
SANS ISC: How to authenticate customers on the phone? SANS ISC InfoSec Forums

How to authenticate customers on the phone?

A recent question on the GIAC-Alumni mailing list asked about the mechanisms financial institutions use to authenticate customers calling on the phone. I wanted to pose the question to the wider audience of ISC readers, in case we can summarize some of the best practices regarding this challenge. What have you observed? If you set up such a system, what are some of the recommendations you'd make to other financial institutions based on your experience?

Many organizations use "mother's maiden name" as the standard phone password, combined with additional questions about the caller's address, phone numbers, and perhaps the last four digits of the social security number.  Unfortunately, such personal details are not difficult for the scammers to obtain. Some organizations assign a phone PIN; in this case, they still need to develop procedures for situations when the caller forgets the PIN.

I recently called my financial institution without specifying the PIN. They asked me to answer a multiple choice quiz of 4 questions. The quiz was based on data from my credit profile, and inquired about transactions or company names from my profile that had nothing to do with the institution I was calling. A common alternative is to ask about recent transactions the customer had with that institution; this works particularly well with accounts that have a high volume of transactions.

I am not sure how I feel about the credit profile-based method of authentication: On the one hand, an impostor would not know those answers without seeing the victim's credit profile. On the other hand, it's not too difficult for an impostor to get the credit profile.

I am also concerned about internal fraud: how could the financial institution's employee misuse the information he or she is using to authenticate the caller? I like the idea of being prompted for recent transactions with the organization. That information has a built-in expiration date (it will not matter much a few months from now), while personal information such as a social security number and date of birth will not expire.
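The recent-transaction quiz discussed above, with the freshness window and expiry that make it preferable to static personal data, as an added example that is not part of the diary or of any institution's system: the transactions, merchant names, 30-day window, 5-minute challenge lifetime and 3-attempt cap are all constructed assumptions chosen for illustration.

```python
from datetime import date, datetime, timedelta
import random

# Constructed sample data (not from the diary): one customer's recent card
# transactions with the institution, plus merchants the customer has NOT
# used, which serve as decoy answers.
SAMPLE_TRANSACTIONS = [
    {"date": date(2007, 10, 8), "merchant": "Corner Grocery", "amount": 42.17},
    {"date": date(2007, 10, 3), "merchant": "City Fuel Stop", "amount": 61.00},
    {"date": date(2007, 9, 30), "merchant": "Northside Pharmacy", "amount": 18.49},
    {"date": date(2007, 6, 12), "merchant": "Lakeside Hardware", "amount": 120.00},
]
DECOY_MERCHANTS = ["Harbor Books", "Maple Cafe", "Summit Electronics",
                   "Riverside Florist"]

WINDOW_DAYS = 30                      # only transactions this recent count as secrets
CHALLENGE_TTL = timedelta(minutes=5)  # an issued challenge expires quickly
MAX_ATTEMPTS = 3                      # cap on guesses per challenge


def recent_transactions(transactions, today, window_days=WINDOW_DAYS):
    """Transactions inside the freshness window, newest first."""
    cutoff = today - timedelta(days=window_days)
    return sorted((t for t in transactions if cutoff <= t["date"] <= today),
                  key=lambda t: t["date"], reverse=True)


def build_challenge(transactions, now, rng, n_choices=4):
    """Build one multiple-choice question from a real recent transaction.

    Returns None when the account has no recent activity, so the agent must
    fall back to another method rather than quiz the caller on stale data.
    """
    recent = recent_transactions(transactions, now.date())
    if not recent:
        return None
    real = rng.choice(recent)
    # Decoys must exclude every merchant the customer has actually used;
    # otherwise someone holding an old statement could rule them out.
    used = {t["merchant"] for t in transactions}
    decoys = [m for m in DECOY_MERCHANTS if m not in used]
    choices = rng.sample(decoys, n_choices - 1) + [real["merchant"]]
    rng.shuffle(choices)
    return {
        "question": "Which of these merchants did you pay in the last "
                    "%d days?" % WINDOW_DAYS,
        "choices": choices,
        "answer": real["merchant"],  # stays server-side, never read to the caller
        "issued": now,
        "attempts": 0,
    }


def verify_answer(challenge, chosen, now):
    """Check one answer; returns (accepted, reason) and counts the attempt."""
    if now - challenge["issued"] > CHALLENGE_TTL:
        return False, "expired"
    if challenge["attempts"] >= MAX_ATTEMPTS:
        return False, "locked"
    challenge["attempts"] += 1
    if chosen == challenge["answer"]:
        return True, "ok"
    return False, "wrong"


def demo(seed=7):
    """Run the whole flow on the constructed data and return a summary."""
    rng = random.Random(seed)
    now = datetime(2007, 10, 10, 9, 0)
    ch = build_challenge(SAMPLE_TRANSACTIONS, now, rng)
    wrong = next(c for c in ch["choices"] if c != ch["answer"])
    results = {
        "choices": ch["choices"],
        "answer": ch["answer"],
        "wrong_then_right": [verify_answer(ch, wrong, now)[1],
                             verify_answer(ch, ch["answer"], now)[1]],
        "expired": verify_answer(ch, ch["answer"], now + timedelta(minutes=6))[1],
        # An account with no activity in the window yields no question at all.
        "no_recent": build_challenge(SAMPLE_TRANSACTIONS, datetime(2008, 1, 1), rng),
    }
    # A fresh challenge hammered with wrong answers locks after MAX_ATTEMPTS.
    ch2 = build_challenge(SAMPLE_TRANSACTIONS, now, rng)
    wrong2 = next(c for c in ch2["choices"] if c != ch2["answer"])
    results["lockout"] = [verify_answer(ch2, wrong2, now)[1]
                          for _ in range(MAX_ATTEMPTS + 1)]
    return results


if __name__ == "__main__":
    summary = demo()
    print("Choices offered:", summary["choices"])
    print("Outcomes:", summary["wrong_then_right"], summary["expired"],
          summary["lockout"])
```

A single four-way question is guessable one time in four, which is why an institution would chain several such questions (the diary's quiz used four) and cap attempts; the example also refuses to build a question when the account has no activity inside the window, which is the low-volume-account case the diary notes, and a wrong answer never reveals which choice was real.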

Financial websites are beginning to ask personal questions of an unusual nature, such as "What's your father's uncle's name?" or "What car does your best friend drive?" or "What's your favorite spice to cook with?" It's nice that they are moving beyond the standard "mother's maiden name" question, but now I wonder how long until the customer's details get leaked and someone builds a profile on the customer that includes information not only about his relatives' names, but also about his cooking preferences and his friends' possessions. What an attractive target for scammers such a profile would be!

If you can share with us caller authentication mechanisms that have worked particularly well or badly for you, tell us.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.


Oct 10th 2007
