I haven’t applied for a credit card in a while and so I wasn’t expecting this new identity proofing process from BMO MasterCard…
I called the customer service number to activate the card. In the past, you simply had to enter the 16-digit number and, assuming you are calling from a home phone number, the combination of the card number and phone number were sufficient to validate your identity.
Today, however, the system collected my card number and explained that I would need to participate in an identity proofing process based on my credit history.
After a few minutes on hold, the agent came online. Here is the transcript, somewhat paraphrased:
Agent: Hello, Mike, we need to confirm your identity using information from your credit history. We will ask you some questions and you can pick from three multiple-choice answers. Do you agree to this process?
Me: Uh, Sure.
Agent: Okay, from the following list of credit unions, who have you banked with in the past five years? <she then listed three credit unions.>
Me: <name of credit union.>
Agent: That is correct. Next, from the following apartment numbers, pick the one that corresponds to a previous residence.
Me: Uh, well I can’t recall the last time I’ve lived in an apartment…
Agent: Well… Let me list the numbers and see if you recognize any: 1101, 6A or 904.
Me: I’m not sure — is this my only option? The last time I lived in an apartment was 1987!
Agent: Well, we need an answer to this question.
Me: I can’t remember an apartment from 20 years ago… can you?
Agent: Uh, no, I see your point… but the credit bureau has this information…
Me: (sigh) I’m sure they do… and I’m sure it is accurate, but this isn’t much use to us if I can’t remember.
Agent: Well, if we can’t finish this process you can go to your bank in person with two pieces of identification to activate your card.
Me: I see. Well, can I guess? How about ‘1101’ ?
Agent: Yes! That worked; your card is now activated…
I’ve written about shared secrets and identity proofing before, and I knew that credit bureau information was a rich source of shared secrets. In fact, these types of questions are likely what is driving the Equifax Over 18 I-Card implementation (used to prove age of user among other things).
So what is new and worth commenting about all this?
- The questions are locked – the agent only had two questions and I had to get them correct on the first try to proceed. She was surprised when I asked for an alternate question.
- There were only three options to each question. I actually guessed at the apartment number and was successful. With only 2 questions and three options, my calculation is that a fraudster would have a 16.7% chance of guessing the right answer to both questions.
- Because my call had to be from my home phone, the threat they are attempting to thwart is (presumably) ‘an intercepted card by someone in the same household (or someone with caller ID spoofing capability)’. This is seemingly low probability occurance but it is obviously worth the bank’s efforts to implement this additional process.
My best guess is that they are having trouble with intercepted mail and caller ID spoofing. I wonder if the additional shared secrets presented in a multiple choice format are sufficient to overcome a determined (or lucky guesser!) fraud artist given that they’ve already stolen my mail and know my phone number…