When Roger Thompson, chief research officer of antivirus vendor AVG Technologies Inc., had his credit card declined while on a business trip in London, he was understandably irritated. His account had been flagged and suspended, he learned, due to unusual charges.
But the situation, at first an annoyance, quickly piqued his interest once the bank's call center operator posed a series of verification questions that only he could answer. Given a short list of names, he was asked to identify who he knew. To Thompson, the obvious answer was his daughter-in-law, maiden name and all.
"I was astonished they could make a connection between her and me," Thompson said. "She hasn't used her maiden name in eight years. It really was strange to me."
Knowledge-based authentication (KBA) questions have been used primarily by financial firms to verify customers in high-value transactions for nearly a decade. But today use of KBA has expanded. Many websites use a form of KBA in the registration process. When creating an account, users are asked to choose security questions that could be used as an additional authentication measure when changing account settings or resetting a password. Some enterprises are using KBA features in authentication systems as part of an additional verification step when resetting passwords.
More sophisticated KBA systems -- sold by EMC Corp.'s RSA Security division, TriCipher Inc., and other security vendors -- are being deployed by an increasing number of businesses trying to cut down on fraud. The KBA systems access a mixture of publicly available databases, such as those maintained by major credit bureaus. They use sophisticated algorithms to develop verification questions -- questions that technically could only be answered by the person conducting the transaction.
Ezzie Schaff, vice president of risk management at online jeweler Ice.com, sees the technology eventually mining an ever expanding amount of data. But while KBA is an important tool, he said it "needs to be handled delicately so no one has any issues."
Shaff's 16 call center agents use RSA's KBA software to verify customers enrolled in the company's credit program. Schaff said he's conducted extensive background checks and training to avoid irritating customers.
"It's been instrumental in cutting down fraud attempts, but at the same time you don't want to make your customers feel uneasy," Schaff said. "Our business has been growing leaps and bounds and with more and more orders there have been more sophisticated fraudsters."
The RSA KBA software taps into publicly available databases using a technology EMC acquired in 2007 called Verid. It uses sophisticated data mining algorithms to develop probing questions. Verid's competitor, Atlanta-based Idology Inc., provides similar access to mine semi-public databases for KBA and age-verification services. Idology partners with TriCipher's myOneLogin SaaS-based enterprise identity service.
Those behind KBA technology are constantly trying to boost its effectiveness, and that means call center operators can get questions they're required to pose to customers, putting them in potentially awkward situations.
"Many companies don't want to ask their customer about their ex-husband, so there's always a balancing act," said Mark Diodati, a senior analyst who researches identity and authentication issues for Midvale, Utah-based Burton Group. "But they have a choice to not use those kinds of questions."
Diodati said KBA can be useful for layered authentication when passwords are the primary authentication method, but stronger authentication mechanisms exist. Sometimes the questions are too easy and can be guessed.
Boosting KBA's effectiveness may also result in tapping into a wider number of databases, including those maintained by social networks and third-party marketing and Web analytics firms, which use cookie-tracking technology to learn about user Internet behavior.
Vatsal Sonecha, vice president of business development and product management at TriCipher, said some private databases could be attractive in the future because they offer fresh data on individuals that may be out of the hands of potential fraudsters. Whether security vendors will find the need to stir privacy concerns by turning to new data sources, he said, is a different story.
"There's multiple amounts of privately held data, such as library records or video rental records, but we have not seen any large-scale implementations go down this path," Sonecha said. "Data from location-based services could be leveraged for authentication quite nicely, but it starts getting into an area of responsible use of private data."
RSA is constantly adding new data sources, said Joram Borenstein, senior product marketing manager in RSA's identity and access assurance group. The most recently added data sources for data mining were boat and airplane sales and leasing databases, Borenstein said, adding that RSA's 220 KBA customers want an "intelligent questioning system and have no visibility and no interest where the data originates."
Businesses are also turning to KBA questions as an additional authentication procedure, though many are using a simpler form of KBA. With a team of 20 software developers and managers spread out across the United States, the Ferrilli Information Group, which provides business applications for universities and colleges, has new employees set up KBA questions for use when logging into the company's network.
Robert T. Ferrilli, the company's president and CEO, said using KBA helped add a layer of security to ensure the wrong people don't access his company's proprietary data or access sensitive student information.
"Whenever they authenticate from a PC without a certificate, the system will ask them knowledge-based questions in addition to their regular credentials," Ferrilli said.
With the expanding use of KBA, moving beyond verification at financial firms and into the healthcare and insurance industries and ecommerce sites, enterprises will need to strike the right balance to avoid prying questions that ruffle the feathers of privacy advocates and could potentially turn away customers. For Thompson, the credit card experience made him think of his own privacy and the greater issue of the potential for cybercriminals to hack into databases for their own nefarious purposes.
"It just proved to me that the privacy genie is out of the bottle," Thompson said. "I'm not sure anything can be done at this point."