The Equifax data breach will force banks to confront one of the toughest challenges of the digital age: figuring out how to make sure you are who you say you are.
Banks call it authentication, and many of them have been spending a lot of time trying to make it better. While the Equifax breach is huge, it is certainly not the first.
Banks are scrambling, in part, because the threat is multiplying. Fraudulent account opening and account takeover are on the rise, as criminals look for different avenues now that EMV cards have made certain types of fraud more difficult, according to a recent report from the Aite Group, a financial industry research and consulting firm.
Here are the kinds of security you should expect to encounter the next time you try to open a savings account and what you can do to prepare yourself.
Expect more hoops
There is no fool-proof solution to the authentication puzzle. Banks are experimenting to find the best way to secure your accounts while also keeping it simple. Many have adopted a multi-pronged approach that includes verifying you against something you are, something you have and something you know.
Banks are required by law to know who their customers are. And when it comes to fraud they are typically the ones responsible for covering the losses.
So next time you open a new credit card, anticipate a more strenuous experience in verifying your identity. Further, don’t expect each bank to take the same approach to verifying your identity.
Something you (should) know
When opening a new bank account — to take advantage of a great CD rate, for example — you may be asked questions about your past.
The bank asks your address from the late 1990s. The problem is you spent the aughts bouncing from apartment to apartment and you have no idea.
This is called knowledge-based authentication, and it is distinctly in the “something you know” bucket. So are passwords.
Since so much of the information the credit bureaus have on us may be accessible to the bad guys, expect banks to lean more on other sources. Public data — where banks find the answers to knowledge-based questions — as well as social data are among the most popular sources.
Brush up on your personal history, or at least think up some ways to quickly retrieve that information. Maybe your mom has an address book with every place you’ve lived.
Such questions, however, are not an ideal way to verify people. That’s because some of us struggle to remember.
“About 15 percent of people can’t answer the questions, but guess what? Fraudsters can,” says Shirley Inscoe, an Aite Group analyst.
Suffice to say, banks are using this method now, but don’t love it.
Something you have
If you’re signing up for a new account online, at some point you’ve likely had to put in your phone number. The bank then sends a text to your phone and you have to enter it back into the app or your browser. This is called two-factor authentication.
It is using something you have to verify that you are you. Of course, if criminals already have your most essential personal data — your name, Social Security number, date of birth, for instance — they could port your phone. In other words, they can contact your cell service provider and transfer your details to a new device.
Much like banks, mobile carriers are struggling with authentication, too. Just last week, AT&T, Sprint, T-Mobile and Verizon announced they’ve teamed up to develop a solution for businesses and customers.
In the meantime, the advice to consumers in protecting their mobile account is in line with good cyber hygiene, mainly pick good passwords that hackers can’t use social media to crack. In other words, don’t use your kid’s name and date of birth as your password and then tweet about little Mikey turning three today.
The Federal Trade Commission also suggests adding PINs to your mobile accounts as an added layer of security. In that scenario, no one can make changes to your account without the PIN.
Security experts like Joram Borenstein, vice president of NICE Actimize, which provides crime prevention tools to the financial services industry, also suggest using services like Google Authenticator, Authy or Duo for your two-factor authentication, when they are offered as an option by your institution. Such tools are potentially stronger than traditional SMS-based two-factor authentication, because they are time-based and not reliant on cell service.
Something you are
How do you feel about biometrics? Are you a little creeped out at the idea of your phone’s camera looking at the whites of your eyes to make sure you are you?
You’ll probably need to come to terms with it.
While banks like to offer options — regular passwords, voice and facial recognition, for instance — there is a big move toward using more biometric measures. For the most part, biometrics are used for existing customers, but some banks are starting to experiment with using biometrics to vet new customers.
For instance, BBVA last year announced it would let people open a new account in Spain by supplying a photo ID along with a selfie. Software then verifies the person in the selfie and the ID are one in the same. The final step is a video call with a BBVA representative.
Although banks might favor biometrics, it is important for you to know what happens with that data and where it will be stored.
For instance, with Apple’s forthcoming Face ID, the company says the facial data is safe with its “security enclave” and is stored on the phone, not on the cloud.
In other words, there is no massive repository of face data begging to breached. Still, Senator Al Franken of Minnesota sent a letter to the technology company asking it to further explain to consumers why this is safe.