Maintaining Privacy in an Age of Data Breaches and Consumer Mistrust
At this year’s Money 20/20 conference and tradeshow in Las Vegas, Neustar brought its experts together with a Forrester analyst and top industry trade media to discuss an issue that is top-of-mind for many financial services organizations: how privacy and security can be maintained responsibly in an age of criminal breaches and consumer uncertainty.
Although data privacy may seem like a black and white issue, financial institutions are encountering shades of gray as they seek to maintain a client’s privacy while enforcing data security and delivering the frictionless, value-added experiences consumers have come to expect. For instance, customers may appreciate new offers tailored to their needs, but finding that such benefits are predicated on their stored data causes many to pause and consider whether their data is being exploited.
Generally, consumers are inherently distrustful of how companies are using their data, and there is a growing sense of urgency for change and accountability. New regulations, such as the California Consumer Privacy Act or the European Union’s General Data Protection Regulation, are perhaps an indication of more to come.
PII is already out of the bag
While legislation has been aimed at preventing future data breaches and limiting how consumer data is collected and used, one significant part of the problem has been overlooked: the vast quantities of personally identifiable information (PII) already circulating in the wild. Combined with the prevalence of knowledge-based authentication (KBA), exposed PII provides fraudsters with a golden opportunity to access victims’ accounts and do harm.
PII can be purchased on the dark web or gleaned from social media, arming criminals with stolen credentials or just enough knowledge to crack weak passwords. Once armed, bad actors are targeting what have emerged as the weak links in the security systems of many organizations: the digital and phone channels. Call centers that rely on KBA, which is highly vulnerable to social engineering, place their customers and themselves – and even other institutions – at risk.
Time to adopt MFA in the call center
The fact is, some PII is useful in maintaining data security. Call centers using KBA can unwittingly undermine other organizations’ security procedures if they are taken in by a fraudster and release sensitive customer information that serves as an authentication factor elsewhere. By adopting multifactor authentication (MFA) in their call centers, organizations can better protect their customers and their data.
With MFA, clients would need to supply at least two different types of credentials, drawn from what they know (PII such as their password, Social Security number or mother’s maiden name), what they have (their smartphone with a single-use code), and what they are (their voice or fingerprint). While criminals may have access to knowledge, it is unlikely that they would be in possession of the two other types of credentials at the same time.
Leverage accurate data and educate consumers
In this age of instant gratification, any additional friction in the account access process can have a negative impact on the customer experience. In light of data breaches and new regulations, consumers may have the knee-jerk reaction to limit access to their data as much as possible. Organizations will need to take time to educate their audiences about how private data, used responsibly, can enhance security. Device location and behavior, for example, can indicate potential fraud and prompt additional security checks before authenticating access.
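To make the two-category rule and the risk-driven step-up concrete, here is an added example (not Neustar’s code or any product described above) of a call-center verification policy: KBA answers count only once as the knowledge category, the single-use phone code is checked as an RFC 6238 TOTP for the possession category, and a flagged device raises the requirement to all three categories. The customer record, the TOTP secret and the step-up policy are constructed assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Factor categories from the post: knowledge (KBA/PII), possession (single-use
# code on the caller's phone), inherence (voice or fingerprint). KBA alone never
# authenticates, because the PII behind it is assumed to be already exposed.
CATEGORY = {"password": "knowledge", "ssn_last4": "knowledge",
            "mothers_maiden_name": "knowledge", "phone_code": "possession",
            "voiceprint_match": "inherence"}

# Constructed customer record (not real data). The TOTP secret is a fixed
# demo value; a real deployment provisions one per enrolled device.
CUSTOMER = {"ssn_last4": "1234", "mothers_maiden_name": "smith",
            "totp_secret": b"demo-secret-not-for-production"}

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the single-use code for the possession factor."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def code_valid(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current 30s step plus/minus `window` steps, compared in constant time."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), code)
               for d in range(-window, window + 1))

def verify_caller(evidence: dict, now: int, device_risk: bool = False) -> dict:
    """evidence maps factor name -> value presented on the call. Returns the
    categories satisfied and whether the call is authenticated. Assumed policy:
    two distinct categories normally; all three when device location or
    behaviour signals flag the session (the post's 'additional security checks')."""
    satisfied = set()
    for name, value in evidence.items():
        cat = CATEGORY.get(name)
        if cat == "knowledge" and name in CUSTOMER and hmac.compare_digest(
                str(value).strip().lower(), CUSTOMER[name]):
            satisfied.add(cat)
        elif cat == "possession" and code_valid(CUSTOMER["totp_secret"], str(value), now):
            satisfied.add(cat)
        elif cat == "inherence" and value is True:  # biometric engine's match result
            satisfied.add(cat)
    required = 3 if device_risk else 2
    return {"satisfied": sorted(satisfied), "authenticated": len(satisfied) >= required}
```

Two correct KBA answers still yield only the knowledge category, so a caller armed with leaked PII alone is not authenticated.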
All organizations have the responsibility to protect their clients’ data and accounts from fraudulent access. Whether in their digital channel or their call center, institutions that upgrade outdated processes, use the latest best practices and leverage accurate data can improve account protection while enhancing the customer experience.