As if we needed more examples of why single factor of authentication doesn’t protect banks against fraud, the Wells Fargo fake accounts scandal highlights the threats financial institutions face both externally and from within, each day.
According to the article, “Wells Fargo’s Failure to Authenticate Led to Sham Accounts,” had the banking giant simply complied with the Federal Financial Institutions Examination Council’s guidelines for multi-factor authentication across all customer channels, it may have avoided the unethical employee conduct and the fallout it has experienced since the fake accounts were reported in September.
This reinforces the importance of understanding what it means to use separate factors to authenticate customers across all channels. For example, using three pieces of personal information like someone’s date of birth, mother’s maiden name and Social Security number are not separate factors, but three credentials of the single, knowledge-based factor. In other words, a bank can ask a customer a dozen or more questions, but this doesn’t mean it has captured 12 different factors of authentication. In fact, it’s actually captured only one — the “something the user knows” factor.
To comply with the FFIEC’s guidelines of true multi-factor authentication, financial institutions need to cover at least two of three different ways to verify a customer. Along with the 1) “something the user knows” category, which includes personal data, passwords and PINs, there’s 2) “something the user has,” which can be an ATM card, telephone or token, and 3) “something the user is,” which includes biometric identifiers like a voiceprint or fingerprint. These are the FFIEC’s recommended three methods of verification.
If a bank’s authentication process falls short of using at least two of these factors, it creates a greater risk of fraud across it’s entire customer environment. This is why it is important to employ a cross examination of authentication methodologies for all banking transactions.
Requiring the customer’s consent with each interaction, along with multiple types of credentials to validate who they are, can help banks detect outside threats or fraudulent behavior that’s taking place within a system, as in the case of Wells Fargo. And doing so through automated authentication tools like the TRUSTID® Physical Caller Authentication solution allows banks to identify activities earlier in the process, and without the customer’s knowledge, to create a more satisfying and secure banking experience.