Verifying Identity: From One Foolish Way to Another
posted by Daniel Solove
For quite some time, banks and financial institutions have been using people’s Social Security Numbers (SSNs) to verify their identities. Suppose you want to access your bank account to check your balance, change addresses, or close out the account. You call the bank, but how does the bank know it’s really you? For a while, banks were asking you for your SSN. Your SSN was used akin to a password. If you knew this “secret” number, then it must be you. Of course, as I have written about at length, a SSN is one of the dumbest choices for a password. Not only is it a password that can readily be found out, but it is a password that’s very hard to change. Not a wise combination. People’s SSNs are widely available, and the data security breaches in the past two years exacerbated the exposure. A lot of legislative attention has focused on the leakers of the data, and rightly so, but not enough attention has been focused on the businesses that use people’s SSNs as passwords. If SSNs weren’t used in this way, leaking them wouldn’t cause the harm it does.
But now, it seems, banks are starting to rethink the use of SSNs. According to a USA Today story:
A growing number of banks and retailers are moving beyond Social Security numbers to verify your identity. They’re relying on such personal details as your car color, your father-in-law’s name and the city you lived in five years ago.
No, you never gave them this information; rather, they pulled it from public and private databases. These private details are increasingly being used to approve you for credit at a store, give you access to your account online or to verify that you — rather than an impostor — are making a purchase.
It’s the latest effort by financial institutions to fight a growing threat of identity theft from online “phishing” and other scams. Chase, HSBC, Vanguard, American Express and Barclaycard US use this customer-verification technique. Mellon Financial is testing it. In the past two years, the technology has been adopted by six of the top 10 U.S. banks and thrifts, says Verid, a provider of the technology.
The problem with using this method is that the information in public databases is often riddled with errors. Why do banks need to go behind your back to snoop out information about you? Banks and financial institutions already have a relationship with you — after all, you established an account with them. They can use some of the information they gathered at that time to establish your identity and then ask you to supply additional information to help identify you. But going behind people’s backs and trolling public records for data does not strike me as a particularly effective method given the possibility for errors in those records.
The story continues:
Frank Lapiano, a sales rep in New York, got a taste of this technology when he and his fiancée bought a wedding ring at a department store in September.
To verify his identity, his credit card issuer, Chase, asked about the last four digits of his Social Security number, his mother’s maiden name and charges he’d made in the past 48 hours. Then the bank dug deeper: It asked multiple-choice questions about which age range reflected his father’s age and also about the city his mother lived in.
The problem here is that the last four digits of the SSN are not a good password. Neither is one’s mother’s maiden name, since it readily appears in public records such as birth certificates. Charges made in the past 48 hours might not be ideal to use either, since a thief who stole a person’s credit card might be the one who made such charges. And the details about his father’s age and whereabouts of his mother come from public records, which may not be reliable and which can readily be found out by a fraudster too. All a fraudster needs to do is buy a public records report about a victim from a database company, and the fraudster will have all the information he needs to circumvent this security tool. Moreover, asking numerous questions can slow down the identification process and make it less efficient. What we want isn’t perfect security; it is smart security using passwords that do not contain information anybody can readily find out and that can be changed easily if they fall into the hands of a frauster.
So it’s a good thing that banks are moving past the SSN, but I’m not sure they’re moving to something much wiser.
November 9, 2006 at 12:15 pm
Posted in: Privacy (ID Theft)
Print This Post
Responses (6)
William McGeveran - November 9, 2006 at 4:31 pm
Great post. You are right, of course.
I would add another independent problem: if the public records are inaccurate (as is so often the case), you may find yourself giving the “wrong” answer about your own personal details. This happened to me once recently. I had the surreal experience of needing to insist to a skeptical customer service rep on the other end of the phone line that I am indeed me and that I knew my own past home addresses better than she did. Turns out there was a typo, of course.
Worse still from the point of view of banks and other institutions who adopt this strategy, quality control is essentially impossible. The error must have been made by some faceless data entry clerk at some other entity with whom I interacted in the past, and the bad info gradually migrated its way into my Choicepoint profile or some similar aggregated dossier.
(cross posted at Info/Law)
Bruce Boyden - November 9, 2006 at 7:10 pm
What’s the worst that can happen here? You occasionally suffer the inconvenience of going into the bank with your drivers’ license? A phone call that takes 20 minutes instead of 5? Aside from the security issue, the downside to the consumer appears to be occasional inconvenience.
As for the upside, for one thing, banks et al. are dealing with a “legacy” problem — a mass of customers who opened their account years ago before the banks woke up to the scale of the identity theft problem. It’s WAY cheaper and faster to cull that information from databases rather than calling up each existing customer and playing 20 questions. For another, most consumers probably do not want to answer a series of personal questions each time they open a new account.
William McGeveran - November 9, 2006 at 9:53 pm
Well, first of all, one personal question with a clear and correct answer might do the trick. That’s better than repeat “20 questions” games, often when you are busy just trying to use your credit card or withdraw some cash.
I don’t suggest this is sky-is-falling stuff. But it does undermine my confidence in security if protective measures hinge on inaccurate information. And it is not hard to imagine a situation where customers actually are denied access to service — possibly the use of their own credit cards — because the bank (or, as in my case, utility company) mistakenly disbelieves their answers about where their mothers live or whatever.
Finally, given the enormous attention and investment that customer-facing operations make in monitoring, timing, and improving their telephone and online interactions with customers (for, as we are always told on the phone, “quality assurance purposes”), they mighyt consider a pattern of such problems a pretty big deal business-wise. Customers who get grilled about their personal data when they are just trying to buy stuff are not happy customers.
Antiquated Tory - November 10, 2006 at 6:32 am
How very odd. Here in the Czech Republic, where banking has a long way to go in terms of service, I can’t get any information over the phone. I can over the Internet but that’s password and certificate protected. I also cannot use my credit (really debit) card remotely to buy things. I have to have a separate ‘Internet’ card for this; it has a limit of 2 purchases/day which cannot total more than $400. Anything more, I have to physically swipe it.
I ran into problems with this recently while trying to rehabilitate my US Student Loan. It seems that the US Department of Education does not accept bank transfers, which are the normal (and fast and secure) way of moving funds over borders, and expected me to provide them with lots of credit card details instead. But this wouldn’t do them any good, because Czech credit card security won’t allow such transactions…
dan - March 22, 2007 at 1:29 pm
It is easy to pick apart a system of verification, but what solution can be provided? The Chase example could discredited further if the account was fraudlently opened to begin with. How do you stop someone from opening an account with someone else’s info? I think using public/private databases is the best method out there. The questions are random, so the fraudster doesnt have time to prepare what could be asked.
I would be interested to see your solution to the problems.
Jon - October 2, 2007 at 8:40 am
I just recently ran into this rash of question asking. My bank asked me an age question about my step-brother’s 3rd ex-wife. I didn’t have a clue. Just a minute ago, I was trying to order a birth certificate online and could tell the questions were targeted at my father and not me. Have you ever owned a home at one of the following addresses…nope, but my father did. You answer “None of the above” and are kicked to the curb and made to do things manually. It’s irritating and annoying because they have BAD data. In the computer world, the term GIGO jumps to mind: Garbage In, Garbage Out. These ID verification folks are putting a lot of Garbage In.
Leave a Reply