Even With New Laws, Protection for Personal Data Is Inadequate
Originally published on PaymentsSource.
With data protection and privacy issues constantly in the news, there is a growing sense of urgency among consumers around how their personal information is being used and misused, and outrage toward the organizations failing to protect their data and privacy.
These concerns, shared by many in business and government, have led to new regulations such as the European Union’s General Data Protection Regulation and the California Consumer Privacy Act, which address individuals’ need to control their own data and decide what information they want to share with whom.
But although data privacy regulations may be improving, and tech companies may now be forced to be more transparent about their practices, the fact remains that vast quantities of personally identifying information are already out in the wild.
Dishonest companies, state-sponsored groups and individual bad actors have illicitly acquired and shared massive amounts of data. Hackers are continuously attacking social media platforms, corporate networks and government databases. And cybercriminals have established a thriving market for PII on the dark web. All the best data-handling policies in the world won’t put the genie back in the bottle.
One reason the market for stolen PII is so large (and hacks are so frequent) is criminals’ ability to use this data to gain fraudulent access to people’s financial, health care and government accounts — often by social engineering around call center agents.
Most organizations that deal with personal information have invested considerable resources in improving their online security, but have turned a blind eye to the impacts of using personal information to identify customers. This is especially true for call centers that have relied on asking callers personal questions to grant access to their accounts.
Although multifactor authentication — an identity verification process that combines two or more factors (knowledge, inherence and/or ownership) — has been a best practice for decades, many call centers continue to rely on knowledge-based authentication alone, in the form of identity interrogation. Callers demonstrate that they are who they say they are by answering questions about their birth date, mother’s maiden name, account number and so on.
Obviously, this process breaks down if the information required to answer correctly is no longer private — as is too often the case now, thanks to social media and the sale of PII on the dark web.
While consumers worry about their information being used in ways they don’t approve, they are far more afraid of their bank accounts being emptied by criminals. As long as knowledge of personal information is used to grant access to accounts, consumers’ accounts will be vulnerable to account takeover fraud and other forms of fraud. How long will consumers continue to tolerate this risk? And more importantly, why are regulations that govern the use of personal information failing to account for one of the most problematic uses of PII: knowledge-based authentication?
More secure authentication approaches — for example, systems combining an inherence factor (such as a voiceprint) with a physical ownership factor (such as the customer’s smartphone) — are readily available to call centers, and organizations that refuse to embrace them could face a backlash. Will consumers force the hand of regulators, like they did with robocalls, finally compelling the Federal Communications Commission to act? Or will they take matters into their own hands and simply refuse to do business with companies that don’t adopt better authentication methods?
Whether it’s consumer advocates pressing for new legislation or large numbers of individuals acting in the interests of their own account safety, a grassroots revolt against knowledge-based authentication — and the weaponization of PII that it promotes — could eventually pressure organizations to adopt more accurate and secure methods of authentication.
But there’s no reason to wait for the revolt. It’s time for call centers to wake up to the threat posed by overreliance on knowledge-based authentication and take steps to prevent their customers’ stolen data from being used against them.