A New Low for Knowledge-Based Authentication?03.05.2018
In preparation for some upcoming research here at Javelin, I had the pleasure of walking through a handful of IDV processes, with ample reminders as to why we as an industry desperately need to step up our game. The low point, by far, was when I was asked to answer this question as part of a dynamic knowledge-based authentication quiz based (presumably) on my credit report:
As I scoured Google maps to find the correct answer (first red flag), I had plenty of time to consider the merits and flaws of this approach. Even by knowledge-based authentication standards, this question fails on two levels:
- First, it’s trivial for fraudsters to correctly answer the question. Obviously, I (or a fraudster impersonating me) had just supplied my home address as part of the previous screen, so identifying the nearest cross street is simply a matter of popping over to Google maps and plugging the home address and each of the streets in the prompt. This does not require purchasing stolen data or sophisticated social engineering, or even any computer skills more robust than the ability to operate a browser and conduct a Google search.
- Second, it’s questionable whether the legitimate user will know the information offhand. There is a certain sense in which I like the concept of this question; the legitimate owner of the identity is likely to have spent plenty of time navigating around their home address, so they should quickly be able to identify a nearby cross street, right? That’s probably true if the street selected is a decent thoroughfare, but in this case the correct answer was a relatively obscure cross street several blocks deeper into a residential subdivision I had never had cause to visit – hence my trip to Google.
Regardless of how easily the user is able to access or remember the answer to the question, the user should have some confidence that they can get that information more easily than a fraudster could. In this case, knowing that I was using the same methodology that a fraudster would use to find the answer to this question instilled zero confidence in the security of the system.
More fundamentally, financial services companies need to move away from knowledge-based authentication (dynamic or static) when verifying users’ identities. There are plenty of promising alternatives that can facilitate both a positive user experience and give headaches to fraudsters, which we explore in our 2017 Identity Proofing Platform Scorecard:
- Document scanning. Presence of a valid identification document that passes scrutiny significantly reduces the risk of an applicant with valid PII being a fraudster who has obtained that information through a breach or social engineering. These solutions can be used to prefill information so as to lower the burden on customers to do the same.
- Device reputation/mobile network operator data. Confirming that the device is associated with positive activity and that the mobile phone has reasonable tenure and is associated with the same individual both provides confirmation of PII provided earlier in the application process and offers more robust checks against script-based attacks attempting to open large numbers of accounts.
- User behavior analytics/behaviometrics. Looking for unique patterns of interaction with input devices, e.g. keyboard, mouse, or touchscreen, can assess everything from suspicious velocity — attempting multiple applications within minutes — to aberrant navigation patterns within an online portal.
The identity proofing model for financial services should be a layered approach, using multiple technologies, none of which imposes a necessarily insuperable barrier to fraudsters, but where each solution addresses the weaknesses of other tools in use. Financial service providers need to recognize that ensuring a positive customer experience doesn’t just mean providing an easy IDV process, it also means offering tangible assurance of security. It’s time to do away with KBA.
Kyle Marchini is a senior analyst in the fraud and security practice of Javelin Strategy and Research.