After almost 6 months the long anticipated FFIEC guidelines update has been issued. And as suspected, shared secret questions (What’s your mother’s maiden name? What’s your favorite food?) are not enough anymore. Banks should deploy out-of-wallet technologies (aka dynamic knowledge based authentication) which are more stronger and more effective. Here is the section to challenge questions from the Unabridged Release from the U.S. Banking Regulatory Agencies:
Many institutions use challenge questions as a backup in the event that the primary logon authentication technique becomes inoperable or presents an unexpected characteristic. The provision of correct responses to challenge questions can also be used to re-authenticate the customer or verify a specific transaction subsequent to the initial logon. Similar to device identification, challenge questions can be implemented in a variety of ways that impact their effectiveness as an authentication tool. In its basic form, the user is presented with one or more simple questions from a list that was first presented to the customer when they originally enrolled in the online banking system. These questions can often be easily answered by an impostor who knows the customer or has used an Internet search engine to get information about the customer [e.g., mother’s maiden name, high school the customer graduated from, year of graduation from college, etc.]. In view of the amount of information about people that is readily available on the Internet and the information that individuals themselves make available on social networking websites, institutions should no longer consider such basic challenge questions, as a primary control, to be an effective risk mitigation technique.
Challenge questions can be implemented more effectively using sophisticated questions. These are commonly referred to as “out of wallet” questions, that do not rely on information that is often publicly available. They are much more difficult for an impostor to answer correctly. Sophisticated challenge question systems usually require that the customer correctly answer more than one question and often include a “red herring” question that is designed to trick the fraudster, but which the legitimate customer will recognize as nonsensical. The Agencies have also found that the number of challenge questions employed has a significant impact on the effectiveness of this control. Solutions that use multiple challenge questions, without exposing all the questions in one session, are more effective. Although no challenge question method can mitigate all threats, the Agencies believe the use of sophisticated questions as described above can be an effective component of a layered security program.
We’ve long discussed the security and effectiveness of shared secrets v dynamic KBA. Ultimately the problems with shared secrets led us to launch a new product earlier this year that is intended to allow banks to use out-of-wallet questions using their own proprietary data (we already have a solution that is based on external data sources).
With the deadline just six months away, and many other factors to consider beyond challenge questions, one can probably already smell coffee brewing to help fuel many Bank’s IT departments. Thankfully with all of IDology’s dynamic KBA solutions (ExpectID IQ or ExpectID Customer Based Authentication) the hardest thing about implementing them is just making the decision to change.