Financial institutions such as banks offer their customers (account holders) access to their accounts to perform transactions in a variety of ways, such as via on-line websites, at branch locations, via call centers, and so on. Authentication challenges may be presented to customers to attempt to confirm that the person that is attempting to perform a transaction is authorized to perform the transaction. Authentication challenges may be presented as authentication tasks, in which the customer is asked to perform a simple task that a fraudulent individual (“fraudster”) would be unlikely to be able to perform. For example, the customer may be asked to provide a valid signature on a withdrawal slip prior to being permitted to withdraw money from an account. As another example, the customer may be asked to provide a physical object that can be used to authenticate the customer (e.g., driver's license, ATM card, and so on).
Authentication challenges may also be presented as authentication challenge questions in which the person is requested to provide information that is unlikely to be known by a fraudster. For example, in on-line banking situations, customers may be asked to provide a login ID, password and/or other information. The other information may include information that is obtained by the financial institution as a part of opening/maintaining the customer's account (e.g., the customer's date of birth, social security number, and so on). The other information may also include other arbitrary information that is obtained from the customer exclusively for purposes of authenticating the customer (e.g., mother's maiden name, favorite high school sport, and so on). Such information is immaterial to the account, and the correctness of the information provided by the customer does not matter, except that the customer must always answer the question consistently in order for the authentication to be successful. For example, for the arbitrary challenge question “what is your favorite high school sport,” if the user answers hockey, it does not matter whether the user's favorite high school sport really was hockey; rather, it only matters that the user answers the question consistently.
To increase the level of security, the path to authentication that the customer is required to take may be made longer by adding more authentication challenges. However, too many authentication challenges would make the experience highly inconvenient for customers. The vast majority of transactions are attempted by actual customers and not fraudsters. Only a relatively small percentage of attempted transactions are fraudulent. A tradeoff typically exists between the number of authentication challenges that are presented and the level of security that is obtained. An ongoing need exists to develop techniques for preventing fraudsters from conducting fraudulent transactions.