Why KBA questions aren’t the best practice in online banking

By reducing reliance on the customer to validate identity through data input, institutions are actually reducing the surface area that fraudsters can exploit.


Knowledge-based authentication (“KBA”), sometimes referred to as “out of wallet” questions, has historically been used in the financial services industry as a key data point in many institutions’ customer identification programs.

In essence, the premise is that an institution may authenticate an individual by challenging them to answer a series of questions generated from “private” historical data on the individual – questions that could not be answered simply by stealing someone’s wallet.

Questions are typically generated from public and private data sources such as credit reports, prior financial history and government databases. For example:

  • What was the make and model of your first car?
  • What street did you live on in 2001?
  • In which state was your Social Security number issued?

However, the efficacy of KBA has been declining over time, both as a result of the greater public availability of once-private data and KBA’s susceptibility to fraudulent actors.

Why doesn’t KBA work anymore?

At its most basic level, KBA has been heavily compromised by the availability of data online, both through individuals freely sharing more of their personal information across websites and social media platforms and through a series of recent high-profile data security breaches.

Specifically, as our friend Charles Hearn at Alloy found, the availability of once-private data in the public realm (driven largely by the prevalence of social media) has meant that KBA can be easily spoofed by simple search-engine research.

In addition, more sophisticated fraudsters are able to procure deeper financial data on millions of Americans following the Equifax breach in 2017 and the earlier compromise of KBA databases themselves in 2013.

Better banking solutions to KBA questions

A better way to combat identity theft is to rely more heavily on third-party data sources instead of user input. While a fraudster can guess, research or spoof KBA, it’s significantly harder to do the reverse – create synthetic identities within third-party data sources.

In fact, by taking the information collected from a user, both directly entered (name, DOB, SSN, address, phone number, email, etc.) and passively gathered (browser type, IP address, linked bank account information), and comparing it to identity information available in the public and private spheres, you can build a more complete picture of someone’s identity.

Consider the following scenario: a customer is signing up for a checking account online from a computer in Ohio, but based on a physical address in Illinois and a mailing address in Florida. Their utility bills are paid in Illinois and their browser language is set to Russian. Unless your bank has access to real-time identity checks during the online account opening process, it would be nearly impossible to cross-reference all this data and determine with a high degree of accuracy whether this is a legitimate snowbird Russian-American retiree who lives between Florida and Illinois and happens to be visiting a family member in Ohio when they decide to open a new bank account, or whether this is fraudulent activity.

However, if you have the context that this applicant has a long-established address and financial history concurrently in Chicago and Florida, linked with validation (2FA) of the email address and/or phone number they are using to sign up, the identity picture becomes far more certain.
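To make the cross-referencing concrete, here is an added illustration (not MANTL’s or Alloy’s logic) that runs the scenario above through a small rule set: declared addresses, the session’s IP geolocation and browser language are checked against assumed third-party address history and 2FA results. The applicant record, the context records and the resolution rules are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Applicant:
    physical_state: str   # state of the declared physical address (user input)
    mailing_state: str    # state of the declared mailing address (user input)
    ip_state: str         # state the session IP geolocates to (passive signal)
    browser_lang: str     # browser Accept-Language value (passive signal)

@dataclass
class ThirdPartyContext:
    history_states: frozenset = frozenset()  # states with established address/financial history
    email_verified: bool = False             # applicant completed 2FA on the sign-up email
    phone_verified: bool = False             # applicant completed 2FA on the sign-up phone

def cross_reference(app: Applicant, ctx: ThirdPartyContext) -> dict:
    """Return elevated signals, which ones third-party context resolves, and a decision.
    Resolution rules are illustrative assumptions, not a vendor's scoring model."""
    declared = {app.physical_state, app.mailing_state}
    contact_verified = ctx.email_verified or ctx.phone_verified
    signals = {}            # signal name -> True if third-party context resolves it
    informational = []      # weak signals that are recorded but never block on their own
    if len(declared) > 1:
        # Two declared states is only a concern when records show no history in both.
        signals["split_addresses"] = declared <= ctx.history_states
    if app.ip_state not in declared:
        # Session origin away from every declared address: accept only when the
        # applicant has proven control of a sign-up contact channel via 2FA.
        signals["ip_outside_declared"] = contact_verified
    if not app.browser_lang.lower().startswith("en"):
        informational.append("non_local_browser_language")
    unresolved = sorted(name for name, resolved in signals.items() if not resolved)
    return {
        "signals": sorted(signals),
        "unresolved": unresolved,
        "informational": informational,
        "decision": "approve" if not unresolved else "manual_review",
    }

# Constructed sample matching the article's scenario: Ohio session, Illinois physical
# address, Florida mailing address, Russian browser language.
ARTICLE_APPLICANT = Applicant("IL", "FL", "OH", "ru-RU")
NO_CONTEXT = ThirdPartyContext()
WITH_CONTEXT = ThirdPartyContext(history_states=frozenset({"IL", "FL"}), email_verified=True)

if __name__ == "__main__":
    print("without third-party data:", cross_reference(ARTICLE_APPLICANT, NO_CONTEXT))
    print("with third-party data:   ", cross_reference(ARTICLE_APPLICANT, WITH_CONTEXT))
```

The same applicant goes to manual review without external context and is approved once address history and a verified contact channel corroborate the declared data; the browser language is kept only as an informational note.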

By reducing reliance on the customer to validate identity through data input, institutions are actually reducing the surface area that fraudsters can exploit. Coupling this strategy with extensive, real-time, third-party cross-referencing is driving significantly better compliance outcomes and significantly reducing fraud loss online.

MANTL partners with Alloy to offer real-time customer identity verification throughout its online account opening software to stop fraud before it happens. On average, our customers automate 92% of BSA/KYC/AML decisions and reduce fraud by 67%.

*A similar article has been previously posted in Alloy’s blog.

Learn how MANTL can help you increase operational efficiencies by automating BSA/KYC/AML decisions, marketing campaigns and deposit operations.
