Why this is the year to move beyond out-of-wallet questions

What was your favorite band in high school? – and other questions we never want to answer again.
Apr 19, 2022
Laura Caseley
Content Writer

What was the name of your first pet? The street you grew up on? How about the first out-of-wallet question you were ever asked? 

An out-of-wallet question is a question outside of the usual identification points like account number, social security number, or date of birth. They can also be known as knowledge-based authentication (KBA), or as challenge questions or shared secrets. They can be anything from “What color was your first car?” to “Out of these four addresses, which is not associated with your family?” In short, they’re questions that fraudsters can’t get from stealing your wallet. Out-of-wallet questions used to be a secure way to ensure identities and prevent fraud, but they’re no longer cutting it as technology – and tech-based crimes – evolve. 

Fear of fraud is valid, but relying too heavily on KBA can create a frustrating customer experience and lead to abandonment. 

Protecting from fraud should never mean a bad experience

KBA questions can be pain points for two sets of customers: new customers looking to open an account, and existing customers who need support. 

For potential new customers, being confronted with confusing, open-ended, or irrelevant questions can grind the account opening process to a halt. They have to read through the questions, decide which are relevant, and construct an answer they’ll be able to remember accurately – sometimes multiple times. These are the kinds of stalls in flow that lead to account opening abandonment. 

For customers and members seeking support, being asked personal questions during what can be a high-stress time can cause them to become flustered. This can lead to an inaccurate or incomplete answer. This also stops the process in its tracks, and stalling the resolution of a potentially serious issue is always a bad experience. 

The idea behind KBA and out-of-wallet questions isn’t bad, but a deeper look shows that these questions are not the failsafe they seem to be on the surface.

Personal information changes over time.

How many bedrooms does your house have? Where does your closest sibling live?

Any information that’s subject to change is a bad idea to use as a security question. Questions about current houses or cars, for example, will be incorrect if someone moves or gets a new vehicle. Keeping outdated information in mind can be confusing. That leads to a support call and more verification, eating away at the customer’s time and patience as well as your staff’s. 

Some questions have more than one answer.

What was your favorite band in high school? Who was your childhood best friend?

If you’re like a lot of people, your favorite band as a teen probably changed every few weeks. And you’ve likely had a few friends you might consider your best. That’s normal, but a question like this will more often stump a customer than not as they try to remember which of the bands they called their favorite, or whether the answer was their best friend from elementary school or middle school. Questions regarding “favorites,” even present ones, can be less direct than they seem.

Some questions simply don’t apply.

What’s your mother’s maiden name? What was the name of your next-door neighbor growing up?

On a related note, some questions are also rapidly becoming outdated. For example, the question “What is your mother’s maiden name?” is not always relevant, as many women do not change their names on marriage. In that case, if your mother’s last name is known, something that can be found through online activity or public records, then the question is not a secure one. Questions about neighbors can be hard if people live in apartments or multifamily homes, or, conversely, in very rural locations, where the concept of “next door” might be a little nebulous.

There are other safety concerns, too: obscure personal information is becoming easier to find.

If you’ve ever seen a Facebook or other social media account posting strange, open-ended things like “Bet you can’t remember the make and model of your first car!” be aware that these are often scams that trick users into voluntarily giving away the very answers to their “secure” questions. This practice, known as “social engineering,” is an increasingly popular way to harvest information through seemingly innocuous or “fun” posts. Fraudsters can also mine social media activity for information that seems innocent, such as the names of relatives, schools, and employers, but that can be used to hack out-of-wallet questions.

If you’re going to use KBA to validate identity, it’s important to keep in mind that some information is no longer quite so secret, and can be quite easy to find online.

Is there such a thing as a good out-of-wallet question?

Better KBA questions are possible, but they’ll take a bit more thoughtfulness than they have in the past, especially if the goal is less work and a more frictionless experience for the customer. If out-of-wallet questions are the right choice, consider keeping the following guidelines in mind.

Better out-of-wallet questions have:

  • Consistency. If the answer to the question can change, it’s only going to cause confusion for the customer. That being said, encouraging users to refresh their ID verification information periodically is still a good idea. You can get ahead of confusion by allowing them to set regular password and question refresh intervals so they can stay up to date on their own information while staying ahead of would-be attackers.
  • Conciseness. Anything that is too hard for the customer to remember is not ideal. An answer requiring the identical entry of a lot of information will lead to flubs and frustration. One- or two-word responses are best.
  • Secrecy. Questions about family members, schools, jobs, friends, and even pets can potentially be found on social media without much effort, so remember that making things a little more obscure, but still easy to recall for the customer, is key.
  • Variety. Your customers come from all walks of life, so questions should be accessible to broad audiences. Providing a list they can choose from is a great option, but make sure your questions vary enough to apply to as many lives as possible.

When it comes to seamless and stress-free account opening, Narmi offers options for both document and non-document identification verification. Non-document IDV uses personal information from multiple trusted third-party sources for increased security and minimal hassle to both institutions and customers. 

This advanced verification process has not only led to a better customer experience when opening an account, but has also allowed Narmi customers to see their applicant rate quadruple – with an 80% average completion rate. Fraud is reduced as well, by as much as 99% in some cases, proving that easier and smoother account opening can also be safer account opening. Truly, the best of both worlds.

Narmi Inc.
P.O. Box 231517
New York, NY 10023
