What was the name of your first pet? The street you grew up on? How about the first out-of-wallet question you were ever asked?
An out-of-wallet question is a question outside of the usual identification points like account number, social security number, or date of birth. Such questions are also known as knowledge-based authentication (KBA), challenge questions, or shared secrets. They can be anything from “What color was your first car?” to “Out of these four addresses, which is not associated with your family?” In short, they’re questions that fraudsters can’t answer by stealing your wallet. Out-of-wallet questions used to be a secure way to verify identities and prevent fraud, but they’re no longer cutting it as technology – and tech-based crimes – evolve.
Fear of fraud is valid, but relying too heavily on KBA can create a frustrating customer experience and lead to abandonment.
KBA questions can be pain points for two sets of customers: new customers looking to open an account, and existing customers who need support.
For potential new customers, being confronted with confusing, open-ended, or irrelevant questions can grind the account opening process to a halt. They have to read through the questions, decide which are relevant, and construct an answer they’ll be able to remember accurately – sometimes multiple times. These are the kinds of stalls in flow that lead to account opening abandonment.
For customers and members seeking support, being asked personal questions during what can be a high-stress time can cause them to become flustered. This can lead to an inaccurate or incomplete answer. This also stops the process in its tracks, and stalling the resolution of a potentially serious issue is always a bad experience.
The idea behind KBA and out-of-wallet questions isn’t bad, but a deeper look shows that these questions are not the failsafe they seem to be on the surface.
How many bedrooms does your house have? Where does your closest sibling live?
Any information that’s subject to change is a bad idea to use as a security question. Questions about current houses or cars, for example, will be incorrect if someone moves or gets a new vehicle. Keeping outdated information in mind can be confusing. That leads to a support call and more verification, eating away at the customer’s time and patience as well as your staff’s.
What was your favorite band in high school? Who was your childhood best friend?
If you’re like a lot of people, your favorite band as a teen probably changed every few weeks. And you’ve likely had a few friends you might consider your best. That’s normal, but a question like this will stump a customer more often than not as they try to remember which of the bands they could call their favorite, or whether the answer was their best friend from elementary school or middle school. Questions regarding “favorites,” even present ones, can be less direct than they seem.
What’s your mother’s maiden name? What was the name of your next-door neighbor growing up?
On a related note, some questions are also rapidly becoming outdated. For example, the question “What is your mother’s maiden name?” is not always relevant, as many women do not change their names on marriage. Therefore, if your mother’s last name is known, which is something that can be found through online activity or public records, then the question is not a secure one. Questions about neighbors can be hard if people live in apartments or multifamily homes, or, conversely, in very rural locations, where the concept of “next door” might be a little nebulous.
If you’ve ever seen a Facebook or other social media account posting strange, open-ended things like “Bet you can’t remember the make and model of your first car!”, be aware that these are often scams that trick users into voluntarily giving away the very answers to their “secure” questions. This practice, known as “social engineering,” is an increasingly popular way to harvest information through seemingly innocuous or “fun” posts. Fraudsters can also mine social media activity for information that seems innocent, such as the names of relatives, schools, and employers, but that can be used to hack out-of-wallet questions.
If you’re going to use KBA to validate identity, it’s important to keep in mind that some information is no longer quite so secret, and can be quite easy to find online.
Better KBA is possible, but it’ll take a bit more thoughtfulness than it has in the past, especially if the goal is less work and a more frictionless experience for the customer. If out-of-wallet questions are the right choice, consider keeping the following guidelines in mind.
When it comes to seamless and stress-free account opening, Narmi offers options for both document and non-document identification verification. Non-document IDV uses personal information from multiple trusted third-party sources for increased security and minimal hassle to both institutions and customers.
This advanced verification process has not only led to a better customer experience when opening an account, but has also allowed Narmi customers to see their applicant rate quadruple – with an 80% average completion rate. Fraud is reduced as well, by as much as 99% in some cases, proving that easier and smoother account opening can also be safer account opening. Truly, the best of both worlds.