Last Updated: 2007-10-11 10:33:46 UTC
by Lenny Zeltser (Version: 4)
A recent question on the GIAC-Alumni mailing list asked about the mechanisms financial institutions use to authenticate customers calling on the phone. I wanted to pose the question to the wider audience of ISC readers, in case we can summarize some of the best practices regarding this challenge. What have you observed? If you set up such a system, what are some of the recommendations you'd make to other financial institutions based on your experience?
Many organizations use "mother's maiden name" as the standard phone password, combined with additional questions about the caller's address, phone numbers, and perhaps the last four digits of the social security number. Unfortunately, such personal details are not difficult for the scammers to obtain. Some organizations assign a phone PIN; in this case, they still need to develop procedures for situations when the caller forgets the PIN.
I recently called my financial institution without specifying the PIN. They asked me to answer a multiple choice quiz of 4 questions. The quiz was based on data from my credit profile, and inquired about transactions or company names from my profile that had nothing to do with the institution I was calling. A common alternative is to ask about recent transactions the customer had with that institution; this works particularly well with accounts that have a high volume of transactions.
I am not sure how I feel about the credit profile-based method of authentication: On the one hand, an impostor would not know those answers without seeing the victim's credit profile. On the other hand, it's not too difficult for an impostor to get the credit profile.
I am also concerned about internal fraud: how could the financial institution's employee misuse the information he or she is using to authenticate the caller? I like the idea of being prompted for recent transactions with the organization. That information has a built-in expiration date (it will not matter much a few months from now), while personal information such as a social security number and date of birth will not expire.
Financial websites are beginning to ask personal questions of an unusual nature, such as "What's your father's uncle's name?" or "What car does your best friend drive?" or "What's your favorite spice to cook with?" It's nice that they are moving beyond the standard "mother's maiden name" question, but now I wonder how long until the customer's details get leaked and someone builds a profile on the customer that includes information not only about his relatives' names, but also about his cooking preferences and his friends' possessions. What an attractive target for scammers such a profile would be!
If you can share with us caller authentication mechanisms that have worked particularly well or badly for you, tell us.
Update 1: ISC readers Eugene and Brian wrote in to remind us that users don't need to provide real information to questions such as "What's your mother's maiden name?" The user can, instead, pick a hard-to-guess password of his or her choice. This will help protect your identity should such information leak out. As always, the challenge with lying is staying consistent in your answers every time they ask the question.
Update 2: Jason wrote in to share his bank's practice of using caller ID as an additional check. If the caller's phone number doesn't match the one on file, the caller needs to provide additional identifying information, such as the amount of the last deposit, the answer to a "secret question," the recipient of a recently-written check, and so on. My concern with taking caller ID into account to authenticate the user is the ease with which caller ID can be spoofed via a service such as SpoofCard. Note: Brent pointed out that if the bank uses a WATS line (1-800, 1-888, etc.) number, they are not relying on caller ID, but rather on ANI (Automatic Number Identification). While ANI may be more difficult to spoof than caller ID, there are indications that it is still susceptible to spoofing.
Ken shared with us a strategy that involves some out-of-band authentication of the caller, for instance sending an email or an SMS message. This could be used as an extra factor when verifying the user's identity. The bank could also call the caller back at the number that is on file. Some banks are looking into such options, as mobile banking continues to gather steam. ISC handler Steve pointed out that in countries with high mobile device penetration, scammers already circumvent such out-of-band checks by obtaining a SIM replica that allows them to impersonate the victim.
Gabriel told us about a strategy a phone company uses to comply with CPNI (Customer Proprietary Network Information) rules, which mandate the verification of the caller identity through a secure, non-account related password attached to the caller's account. If the caller cannot provide this password, the company calls the customer back at a home phone number on file for the caller. This has to be a home number; a work number or a mobile number is not sufficient. (Though nowadays VoIP call routing can bypass that last restriction.)
Neal pointed us to an excellent talk on on-line authentication weaknesses, which Brendan O'Connor presented at Defcon 15. Brendan covered several authentication mechanisms that also apply to phone-based authentication. One limitation of authentication systems that pull from a fixed set of multiple-choice questions to validate the user is that the scammer can call multiple times to determine the right answer: such systems often change the wrong answers to multiple choice questions between calls, so the only choice that is always present is the right answer.
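To show how a bank could test its own quiz generator for this weakness, here is an added example (not from the diary or from Brendan's talk) that simulates the two designs: rotating decoys, where the correct answer is the only option common to every call, and decoys fixed per customer, where repeated calls reveal nothing. The question, answer pool, customer id and server salt are all constructed values.

```python
import hashlib
import random

# Constructed sample question (not from the diary): one correct answer and a pool of decoys.
QUESTION = "Which of these lenders have you held an account with?"
CORRECT = "Lender A"
DECOY_POOL = ["Lender B", "Lender C", "Lender D", "Lender E", "Lender F", "Lender G"]
OPTIONS_PER_QUIZ = 4

# Hypothetical server-side secret used to derive per-customer decoys in the hardened design.
SERVER_SALT = b"constructed-example-salt"


def quiz_rotating_decoys(rng):
    """Weak design from the diary: the correct answer is always shown,
    but the wrong answers are re-drawn from the pool on every call."""
    options = [CORRECT] + rng.sample(DECOY_POOL, OPTIONS_PER_QUIZ - 1)
    rng.shuffle(options)
    return options


def quiz_fixed_decoys(customer_id, rng):
    """Hardened design: decoys are derived deterministically per customer, so
    repeated calls show the same set and the correct answer is no longer the only constant."""
    seed = hashlib.sha256(SERVER_SALT + customer_id.encode()).hexdigest()
    decoys = random.Random(seed).sample(DECOY_POOL, OPTIONS_PER_QUIZ - 1)
    options = [CORRECT] + decoys
    rng.shuffle(options)  # display order may still vary; the set of options does not
    return options


def options_surviving_all_calls(option_sets):
    """Defender's check: which options appear in every observed quiz?
    If this shrinks to a single element, the quiz leaks the answer to a repeat caller."""
    surviving = set(option_sets[0])
    for options in option_sets[1:]:
        surviving &= set(options)
    return surviving


def simulate(design, n_calls, seed=1, customer_id="cust-0001"):
    """Generate n_calls quizzes under the given design and intersect them."""
    rng = random.Random(seed)
    if design == "rotating":
        sets = [quiz_rotating_decoys(rng) for _ in range(n_calls)]
    else:
        sets = [quiz_fixed_decoys(customer_id, rng) for _ in range(n_calls)]
    return options_surviving_all_calls(sets)


if __name__ == "__main__":
    print("rotating decoys, 20 calls:", simulate("rotating", 20))
    print("fixed decoys, 20 calls:   ", simulate("fixed", 20))
```

Fixing the decoy set closes this particular leak but not guessing: the quiz still needs an attempt limit per account, since a caller who gets unlimited tries at a 4-option quiz does not need to intersect anything.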
Alex told us that some banks are looking into biometrics (voice print) as a mechanism for helping to authenticate the user. I wonder whether the technology to accomplish this is mature enough. Also, people have been resistant to biometric authentication, often feeling that it violates their privacy beyond what they consider acceptable. Another ISC reader, John, told us about one company that creates voice verification technology, which his financial institution has been evaluating. According to John, the caller simply repeats a sequence of numbers and the system compares the voiceprint to the one on file, with acceptable accuracy even over mobile phones.
Security Consulting - SAVVIS, Inc.