In Caller-ID Spoofing we discussed how difficult it is to verify a caller. Why does that matter? Because banks are losing millions of dollars in fraudulent telephony transactions every day from callers impersonating legitimate callers.
Fraudsters are routinely spoofing caller-id and other call metadata. The problem is so common that when you make a call to transfer funds from your account, the call agent at the other end does not even rely on the Caller-ID to authenticate you. Instead, the agent is going to ask you several questions to establish it is really you on the call. This is called knowledge-based authentication or KBA.
This can work several ways. For some organizations, the questions are answers you have previously provided. In other words, you have previously supplied your mother’s maiden name and you are asked to repeat it. Unfortunately, such questions are not very effective for secure authentication. Researchers published the results of a study almost five years ago demonstrating the problems with such security questions. Cyber criminals can either guess answers to questions easily or worse, they know what we know anyway.
More recently, third parties known as data aggregators are selling information about you (old address, year an account was opened, mortgage amount etc.) back to the banks. Such information is used to craft questions for which answers are hard to guess or know if you are not the correct user. Unfortunately, this has created a new set of problems. First, you are more likely to be unable to recall the information required to answer the questions– in fact Avivah Litan at Gartner reported that Gartner clients estimated failure rates for this type of KBA at 10%-15% for legitimate customers. Worse, the data aggregators, which comprise a very tempting target, have been compromised, allowing attackers to gain even more information to use to social engineer their way into your accounts.
Even when KBA works and bad guys are caught not knowing the answer, they frequently are allowed to proceed. Why? Because they skillfully argue that they are legitimate and the contact center representative, with customer service being the top concern, allows the transaction to complete. Clearly, we need a better solution than KBA to secure transactions over the telephony channel.
Next we’ll discuss how we address the weaknesses of KBA.