Who Are You to Ask Me Who I Am? Two Party Authentication is a Must

By Jamison Utter

I think we are all well aware of how the trust chain is broken in fraud, even how that applies to cyber-crime. Scam email, phishing, click fraud, there are lots of ways to trick consumers into giving personally-identifiable information (PII) to the wrong people. We have some technologies and processes that have developed over time to deal with some of these issues of identification for both customer and consumer. I would like to address a gap in the trust chain.

IRS Scam Call Analysis  Image Source:  Pindrop Security

IRS Scam Call Analysis
Image Source: Pindrop Security

It started from an interesting call with an anonymous caller claiming to be from “The IRS” they asked me for lots of PII (none of which I gave) and when challenged actually hung up on me.

That phishing call made me think about this basic identity problem and how big it can be. What assurance of trust allows anyone to know that the voice on the other end of the phone is really who they say they are? If it’s a common contact, a friend or relative for example, you have shared experiences and acquaintances that could be referenced should you have doubt. But what if the voice belongs to someone you don’t know personally?

Traditionally, institutions have assumed that if you (the consumer) call them on some pre-ordained phone number you are the one needing authentication (after all you called them and they don’t know that you are you). But this issue is more complicated these days than it used to be. Most people (today) look up the number on the internet and call the number they find, but with the amount and frequency of website compromises, DNS related hacks, and Phishing emails, how can I be sure that the phone number I found on the web and then subsequently called is really the place I tried to call  – was it spoofed? Is the page redirected?

Our trusted partners – companies like banks, airlines, and insurance companies – sometimes call us for legitimate reasons like fraud prevention. They ask for identification to identify us. But how do we, as consumers, differentiate and identify the trusted partners from fraudulent felons?

After some reflection, I think we have something close to a solution right in front of us.

Some time ago, banks – and other trusted institutions – started to ask us for additional verification questions and identifying information. Things like the street you grew up on, and where did you have your first kiss. All of this data was meant to help them identify the person on the other end of the transaction (or phone) was indeed the customer with the account they were querying.

I say let’s just add the next step, which is to let me ask the institution calling (or that I called) a few questions that help me feel secure that this is indeed the company I choose to do business with. Some sort of shared secrets that only they would know, or that I told them specifically to help identify them to me.

How might this work?

In the process of ‘identity verification’ we would just add a challenge and response process. Today this is a one-way verification, the business asks the consumer questions that identify the consumer. What I am proposing is a two-way conversation, a handshake (if you will). Something like, I provide part of a number set and they provide another, maybe the first four and last four of a social security number. Or perhaps the last 3 transactions on my card – they should have this information.

Here are a few off-the-cuff examples:

  • I provide the last four digits of my social and the company provides the first four
  • I provide my address and they provide my zip-code
  • One I actually use, is asking what the last 3 transactions are on my account

This process lets the consumer know I am transacting with the partner I chose to trust. Some level of surety is returned to the process for both parties.

Businesses need to understand that it it just as critical for trust, that consumers know they are trustworthy. Help educate your customers about trust and identity, establish a program to implement some system (like this or otherwise) that helps your customers know that both parties are indeed properly identified.

This could be a simple thing your customer service representatives say “Thank you for calling Big Bank, I need to ask you a few questions to verify your identity, then I would like to have you ask me a few to verify mine.”

In general, the idea is that some information should be shared in trust between us allowing mutual authentication. Certainly no method is foolproof and lots of really clever people should work out the kinks before trusting lives to it.

Anything would be better than the nothing we have today.

About Jamison Utter

Jamison's personal interests push an understanding of the human side of technology and how it effects our lives, our future, and our minds.

More about Jamison