions. While extra defenses may impede the criminal process, we know fraudsters are smarter and more resilient than that. Once they have an opportunity to “go to work” (aka answer challenge questions), it’s game on. And from what I’ve seen, no matter how many layers of defense you pile on to interrogate callers, well-prepared criminals sooner or later find a way around knowledge-based defenses.
Adding case sensitivity to online challenge questions may help strengthen answers to online questions, but this does little to help call centers determine the authenticity of customers over the phone.
Today, relying on sensitive customer information over the telephone channel to determine risk is inherently flawed because all questions can be answered. If thieves have done their homework, which most have, they can defeat this process by walking straight through the front door without being detected. How so? The answer shouldn’t surprise you.
The Internet has become the underground community’s biggest asset for data gathering; a treasure trove of personal information, if you will. Simply tapping into social communities can give fraudsters the data they need to create customer profiles and social engineering scams that result in account takeovers.
In my world, it really doesn’t matter how weak or strong a challenge question is; giving social engineers the opportunity to correctly answer security questions makes KBA vulnerable to fraud. To put it another way, talking to callers who have not been validated is much like leaving your contact center door open to fraud, and once they’ve got you on the phone, they have the upper hand.
When it comes to caller authentication, defending your bank from fraudulent activity shouldn’t be left up to humans to decide who’s good and who’s bad. Most of today’s security experts agree that people are the weakest link in fraud defense. To strengthen their defenses and improve overall efficiency, banks need to work smarter, not harder. Instead of deploying more non-predictive distractions that negatively impact the banking experience, businesses should be implementing automated authentication services that proactively identify callers without their knowledge. These tools are stronger, more accurate, and can speed up the customer identification process.
Authentication solutions like the TRUSTID® Physical Caller Authentication don’t give callers the chance to speak to telephone agents without first being authenticated. By providing real-time caller identification just seconds after the phone starts ringing, the call is determined good or risky before it’s picked up or routed to an operator. If the call is recognized as spoofed, it never reaches an agent. No exchange takes place between the caller and an agent. Essentially, social engineers are left at your doorstep with no way in.
And the best part is, good customers reap the benefits. By eliminating fraudulent calls from the telephone system, your customers’ private accounts are better protected. On the operational side, the significant time and money saved by not dealing with confirmed spoofed and high-risk calls allows phone reps to pick up more good calls faster, which helps improve your overall telephone banking experience.