Out Of Wallet

Round 1 – Pick your corner

---by Monica Bellflower

There seems to be two viewpoints in the market today about knowledge based authentication: one positive, one negative.  Depending on the corner you choose, you probably view it as either a tool to help reduce identity theft and minimize fraud losses, or a deficiency in the management of risk and the root of all evil.  The opinions on both sides are pretty strong, and biases “for” and “against” run pretty deep.

One of the biggest challenges in discussing knowledge based authentication as part of an organization’s identity theft prevention program, is the perpetual confusion between dynamic out-of-wallet questions and static “secret” questions.  At this point, most people in the industry agree that static secret questions offer little consumer protection.  Answers are easily guessed, or easily researched, and if the questions are preference based (like “what is your favorite book?”) there is a good chance the consumer will fail the authentication session because they forgot the answers or the answers changed over time.

Dynamic knowledge based authentication, on the other hand, presents questions that were not selected by the consumer.  Questions are generated from information known about the consumer – concerning things the true consumer would know and a fraudster most likely wouldn’t know.  The questions posed during knowledge based authentication sessions aren’t designed to “trick” anyone but a fraudster, though a best in class product should offer a number of features and options.  These may allow for flexible configuration of the product and deployment at multiple points of the consumer life cycle without impacting the consumer experience.

The two are as different as night and day.  Do those who consider “secret questions” as knowledge based authentication consider the password portion of the user name and password process as KBA, as well?  If you want to hold to strict logic and definition, one could argue that a password meets the definition for knowledge based authentication, but common sense and practical use cause us to differentiate it, which is exactly what we should do with secret questions – differentiate them from true knowledge based authentication.

Knowledge based authentication can provide strong authentication or be a part of a multifactor authentication environment without a negative impact on the consumer experience.  So, for the record, when we say knowledge based authentication we mean dynamic, out of wallet questions, the kind that are generated “on the fly” and delivered to a consumer via “pop quiz” in a real-time environment; and we think this kind of knowledge based authentication does work.  As part of a risk management strategy, knowledge based authentication has a place within the authentication framework as a component of risk based authentication… and risk based authentication is what it is really all about.

-- By Ken Pruett

Earlier this week I blogged about some of the other types of frauds that impact our customers such as “never pay” and “bust out” fraud. Today I want to touch a bit on some of the third party fraud scenarios that are often top of mind with our customers: identity theft; synthetic identities; and account takeover.  

Identity Theft
Identity theft usually occurs during the acquisition stage of the customer life cycle. Simply put, identity theft is the use of stolen identity information to fraudulently open up a new account.  These accounts do not have to be just credit card related. For example, there are instances of people using others identities to open up wireless phone and utilities accounts 

Recent fraud trends show this type of fraud is on the rise again after a decrease over the past several years.  A recent Experian study found that people who have better credit scores are more likely to have their identity stolen than those with very poor credit scores. It does seem logical that fraudsters would likely opt to steal an identity from someone with higher credit limits and available purchasing power.  This type of fraud gets the majority of media attention because it is the consumer who is often the victim (as opposed to a major corporation). 

Fraud changes over time and recent findings show that looking at data from a historical perspective is a good way to help prevent identity theft.  For example, if you see a phone number being used by multiple parties, this could be an indicator of a fraud ring in action.  Using these types of data elements can make your fraud models much more predictive and reduce your fraud referral rates. 

Synthetic Identities
Synthetic Identities are another acquisition fraud problem.  It is similar to identity theft, but the information used is fictitious in nature.  The fraud perpetrator may be taking pieces of information from a variety of parties to create a new identity.  Trade lines may be purchased from companies who act as middle men between good consumers with good credit and perpetrators who creating new identities.   This strategy allows the fraud perpetrator to quickly create a fictitious identity that looks like a real person with an active and good credit history. 

Most of the trade lines will be for authorized users only.  The perpetrator opens up a variety of accounts in a short period of time using the trade lines. When creditors try to collect, they can’t find the account owners because they never existed.  As Heather Grover mentioned in her blog, this fraud has leveled off in some areas and even decreased in others, but is probably still worth keeping an eye on.  One concern on which to focus especially is that these identities are sometimes used for bust out fraud. 

The best approach to predicting this type of fraud is using strong fraud models that incorporate a variety of non-credit and credit variables in the model development process.  These models look beyond the basic validation and verification of identity elements (such as name, address, and social security number), by leveraging additional attributes associated with a holistic identity -- such as inconsistent use of those identity elements.

Account Takeover
Another type of fraud that occurs during the account management period of the customer life cycle is account takeover fraud.  This type of fraud occurs when an individual uses a variety of methods to take over an account of another individual. This may be accomplished by changing online passwords, changing an address or even adding themselves as an authorized user to a credit card.  

Some customers have tools in place to try to prevent this, but social networking sites are making it easier to obtain personal information for many consumers.  For example, a person may have been asked to provide the answer to a challenge question such as the name of their high school as a means to properly identify them before gaining access to a banking account.  Today, this piece of information is often readily available on social networking sites making it easier for the fraud perpetrators to defeat these types of tools. 

It may be more useful to use out of wallet, or knowledge-based authentication and challenge tools that dynamically generate questions based on credit or public record data to avoid this type of fraud. 

 I’ve talked (sorry, blogged) previously about taking a risk-based approach to reconciling initial Red Flag Rule conditions in your applications, transactions, or accounts.  In short, that risk-based approach incorporates a more holistic view of a consumer in determining overall risk associated with that identity.  This risk can be assessed via an authentication score, alternate data sources and/or verification results.  I also want to point out the potential value of knowledge-based authentication (a.k.a. out-of-wallet questions) in providing an extra level of confidence in progressing a consumer transaction or application in light of an initially detected Red Flag condition.

In Experian’s Fraud and Identity Solutions business, we have some clients who are effectively embedding the use of knowledge-based authentication into their overall Red Flags Identity Theft Prevention Program.  In doing so, they are able to identify the majority of higher risk conditions and transactions and positively authenticate those initiating consumers via a series of interactive questions designed to be more easily answered by a legitimate individual -- and more difficult for a fraudster.  Using knowledge-based authentication can provide the following values to your overall process:

1. Consistency: Utilizing a hosted and standard process can reduce potential subjectivity in decisioning.  Subjectivity is not a friend to examiners or to your bottom line.

2. Measurability: Question performance and reporting allows for ongoing monitoring and optimization of decisioning strategies.  Plus, examiners will appreciate the metrics.

3. Customer Experience: This is a buzzword these days for sure.  Better to place a customer through a handful of interactive questions, than to ask them to fax in documentation --or to take part in a face-to-face authentication.

4. Cost: See the three values above…Plus, a typical knowledge-based authentication session may well be more cost effective from an FTE/manual review perspective.

Now, keep in mind that the use of knowledge-based authentication is certainly a process that should be approved by your internal compliance and legal teams for use in your Red Flags Identity Theft Prevention Program.  That said, with sound decisioning strategies based on authentication question performance in combination with overall authentication results and scores, you can be well-positioned to positively progress the vast majority of consumers into profitable accounts and transactions without incurring undue costs.