TL;DR: Call centers remain a prime account takeover target because social engineering exploits human trust faster than technical controls can respond, and TransUnion says more than half of ATO attempts now start there. Knowledge-based authentication no longer provides reliable assurance for sensitive recovery flows, and identity binding with biometrics and mobile verification changes the control model.
NHIMG editorial — based on content published by 1Kosmos: why call centers are prime targets for social engineering and account takeover
By the numbers:
- Traditional authentication adds 30 to 60 seconds to every call, often more when customers struggle to answer.
Questions worth separating out
Q: What breaks when call center verification relies on knowledge-based authentication?
A: KBA breaks because attackers can buy, guess, or socially engineer the answers, while legitimate users often forget them.
Q: Why do call centers remain a common account takeover path even when MFA is in place?
A: MFA on the web and mobile channels does not stop a support agent from resetting credentials or bypassing recovery steps once a caller's pretext succeeds; the agent's override becomes the MFA bypass.
Q: How do organisations know whether caller verification is actually working?
A: Look for reduced reliance on agent judgment, fewer failed recoveries from legitimate customers, lower override rates, and complete logs of identity proofing outcomes.
Practitioner guidance
- Remove KBA from sensitive recovery flows: eliminate security questions from password reset, account recovery, and high-risk servicing paths where fraud or takeover would be material.
- Insert automated identity proofing before agent action: require device-linked verification, document validation, or biometric proof before an agent can change credentials or disclose protected account data.
- Log and review support-channel verification decisions: capture who initiated the verification, which checks passed, which exceptions were used, and whether the outcome was overridden, so that audit and fraud review can work from a complete record.
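The three guidance points above, and the "how do you know it is working" question earlier, come down to one gate and one review loop: decide per call whether the proofing evidence is strong enough for the requested action, record the decision, and then measure how often agents override it. The following is an added example written for this editorial, not code from 1Kosmos or from the original article. The method strength ranking, the per-action requirements, the 20% override threshold and the sample calls are all assumptions constructed for illustration.

```python
"""Added example (not 1Kosmos's or NHIMG's code): a policy gate that decides
whether a support agent may perform an account action based on the identity
proofing evidence gathered on the call, plus a review pass over the resulting
audit records that computes per-agent override rates.
All names, thresholds and records below are hypothetical/constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Assurance ranking per verification method (assumed). KBA deliberately counts
# as zero: answers can be bought, guessed or socially engineered.
STRENGTH = {"kba": 0, "otp_sms": 1, "device_push": 2, "document": 2, "biometric": 3}

# Minimum assurance required per servicing action (assumed policy).
REQUIRED = {"balance_inquiry": 1, "address_change": 2,
            "credential_reset": 2, "wire_release": 3}


@dataclass
class Call:
    call_id: str
    agent: str
    action: str
    checks_passed: list      # verification methods that succeeded on the call
    override: bool = False   # agent used an exception path to proceed anyway


@dataclass
class Decision:
    """One audit record: what was achieved, what was required, what happened."""
    call_id: str
    agent: str
    action: str
    achieved: int
    required: int
    allowed: bool
    override: bool


def gate(call: Call) -> Decision:
    """Allow the action only if a passed check reaches the required strength,
    or if the agent explicitly overrode (which is recorded, never silent)."""
    achieved = max((STRENGTH.get(c, 0) for c in call.checks_passed), default=0)
    required = REQUIRED[call.action]
    allowed = achieved >= required or call.override
    return Decision(call.call_id, call.agent, call.action,
                    achieved, required, allowed, call.override)


def override_report(decisions, max_rate=0.2):
    """Per-agent override rate, agents above max_rate, and every override that
    proceeded on a call whose proofing fell short of the requirement."""
    totals, overrides = defaultdict(int), defaultdict(int)
    for d in decisions:
        totals[d.agent] += 1
        if d.override:
            overrides[d.agent] += 1
    rates = {a: overrides[a] / totals[a] for a in totals}
    flagged_agents = sorted(a for a, r in rates.items() if r > max_rate)
    underproofed_overrides = [d.call_id for d in decisions
                              if d.override and d.achieved < d.required]
    return rates, flagged_agents, underproofed_overrides


# Constructed sample calls (not real data).
SAMPLE_CALLS = [
    Call("c1", "agent_a", "credential_reset", ["kba"]),                  # KBA only: denied
    Call("c2", "agent_a", "credential_reset", ["kba", "device_push"]),   # device-linked: allowed
    Call("c3", "agent_b", "credential_reset", ["kba"], override=True),   # override, no proofing
    Call("c4", "agent_b", "balance_inquiry", ["otp_sms"]),
    Call("c5", "agent_b", "wire_release", ["document"], override=True),  # document < biometric
    Call("c6", "agent_c", "address_change", ["biometric"]),
]


def run(calls=SAMPLE_CALLS):
    decisions = [gate(c) for c in calls]
    rates, flagged, underproofed = override_report(decisions)
    return decisions, rates, flagged, underproofed


if __name__ == "__main__":
    decisions, rates, flagged, underproofed = run()
    for d in decisions:
        print(f"{d.call_id} {d.agent:8} {d.action:17} achieved={d.achieved} "
              f"required={d.required} allowed={d.allowed} override={d.override}")
    print("override rates:", rates)
    print("agents over threshold:", flagged)
    print("overrides on under-proofed calls:", underproofed)
```

The point of the gate is that a KBA pass alone never satisfies a sensitive action, and an override is allowed only as an explicit, logged exception; the report then surfaces the two signals the guidance asks for, an agent whose override rate is out of line and any override that proceeded without the proofing the action required.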
What's in the full article
1Kosmos's full analysis covers the operational detail this post intentionally leaves for the source:
- Step-by-step caller verification workflows that replace KBA in live support environments
- Specific deployment patterns for biometric, mobile identity, and document verification in contact centers
- Standards and compliance detail tied to NIST 800-63-3 and FFIEC expectations
- Operational examples of how identity binding reduces repeat authentication risk
👉 Read 1Kosmos's analysis of why call center verification needs a new identity model →
Call center verification: are KBA-based controls still defensible?