Information Security

Defending the digital infrastructure



Knowledge-based authentication poses privacy issues

Knowledge-based authentication helps catch fraud, but the authentication technology poses customer privacy issues.

Long, frigid winters and tough regulations forbidding utility companies from shutting off customers during the cold winter months drove a Midwestern oil company to use knowledge-based authentication (KBA) to root out fraudsters.

The company, which didn't want to reveal its identity, experienced a sudden influx of new customers just before the winter. Once it got a KBA system up and running, call center operators posed a series of multiple choice questions to people seeking new accounts. Those who could answer the questions verifying their identities were set up with service while fraudsters trying to activate delinquent accounts under fake names were quickly rooted out.

"People with large unpaid bills were trying to get their service turned back on for the winter," says Joram Borenstein, senior product marketing manager in RSA's identity and access assurance group; RSA, the security division of EMC, provides the authentication service. "While it's tough to deny heat to someone, you can't stay in business if people are trying to defraud the system."

Dynamic knowledge-based authentication, the technology that has given many financial firms a way to verify customers before approving high-risk transactions, is now being used by a broader number of firms from e-commerce websites to hospitals and telecommunications companies.

As the technology hits prime time, it is being used to verify more people, and firms using it for the first time quickly learn that some of the questions returned by KBA systems can be too probing. To eliminate false positives, the vendors behind the algorithms that generate verification questions are trying to keep them sharp by tapping an ever-expanding set of data sources, from credit bureau information to house sale data. Ezzie Schaff thinks social networks are next, and that could rouse privacy advocates.

Schaff, vice president of risk management at online jeweler, said he has been very cautious to ensure that his company's 16 call center operators don't turn away customers by asking prying questions. Schaff says he conducted background checks before hiring the operators, who use KBA when handling credit applications. Operators also receive extensive training so they know when to ask a question and when a question digs too deeply into a customer's privacy.

"With the advent of proxy servers and proxy IPs it is getting easier and easier for people to mask their ID and their location, so we have to verify they are who they say they are," Schaff says. "At the same time, we don't want to have upset customers. It's a fine balancing act."

In 2007 RSA acquired Verid, a technology that mines databases and uses a proprietary algorithm to generate verification questions. RSA's Borenstein says the company is expanding its data sources; it recently added data from boat and airplane sales and leasing databases. But he stopped short of saying that data from social networks would be mined next.

Social networks themselves don't keep extensive records on account holders, but Twitter, Facebook and LinkedIn work with third-party analytics vendors such as Omniture (now part of Adobe Systems), DoubleClick and Google Analytics -- firms that use browser cookies, which could be used to build a unique profile of a person.

A study released last summer by researchers at Worcester Polytechnic Institute (WPI) and AT&T Labs found social networks inadvertently leaking user identities. The research worries privacy advocates who say the account numbers could be coupled with browsing data and retained in databases. Peter Eckersley, a staff technologist at the Electronic Frontier Foundation, says the study is an example of the erosion of privacy and that most people don't even know the extent to which their Internet activity is being tracked.

Whether KBA technologies begin to filter in a person's Internet activity by tapping into the data held by third-party analytics firms, or somehow mining an individual's Internet presence on Twitter, Facebook and other websites, is yet to be seen. But RSA competitor TriCipher also sees the future of authentication getting more personal. Vatsal Sonecha, TriCipher vice president of business development and product management, says library or video rental records could offer valuable data to help verify an individual's identity. However, Sonecha says he has not seen "large-scale implementations go down that path."

As knowledge-based questions get more personal, Mark Diodati, a senior analyst at Burton Group, says merchants and other users of the technology must handle private data responsibly or risk losing their customers' trust. As Diodati puts it, call center operators don't have to use probing questions that may be too sensitive for the customer; they can tap the KBA system for less sensitive questions.
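As an added illustration, not part of the original article and not RSA's or any vendor's product code, here is a hypothetical question-selection policy that captures Diodati's point: ask the least sensitive questions that still reach the assurance the transaction needs, and escalate to another method rather than reach for a more intrusive question. Every question, data source, sensitivity tier and assurance weight below is constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    choices: Tuple[str, ...]
    answer: str        # correct choice, known only to the KBA system
    source: str        # data source the question was generated from
    sensitivity: int   # assumed scale: 1 = public record ... 5 = intimate financial detail
    assurance: float   # assumed evidence weight toward verifying identity


# Constructed sample pool; the sources echo the article, the values are made up.
POOL: List[Question] = [
    Question("q1", "Which of these streets have you lived on?",
             ("Elm St", "Oak Ave", "Lake Rd", "None of these"), "Oak Ave",
             "address history", 2, 0.30),
    Question("q2", "In which county was your home purchased?",
             ("Cook", "Hennepin", "Dane", "None of these"), "Hennepin",
             "house sale records", 2, 0.35),
    Question("q3", "Which lender holds your auto loan?",
             ("Bank A", "Bank B", "Credit Union C", "None of these"), "Bank B",
             "credit bureau", 3, 0.40),
    Question("q4", "Which boat did you lease in 2008?",
             ("Bayliner", "Sea Ray", "Boston Whaler", "None of these"), "Sea Ray",
             "boat lease records", 3, 0.30),
    Question("q5", "What is the approximate balance of your mortgage?",
             ("$50k-100k", "$100k-200k", "$200k-300k", "None of these"), "$100k-200k",
             "credit bureau", 5, 0.50),
]


def select_questions(pool: List[Question], required_assurance: float,
                     max_sensitivity: int, limit: int = 4) -> Optional[List[Question]]:
    """Return the least sensitive question set that reaches required_assurance, or None
    when the privacy budget (max_sensitivity, set by transaction risk) cannot get there;
    the caller should then escalate to another verification method, not a pricier question."""
    eligible = [q for q in pool if q.sensitivity <= max_sensitivity]
    # Greedy: lowest privacy cost per unit of assurance first, ties broken by sensitivity.
    eligible.sort(key=lambda q: (q.sensitivity / q.assurance, q.sensitivity))
    chosen, total = [], 0.0
    for q in eligible:
        if total >= required_assurance or len(chosen) >= limit:
            break
        chosen.append(q)
        total += q.assurance
    return chosen if total >= required_assurance else None


def verify(chosen: List[Question], answers: Dict[str, str], max_wrong: int = 1) -> bool:
    """Pass if the applicant misses at most max_wrong of the questions actually asked."""
    wrong = sum(1 for q in chosen if answers.get(q.qid) != q.answer)
    return wrong <= max_wrong
```

With a sensitivity cap of 3 the selector settles on the address, house-sale and auto-loan questions and never touches the mortgage balance; with a cap of 2 it returns None, signalling that the operator should escalate rather than pry.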

Robert Westervelt is the news editor of
