My last post has sparked more interest in knowledge verification and how exactly it works. In response to Kim Cameron’s request in this blog post:
“It would help to understand the concepts better if John would give us some examples of how this works in practice. What kinds of questions are asked, and how does IDology know the answers?”
I will address how this works in practice from two different angles, a consumer point of view and a business point of view, because both are important in how knowledge verification helps protect consumer privacy and promote the responsible use of data by businesses (which addresses a comment from Adam of Emergent Chaos posted in Kim’s blog).
To keep these examples simple, let’s look at an e-commerce transaction where we are buying something on the Internet for over $250. First, because we (the consumers) have voluntarily submitted our information with the intention of entering into a business transaction, we have given our consent for the business to verify the information we’ve presented. Once the business receives the information, in the interest of controlling fraud and completing the transaction as quickly as possible (avoiding a manual review of the transaction by the business), it uses an automatic system to verify that the personal information submitted is linked to a real person and that I am indeed that person. Enter IDology’s knowledge-based authentication (KBA), which scours (without exposing) billions of public data records to develop, on the fly, intelligent multiple-choice questions for the person to answer. Our clients vary in their delivery of KBA: some reward their customers with expedited shipping for going through the process, while others consider it a further extension of the credit card approval process, during which various data elements associated with the credit card are validated (such as address verification) along with the credit approval.
The key is for a business to use a KBA system that bases its questions on non-credit data and reaches back into your public records history so that the answers are not easily guessed or blatantly obvious. Typically, consumers find credit-based questions (what was the amount of your last mortgage payment, bank deposit, etc.) intrusive and difficult to answer, and these types of answers can be forged by stealing someone’s credit report or accessed with compromised consumer data. Without giving away too much of our secret sauce, our questions relate to items such as former addresses (from as far back as college), people you know, vehicle information and anything else that can be determined confidently while not exposing data from existing public data sources.
Once the system processes the results (which is all real-time processing), it simply shares how many questions were answered right or wrong so that the business can determine how to handle the transaction further. The answers are not given within the transaction processing (protecting the consumer and the business from employees misusing data) and good KBA systems have lots of different types of questions to ask, so that the same questions are not always presented and one question doesn’t give away the answer to another.
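The flow described above, sketched as an added example (this is not IDology's code): the verifier builds multiple-choice questions, keeps the answer key to itself, and hands the business only a count of right and wrong answers. The sample record, decoys, single-attempt rule and the `decide` policy are assumptions constructed for illustration.

```python
import random

# Constructed sample data; a real service would derive this from public records.
RECORD = {"former_street": "Maple Ave", "vehicle": "1998 Honda Civic",
          "associate": "Dana Whitfield"}
DECOYS = {"former_street": ["Oak St", "Birch Rd", "Elm Ct"],
          "vehicle": ["2003 Ford Focus", "1995 Toyota Camry", "2001 Jeep Cherokee"],
          "associate": ["Lee Brandt", "Morgan Ishii", "Pat Okafor"]}
PROMPTS = {"former_street": "Which street have you lived on?",
           "vehicle": "Which vehicle have you owned?",
           "associate": "Which of these people do you know?"}

class KbaSession:
    """Hypothetical verifier: builds questions, keeps the answer key private."""

    def __init__(self, record, n_questions=2, rng=None):
        rng = rng or random.SystemRandom()
        # Distinct categories per session, so the set varies between sessions
        # and no question's choices hint at another question's answer.
        categories = rng.sample(sorted(record), n_questions)
        self.questions, self._key = [], {}
        for qid, cat in enumerate(categories):
            choices = DECOYS[cat] + [record[cat]]
            rng.shuffle(choices)
            self.questions.append({"id": qid, "prompt": PROMPTS[cat],
                                   "choices": choices})
            self._key[qid] = record[cat]

    def score(self, answers):
        """Return only counts to the business; the answer key never leaves."""
        if self._key is None:
            raise RuntimeError("session already scored")  # assumed: one attempt
        correct = sum(answers.get(qid) == truth
                      for qid, truth in self._key.items())
        result = {"correct": correct, "incorrect": len(self._key) - correct}
        self._key = None  # discard the key so choices cannot be retried
        return result

def decide(result):
    """Assumed business policy: any miss goes to the existing exception path."""
    return "approve" if result["incorrect"] == 0 else "manual_review"
```

The business only ever sees `self.questions` and the dictionary returned by `score`, neither of which contains the correct answers.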
So you see, this is much more than performing shared authentication based on your dog’s name or favorite sports team. And KBA is in the marketplace today working well for both businesses and consumers. In fact, our clients get comments from their customers thanking them for taking the steps to protect their identities through this process. In other words, this can stop the bad guys from committing ID theft.
At the end of the day, the consumer, by completing this e-commerce transaction, is establishing a single pointed trusted identity with that business. The next extension is how the consumer can utilize this verification process to validate his/her identity to complete other economic transactions, or to have an established verified identity for posting to a blog or entering into a conversation in a social network whose participants have agreed to be verified in order to establish a trusted network, or who may be concerned with the age of someone in their verified network. To us, KBA can be an important part of establishing and maintaining a trusted identity.
I hope this provides more clarity for Kim on how KBA works and gives a better understanding of the types of questions presented. While I think I addressed Adam’s first comment related to consumer consent, I still need to address:
“Second, the information that such companies can gather are probably already being gathered by Choicepoint, Acxiom, Google, and others. So the assertions that ‘it’s cheap for us, and expensive for the attackers’ are hard to accept as credible.
Third, if truth and your database don’t agree, then we’re forced to have a reconciliation process, in which I, or the id thief, convince the company to change its answers. How does that process work?”
There are several different verification solutions available today, including some from vendors who are also in the business of gathering, buying and selling data. That is not our (IDology’s) business. We access public data records in real time during a transaction to assist with completing the transaction and make an independent observation about our findings. We don’t aggregate, distribute or otherwise reuse data. In other words, we provide a real-time solution to assist with establishing trusted identities.
So what happens if KBA is unable to verify you? A business would handle the exception transaction as they do now – probably asking for us to contact their call center, which may or may not be something I’m willing to do as a consumer.
So, hopefully this (very long but I wanted to be thorough) answer helps better explain how KBA works…thoughts?