Knowledge Based Authentication (KBA) best practices, Part 3

Published: December 14, 2009 by Andrew Gulledge

–by Andrew Gulledge

General configuration issues

Question selection– In addition to choosing questions that generally have a high percentage correct and fraud separation, consider any questions that would clearly not be a fit to your consumer population. Don’t get too trigger-happy, however, or you’ll have a spike in your “failure to generate questions” rate.

Number of questions– Many people use three or four out-of-wallet questions in a Knowledge Based Authentication session, but some use more or less than that, based on their business needs. In general, more questions will provide a stricter authentication session, but might detract from the customer experience. They may also create longer handling times in a call center environment. Furthermore, it is harder to generate a lot of questions for some consumers, including thin-file types. Fewer Knowledge Based Authentication questions can be less invasive for the consumer, but limits the fraud detection value of the KBA process.

Multiple choice– One advantage of this answer format is that it relies on recognition memory rather than recall memory, which is easier for the consumer. Another advantage is that it generally prevents complications associated with minor numerical errors, typos, date formatting errors and text scrubbing requirements. A disadvantage of multiple-choice, however, is that it can make educated guessing (and potentially gaming) easier for fraudsters.

Fill in the blank– This is a good fit for some KBA questions, but less so with others. A simple numeric answer works well with fill in the blank (some small variance can be allowed where appropriate), but longer text strings can present complications. While undoubtedly difficult for a fraudster to guess, for example, most consumers would not know the full, official and (correct spelling) of the nameto which they pay their monthly autopayment. Numeric fill in the blank questions are also good candidates for KBA in an IVR environment, where consumers can use their phone’s keypad to enter the answers.

Related Posts

Learn what a TOAD attack is and effective measures you can take to safeguard your organization. Read more!

Published: June 6, 2024 by Alex Lvoff

Understanding and implementing robust chargeback fraud prevention measures is critical to protecting your organization.

Published: May 21, 2024 by Julie Lee

The world of finance can be a dangerous place, where cunning schemes lurk in the shadows, ready to pounce...

Published: May 15, 2024 by Alex Lvoff