Minimize Fraud Losses

Round 1 – Pick your corner

---by Monica Bellflower

There seems to be two viewpoints in the market today about knowledge based authentication: one positive, one negative.  Depending on the corner you choose, you probably view it as either a tool to help reduce identity theft and minimize fraud losses, or a deficiency in the management of risk and the root of all evil.  The opinions on both sides are pretty strong, and biases “for” and “against” run pretty deep.

One of the biggest challenges in discussing knowledge based authentication as part of an organization’s identity theft prevention program, is the perpetual confusion between dynamic out-of-wallet questions and static “secret” questions.  At this point, most people in the industry agree that static secret questions offer little consumer protection.  Answers are easily guessed, or easily researched, and if the questions are preference based (like “what is your favorite book?”) there is a good chance the consumer will fail the authentication session because they forgot the answers or the answers changed over time.

Dynamic knowledge based authentication, on the other hand, presents questions that were not selected by the consumer.  Questions are generated from information known about the consumer – concerning things the true consumer would know and a fraudster most likely wouldn’t know.  The questions posed during knowledge based authentication sessions aren’t designed to “trick” anyone but a fraudster, though a best in class product should offer a number of features and options.  These may allow for flexible configuration of the product and deployment at multiple points of the consumer life cycle without impacting the consumer experience.

The two are as different as night and day.  Do those who consider “secret questions” as knowledge based authentication consider the password portion of the user name and password process as KBA, as well?  If you want to hold to strict logic and definition, one could argue that a password meets the definition for knowledge based authentication, but common sense and practical use cause us to differentiate it, which is exactly what we should do with secret questions – differentiate them from true knowledge based authentication.

Knowledge based authentication can provide strong authentication or be a part of a multifactor authentication environment without a negative impact on the consumer experience.  So, for the record, when we say knowledge based authentication we mean dynamic, out of wallet questions, the kind that are generated “on the fly” and delivered to a consumer via “pop quiz” in a real-time environment; and we think this kind of knowledge based authentication does work.  As part of a risk management strategy, knowledge based authentication has a place within the authentication framework as a component of risk based authentication… and risk based authentication is what it is really all about.

--by Matt Ehrlich

In my last entry, I talked about the challenges clients face in trying to meet multiple and complex regulatory requirements, such as FACT Act’s Red Flags Rule and the USA Patriot Act.  While these regulations serve both different and shared purposes, there are some common threads between the two:

1. You must consider the type of accounts and methods of account opening: The type of account offered - credit or deposit, consumer or business – as well as the method of opening – phone, online, or face-to-face – has a bearing on the steps you need to take and the process that will be established.

2. Use of consumer name, address, and identification number:The USA Patriot Act requires each of these – plus date of birth – to open a new account.  Red Flags stops short of “requiring” these for new account openings, but it consistently illustrates the use of these Personally Identifiable Information (PII) elements as examples of reasonable procedures to detect red flags.

3. Establishing identity through non-documentary verification:Third party information providers, such as a credit reporting agency or data broker, can be used to confirm identity, particularly in the case where the verification is not done in person.

Knowing what’s in common means you can take a look at where to leverage processes or tools to gain operational and cost efficiencies and reduce negative impact on the customer experience.  For example, if you’re using any authentication products today to comply with the USA Patriot Act and/or minimize fraud losses, the information you collect from consumers and authentication steps you are already taking now may suffice for a large portion of your Red Flags Identity Theft Prevention Program. 

And if you’re considering fraud and compliance products for account opening or account management – it’s clear that you’ll want something flexible that, not only provides identity verification, but scales to the compliance programs you put in place, and those that may be on the horizon.

-- by Keir Breitenfeld
 
In my last blog posting, I presented the foundational elements that enable risk-based authentication.  These include data, detailed and granular results, analytics and decisioning.  The inherent value of risk-based authentication can be summarized as delivering an holistic assessment of a consumer and/or transaction with the end goal of applying the right authentication and decisioning treatment at the right time.  The opportunity, especially, to minimize fraud losses using fraud analytics as part of your assessment is significant.

What are some residual values of risk-based authentication? 

1. Minimized fraud losses involves the use of fraud analytics, and a more comprehensive view of a consumer identity (the good and the bad), in combination with consistent decisioning over time.  This analysis will outperform simple binary rules and more subjective decisioning.

2. Improved consumer experience.  By applying the right authentication and  treatment at the right time, consumers are subjected to processes that are proportional to the risk associated with their identity profile.  This means that lower-risk consumers are less likely to be put through more arduous courses of action, preserving a streamlined and often purely “behind the scenes” authentication process for the majority of consumers and potential consumers.  In other words, you are saving the pain for the bad guys -- and that can be a good thing.

3. Operational efficiencies can be successful with the implementation of a well-designed program. Much of the decisioning can be done without human intervention and subjective contemplation.  Use of score-driven policies affords businesses the opportunity to use automated authentication processes for the majority of their applicants or account management cases.  Fewer human resources will be required which usually means lower costs.  Or, it can mean the human resources you possess are more appropriately focused on the applications or transactions that warrant such attention.

4. Measurable performance is critical because understanding the past and current performance of risk-based authentication policies allows for the adjustment over time of such policies.  These adjustments can be made based on evolving fraud risks, resource constraints, approval rate pressures, and compliance requirements, just to name a few.  Given its importance, Experian recommends performance monitoring for our clients using our authentication products. 

In my next posting, I’ll discuss some best practices associated with implementing and managing a risk-based authentication program.