Let’s hope so. For awhile this blog has relayed the dangers of using shared secret questions as a means of authenticating customers. And based on some of the articles from those who were able to review the preliminary draft of the long awaited FFIEC updated Guidance on Authentication in an Internet Banking Environment, it seems the government might also share our concerns.
In Bankinfosecurity.com’s first look article, they report that there is a section in the preliminary draft of the guidelines related to challenge questions which addresses a need for more secure questions than items like “What’s your mother’s maiden name” etc.
The need for stronger challenge questions is also noted, as yet another layer institutions can use to authenticate and identify a device and a user. Too much basic information – birthdates, birthplaces, family names – is already available via social networks, so challenge questions built around those answers are no longer deemed effective. Instead, the draft guidance recommends more sophisticated queries such as asking the user to name or list previously owned vehicles or registered domain names – questions an imposter would find difficult to answer.
IDology offers a sophisticated out-of-wallet solution that asks consumers questions based on their personal history (e.g. places you’ve lived, cars you’ve owned, people you know). The industry push back for using out-of-wallet questions on transactions where shared secrets are typically used (e.g. password resets or account changes) is that it isn’t cost effective. This is because these type of dynamic knowledge based authentication (KBA) questions are generated by accessing data provided from a third party data provider, not from information the consumer provides when signing up for account.
This concern might be contributing to banks anxiously awaiting the final guidance updates. It’s also one of several reasons we launched our ExpectID Customer Based Authentication product, which allows a bank to create custom out-of-wallet questions based on their own internal data, thus eliminating the data costs associated with using out-of-wallet questions.
It’s been since 1995 since the guidelines were issued. And while an update is expected to be released in the coming months, it’s those that aren’t waiting for guidelines to dictate security that are poised to beat fraud. As Aite analyst Julie Conroy McNelley wrote in her blog earlier this year:
the bad actors creating the malware aren’t waiting for new FFIEC guidance to come out; on the contrary, they are working every day to devise new ways to compromise accounts and steal money. Businesses and FIs should not wait to take action.