How I Failed My Bank Security Test – And A Thief Might Pass

by Janet Novack

I was simply trying to do something other baby boomer parents can identify with—transfer money from my checking account into the dwindling account of my college freshman daughter. So I went on line to link my account at SunTrust to hers at PNC Bank. I’ve paid my bills on line for years, but before I could link to a new external account, SunTrust demanded I answer some additional security questions. Fair enough. Who hasn’t gone through the ritual of setting up security questions for an online account?

Except these weren’t the type of questions you pick yourself. Instead, they were questions generated (it quickly became clear) by security software that taps into public record information about you. SunTrust asked me to pick the age range of a Steven Novack. Since I don’t know any Steven Novack, I said I didn’t know. But I suspected that wasn’t the answer the security program was looking for; earlier this year I had to fight with bill collectors demanding I make good on an unpaid hospital tab for my alleged husband, Steven Novack. (The Steven in question lived in a state I’ve never lived in, but bill collectors don’t sweat such small stuff.)

The second question asked if I’d lived at any of four addresses. I honestly answered I hadn’t lived at any of them, even though I recognized one of the addresses, as an address in yet another state, where my real ex (whose last name is not Novack) lived after our divorce. I’ve never lived in that state either, but it appears, for example, as one of my addresses on a “person locator” report about me from Reed Elsevier’s Lexis Nexis service and on my Experian credit report. The third question asked me to pick among more addresses, including an accurate one from 25 years ago. You can get that address from a $1.95 search on PeopleFinders.com.

Let’s review: I, knowing where I have and haven’t lived, got only one answer right and flunked SunTrust’s security test. But a fraudster could have pulled reports on me and gotten two, or possibly three questions right.

When I called SunTrust’s online service line, a pleasant and efficient gentleman didn’t seem too surprised by my experience and had the system spit out three additional questions, which this time were based on accurate information in the public records. I answered correctly, he linked the account and my daughter got her money.

A spokesman for SunTrust declined to say what security software the bank uses. So I rang up the most likely vendor, RSA, the security division of EMC. RSA spokesman Kevin Kempskie reports that 220 companies, including 14 of the 20 largest U.S. financial institutions, Target, Sears, Macy’s, Sprint and T-Mobile, use RSA’s “knowledge based authentication” (KBA) service. He also confirmed that I’m not alone in flunking a test based on erroneous public records, although he pegs the “false failure” rate at less than 5%.

Kempskie put me in touch with Angel Grant, Principal Manager of the Identity Verification and Protection Group at RSA. She acknowledges that it’s getting easier and easier for fraudsters to tap into the public data that KBA uses. “I could go out and buy an identity report on you for about $25. It’s a commodity. We’re aware of that and we’ve built that intelligence into our infrastructure,” she says. Example: RSA now gets from PeopleFinders.com and other data vendors reports on what searches they’ve sold. That allows RSA to give banks and other clients the option of excluding questions based on data that has been retrieved recently by some unknown person.

In addition, RSA has been adding more obscure, less public, data. Grant reports she was demonstrating the service to someone recently, and it spit out a question asking him which Pop Warner Youth Football league he’d previously coached in. “We have that data. But if a Russian gang is trying to impersonate the person, they probably don’t even know what Pop Warner is,” she boasts.
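The two defensive ideas in the preceding paragraphs, skipping questions built on data a broker reports as recently sold to an unknown party and preferring obscure facts over widely available ones, can be sketched as a small question selector. The following is an added illustration, not code from the article, SunTrust or RSA; every vendor name, record, time window and pass threshold in it is constructed for the example.

```python
"""
Toy knowledge-based authentication (KBA) question selector.
Added example, not RSA's or SunTrust's code. It models two mitigations the
article describes: (1) exclude facts whose source vendor reports a recent
sale of that data to an unknown party, and (2) prefer less-public facts.
All vendor names, facts, dates and thresholds below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a bank-chosen window after which a broker lookup no longer
# disqualifies a fact. Constructed value for illustration.
RECENT_LOOKUP_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Fact:
    attribute: str   # what the question is about, e.g. "prior_address"
    value: str       # the true answer for this customer
    source: str      # data vendor that supplied the fact (constructed names)
    exposure: int    # 1 = obscure, 3 = commodity public record


@dataclass
class Question:
    attribute: str
    correct: str
    choices: list


def recently_retrieved(fact, lookups, now):
    """True if the fact's source vendor reported selling a report on this
    customer within RECENT_LOOKUP_WINDOW. `lookups` is a list of
    (vendor, datetime) pairs, the kind of feed the article says RSA receives."""
    return any(vendor == fact.source and now - when <= RECENT_LOOKUP_WINDOW
               for vendor, when in lookups)


def select_questions(facts, decoys, lookups, now, n=3):
    """Pick up to n questions: drop recently-sold facts, then take the most
    obscure remaining ones. `decoys` maps attribute -> plausible wrong answers."""
    eligible = [f for f in facts if not recently_retrieved(f, lookups, now)]
    eligible.sort(key=lambda f: f.exposure)  # obscure facts first (stable sort)
    questions = []
    for f in eligible[:n]:
        choices = sorted([f.value] + decoys.get(f.attribute, []))
        questions.append(Question(f.attribute, f.value, choices))
    return questions


def score(questions, answers, pass_threshold):
    """Return (number correct, passed). An unanswered or 'don't know'
    question simply counts as wrong, as it did in the article."""
    correct = sum(1 for q in questions if answers.get(q.attribute) == q.correct)
    return correct, correct >= pass_threshold


# --- constructed sample data ------------------------------------------------
NOW = datetime(2010, 11, 1)
FACTS = [
    Fact("prior_address", "12 Elm St", "broker_a", 3),         # commodity record
    Fact("youth_league_coached", "Riverside Pop Warner", "youth_sports_db", 1),
    Fact("vehicle_model", "1998 Volvo", "dmv_feed", 2),
    Fact("mortgage_lender", "Example Savings", "credit_bureau", 3),
]
DECOYS = {
    "prior_address": ["9 Oak Ave", "44 Pine Rd"],
    "youth_league_coached": ["Hilltop Pop Warner", "Bayside Pop Warner"],
    "vehicle_model": ["2003 Honda", "1995 Ford"],
    "mortgage_lender": ["Sample Trust", "Demo Federal"],
}
# A broker reported selling a report sourced from broker_a three days ago.
LOOKUPS = [("broker_a", NOW - timedelta(days=3))]


def demo():
    """Run the selector on the constructed data and score a fully correct quiz."""
    qs = select_questions(FACTS, DECOYS, LOOKUPS, NOW, n=3)
    answers = {q.attribute: q.correct for q in qs}
    return [q.attribute for q in qs], score(qs, answers, pass_threshold=2)


if __name__ == "__main__":
    print(demo())
```

Note what the selector cannot fix: if the underlying record is wrong, as the Steven Novack entry was, the legitimate customer still fails, and the only recovery shown in the article is a human agent re-issuing questions from different data. Filtering and obscurity preferences lower the odds that a purchased report answers the quiz; they do not make the source data accurate.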

Consumers like KBA because it’s fast and companies like it because it’s cheap, Grant notes. One new health insurer client, for example, used to spend $15 to $20 per person to print out PINs and mail them to subscribers who wanted on-line access, she says.

Of course, it’s not just public-record based authentication that’s facing new pressures. Those “challenge” questions you set up, based on your first pet, or school mascot or mother’s middle name? “The challenge questions are more guessable for fraudsters because it’s available at no cost through Facebook,” Grant observes. That creates two problems. One, obviously, is that these questions aren’t as secure. The second, she says, is that more people, realizing the information is out there, are trying to protect themselves by making up fictitious answers to questions, and then forgetting the made-up answers. (Grant confesses she herself forgot one.)

What’s next? RSA is now researching security questions based on buying patterns, such as, “What Dunkin Donut do you buy coffee at?” That has its own downside—consumers may be put off by the notion that Big Brother banker knows all about their donut consumption. I suppose it’s only a matter of time before some bank asks me where Steven Novack buys his donuts.