Authenticate, Don’t Irritate: Fraud Prevention Requires a Balancing Act

Don't get too personal when requiring customers to verify their identity.

March 12, 2013

We’ve all bristled when asked for just a bit too much personal information, whether it’s a retailer requesting a phone number when an item is returned (you didn’t need my number when I paid you) or a request, made most anywhere, for a Social Security number.

Verifying, or authenticating, identity is the cornerstone of fraud prevention. It is also an area of great sensitivity, as people are understandably guarded about sharing their personal information.

Showing a photo ID when cashing a check or boarding a plane is generally accepted, while being asked to share the names of your children on a website crosses the line.

The challenge for organizations aiming to reduce fraud in the age of identity theft is to understand what crosses the line between fraud prevention and customer alienation—a line that is constantly shifting.

Few businesses find themselves more squarely in the middle of this challenge than the financial services industry. Much of the industry’s success happens behind the scenes; businesses don’t readily report every instance in which a nefarious attempt to breach customer information has been thwarted.

It is more likely that a customer’s only exposure to fraud prevention occurs when he or she is inconvenienced by it.

Identity verification in the digital age

Authentication measures have advanced as more transactions, and more fraud attempts, are conducted electronically. Beyond simple password authentication with user names and personal identification numbers, there are increasingly strong methods of identity verification. These range from layered authentication (a password plus a challenge question, both of which are things the user knows) and true multi-factor authentication (a password plus a one-time code from a token the user possesses) to biometric authentication (fingerprints or iris scans).

Of course, the more robust means of identity verification run the risk of crossing that sensitivity line, intruding on a sense of privacy. Few customers would willingly submit a DNA sample before doing their online holiday shopping.

Additional validation techniques include “device identification,” which recognizes the source device used to conduct an online transaction. The goal of this practice is to assign attributes to a digital device and to connect that identity to an individual.
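As an added example (not code from the article or from any Experian product), the following Python shows how device identification is typically combined with step-up authentication so that a recognised device gets the least friction and an unrecognised one triggers a second factor. The attribute names, the HMAC key, the risk weights and the in-memory user store are all illustrative assumptions; a production system would draw on far more signals and persist trust decisions server-side.

```python
"""Device recognition feeding a risk-based step-up authentication policy.

Added example, not the article's or Experian's code. Attribute names,
thresholds and the key below are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed server-side secret (constructed placeholder). Load it from a secrets
# store in practice; keying the hash stops the same device from producing the
# same identifier across unrelated deployments.
SERVER_KEY = b"example-only-key-replace-in-production"

# Constructed attribute set of the kind a browser or SDK reports.
LAPTOP = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/19.0",
    "screen": "1920x1080",
    "timezone": "America/Chicago",
    "languages": "en-US,en",
}


def device_fingerprint(attrs: dict, key: bytes = SERVER_KEY) -> str:
    """Return a stable, deployment-specific identifier for a device attribute set.

    Attributes are canonicalised as sorted key=value lines so ordering does not
    matter. A fingerprint is a recogniser, not a secret: anyone who reproduces
    the attributes reproduces it, so it may lower friction but never replaces
    a factor.
    """
    canonical = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs)).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


@dataclass
class UserRecord:
    home_country: str = "US"
    trusted_devices: set = field(default_factory=set)


@dataclass
class StepUpPolicy:
    """Decide how much authentication a request needs from a few risk signals."""

    users: dict = field(default_factory=dict)
    high_value_threshold: float = 1000.0

    def _user(self, user_id: str) -> UserRecord:
        return self.users.setdefault(user_id, UserRecord())

    def risk_score(self, user_id: str, fingerprint: str, country: str, amount: float) -> int:
        user = self._user(user_id)
        score = 0
        if fingerprint not in user.trusted_devices:
            score += 2  # unrecognised device is the strongest signal here
        if country != user.home_country:
            score += 1  # geography differs from the user's usual location
        if amount >= self.high_value_threshold:
            score += 1  # high-value transaction
        return score

    def required_factors(self, user_id: str, fingerprint: str, country: str, amount: float) -> list:
        """Map the risk score to the challenges the customer must complete."""
        score = self.risk_score(user_id, fingerprint, country, amount)
        if score == 0:
            return ["password"]
        if score <= 2:
            return ["password", "otp"]
        return ["password", "otp", "hold_for_review"]

    def trust_device(self, user_id: str, fingerprint: str) -> None:
        """Remember a device only after the user passed the stepped-up challenge on it."""
        self._user(user_id).trusted_devices.add(fingerprint)


if __name__ == "__main__":
    policy = StepUpPolicy()
    fp = device_fingerprint(LAPTOP)
    print("first login from new laptop:", policy.required_factors("alice", fp, "US", 50.0))
    policy.trust_device("alice", fp)
    print("same laptop next time:", policy.required_factors("alice", fp, "US", 50.0))
    print("trusted laptop, abroad, large amount:", policy.required_factors("alice", fp, "FR", 5000.0))
    print("unknown device, abroad, large amount:", policy.required_factors("alice", "unknown", "FR", 5000.0))
```

The device is only added to the trusted set after the customer has completed the stepped-up challenge once, which is the mechanism behind the familiar "remember this device" prompt: the second factor is still demanded whenever the fingerprint, location or amount looks unfamiliar, but a returning customer on a known device sees nothing more than a password.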

Collectively, these systems fall under the broader category of identity management, which refers to “the combination of technical systems, rules, and procedures that define the ownership, utilization, and safeguarding of personal identity information,” per the National Science and Technology Council’s task force report on the subject.

For the developers and cryptographers tasked with protecting information, there are numerous governing bodies dedicated to creating, testing, and improving identity validation standards. Among these coalitions of government and private stakeholders is the non-profit Kantara Initiative.

A related effort is under way through the U.S. Government’s CIO Council, which has formed the Federal Identity, Credential, and Access Management (FICAM) group. Participants include the Department of Homeland Security, the National Institute of Standards and Technology, and the Drug Enforcement Administration.

These organizations are working cooperatively to address challenges and establish frameworks for cyber-security and remote authentication.

One deliverable of the FICAM and Kantara efforts has been the establishment of assurance levels, which describe the degree to which a relying party in an electronic transaction can be confident that the identity information presented to it is legitimate. The scale gives organizations a common way to state how much confidence a given identity-proofing and authentication process provides, and to match that confidence to the sensitivity of the transaction.

Some of these tested tools are in place today. For example, the Social Security Administration (SSA) is deploying identity proofing as part of the authentication protection for individuals accessing their Social Security earnings and benefit information through the agency's online statement. An identity verification tool, Precise ID from Experian, gives the SSA an additional layer of security.

The Precise ID platform, which performs predictive risk assessments through a combination of identity verification methods, has achieved FICAM recognition at Assurance Level 3. That connotes “high” confidence in the validity of the information, the second-highest rung on the four-level scale.

Minimizing customer friction

Data and analytics experts understand that once adequate security measures are in place, an authentication system must also weigh its impact on the users who access the data.

This gets to the heart of what businesses and government agencies strive to accomplish: ensuring security while at the same time offering well-intentioned customers unfettered access.

The key to approaching this delicate balance is to look at authentication from the customer’s viewpoint. A bank may well understand that a two-factor authentication system protects its customers as much as it does the financial institution, but the customer may not know why the bank is asking for the name of her high school mascot.

It is imperative that customers fully understand why the information is needed, and how it protects their interests.

Explain why information is needed

To better understand the types of authentication a customer is likely to accept before being put off by the process, Experian has convened a series of focus groups asking participants to report which security methods they found acceptable. The results were a definitive “it depends.”

Consumers agree that requests for proper authentication are becoming ubiquitous, whether conducting transactions in person, over the telephone, or over the Internet. For the most part, consumers recognize that providing information that confirms their identity is a necessary part of preventing fraud and abuse.

They do, however, expect that any requests for personal data be reasonable.

The focus groups revealed demographic differences in respondents’ acceptance of authentication measures. Midwestern consumers were more receptive to a broad range of authentication questions, while consumers from larger metropolitan areas such as New York were more skeptical.

Older consumers, who tend to be less familiar with technology in general, were found to be as accepting of verification questions as their younger counterparts. In fact, older (perhaps wiser) respondents were much more open to authentication when it was clear to them that the process helps protect their financial, Social Security, or health-care information.

The following are actual respondent comments, which offer a good sense of consumer perceptions regarding authentication questions:

  • “Some personal information is OK because it’s not private anyway—the default on Facebook has your high school and university.”
  • “Don’t ask questions about my family or relationships.”
  • “Don’t get personal, like the number of bedrooms in my house. That’s none of your business.”
  • “Questions about my children are off-limits.”
  • “Ask me personal questions to determine who I am, but don’t get too personal about things you shouldn’t know, or wouldn’t know from public records—unless you explain to me how you know it!”

Authentication will become more prevalent

Great effort is being spent in the battle against identity theft and fraud. Yet less attention is paid to how security processes are perceived by customers.

While protecting clients is paramount, good customer service shouldn’t be sacrificed in the process.

As transactions of all types move online, there is a need for increasingly powerful security measures. For businesses and government agencies, these tools are critical to protecting client information.

But for the customer, these measures can be seen as unnecessary and intrusive obstacles to their online commerce.

Authentication measures are no longer only about preventing identity theft, but also about protecting data of all sorts. It is now common to be required to prove both one’s identity and a legitimate reason for access before information is released. Organizations should nonetheless be mindful of their clients’ sensitivity regarding personal data.

As authentication becomes more prevalent in the workplace and in public buildings such as schools and hospitals, and as digital commerce of all types grows, people will become more familiar with the required safeguards.

With this increased awareness, consumers will accept a reasonable degree of intrusion, provided that they clearly understand that the requested information is being used expressly to protect their best interests.

KEIR BREITENFELD is senior director of fraud and identity solutions for Experian Decision Analytics.