Instead of using information you give to your credit-card company–your pet’s name or favorite movie–the new type of verification uses personal information gleaned from databases without your knowledge. London-based data broker Experian, for instance, culls information from hundreds of sources–including court records and electoral registries–to supply its 200-plus British clients with so-called challenge questions. If a customer arouses suspicion, the credit-card company sends the name to Experian and gets back, seconds later, a list of questions that can be put to the customer.
This kind of “out of wallet” authentication–so named because answers are rarely carried in wallets or purses–is growing most rapidly in the United States. For each challenge, Experian charges up to $2. Privacy groups have expressed concerns, but so far there’s been no public protest. What happens, though, if you can’t remember which bank refinanced your first home loan? Authentication firms say that it’s up to banks or credit-card companies to build in some kind of tolerance for wrong answers.
Out-of-wallet authentication may inadvertently make some identity theft easier. Because it increases the value of data held in credit bureaus, employees of these organizations are more tempted to pilfer the data. When it comes to fraud, it’s always hard to stay ahead of the bad guys.
