Depending on the risk associated with client authentication, two factor may be warranted if it's practical. The number of clients and/or third parties contacting you will be part of the "practical" assessment.
This is why credit card companies typically want card number, expiry, and sometimes security code from the back of the card in addition to a secret word or challenge/response pair. "Something you have + something you know" has become a cliche for a reason. :)
I hope this helps.
------Original Message------
From: brookerj (at) wealthmgmt (dot) com [email concealed]
To: security-basics (at) securityfocus (dot) com [email concealed]
Sent: 25 Mar 2008 3:18 PM
Subject: Protecting Client Identity
What are the best practices generally used to authenticate a client or external advisor that is calling in to get information regarding a client's account? We have discussed the use of non-specific client questions that would be stored in our CRM however I would like to hear what other corporations are doing. Specifically in the financial industries area.
This is why credit card companies typically want card number, expiry, and sometimes security code from the back of the card in addition to a secret word or challenge/response pair. "Something you have + something you know" has become a cliche for a reason. :)
I hope this helps.
------Original Message------
From: brookerj (at) wealthmgmt (dot) com [email concealed]
To: security-basics (at) securityfocus (dot) com [email concealed]
Sent: 25 Mar 2008 3:18 PM
Subject: Protecting Client Identity
What are the best practices generally used to authenticate a client or external advisor that is calling in to get information regarding a client's account? We have discussed the use of non-specific client questions that would be stored in our CRM however I would like to hear what other corporations are doing. Specifically in the financial industries area.
Thank you,
--------------------------
Sheldon Malm
Director
Security Research and Development
nCircle VERT
Sent from my BlackBerry Wireless Handheld
[ reply ]