What are the Best Security Questions for Call Centres?

Security question concept with a question mark and a padlock

Which security questions are best to use in a call centre for customer verification, and with so many scams about how can you be certain that you are talking to the right person?

Call centres handle a vast amount of data about people’s lives, and keeping this data safe is of paramount importance. Agents must be sure that a caller is genuine, to ensure no sensitive information is given out to fraudsters.

To do this, they ask security questions to authenticate the person they are speaking to is the customer. But which questions are best, and what other issues do call centres face when trying to verify a caller’s identity?

Data Protection Act (DPA) Verification Obligations

Under the Data Protection Act, companies and organisations are obliged to take reasonable steps to confirm the identity of a telephone caller before proceeding with a call relating to a personal account or information.

The questions asked during the customer verification process are colloquially know as DPA questions or Data Protection questions.

They must have safeguards in place to prevent people calling in under a false pretence of acting on behalf of the customer.

Companies also have an obligation to their customers to make sure their personal information is handled properly. Security questions build trust, as customers are reassured that suitable precautions are being taken.

Call Centre Security Questions

The exact questions asked by call centres during security checks vary across industries and organisations. However, there is common ground on the best basic authentication questions.

A three-question check comprehensively tests a caller’s identity. Most call centres ask for an account or reference number, then the customer’s name, and then their address, postcode or date of birth.

The question asked as the third part of such a check may vary depending on the business of the contact centre. The options for each question are shown in the table below.

Budd Cartoon
Thanks to Budd for supplying this cartoon

First Security Question

  • Account number
  • Reference number
  • Contract number
  • Telephone number

Second Security Question

  • Name

Third Security Question

  • Address
  • Partial address
  • Postcode
  • Date of birth
  • Payment method
  • Last payment made
  • Other contact telephone numbers
  • Email address

“The circumstances when a security check is required must be clear to the agents, which will save ACHT (average call-handling time) so as not to prolong the interaction or annoy the customer.

A minimum of two checks must be mandatory for confirmation if account details are required,” said Pinaz Hansotia, previously Business Unit Head and Relationship Manager at Seamless Connections.

Similarly, agents should be given list of situations in which a security check isn’t necessary.  General enquiries such as “What new offers are available” only provide information that is readily available elsewhere.

Security in Numbers Rather Than Percentages

Financial service call centres may ask security questions with a numerical answer – ‘state the current balance of your account’, for example.

A margin for error is allowed in the answer, as few people know their exact account balance off-hand. But this tolerance level causes trouble for call handlers, according to Jane Stuart, Senior Manager at Avertis Risk Solutions.

“We’ve found that if the tolerance is a percentage, say the caller has to be correct to within 10%, that’s far too complicated for the call handler to cope with. It’s difficult for them to calculate what 10% is and subtract it,” said Stuart.

A tolerance should instead be expressed as a defined amount, to assist less mathematically skilled agents. Rather than insisting the customer is within 10%, the call centre could require the caller to be correct to within £20 of the true balance.

Safeguarding Sensitive Information

The effectiveness of security questions may depend on the way in which they are asked. An agent may inadvertently give away information when asking a question.

For example, asking a caller ‘Do you have a current account or a savings account?’ instantly narrows the chances of a possible fraudster guessing the answer to 50-50.

Asking ‘What type of account do you have?’ leaves other possibilities open and gives nothing away. According to Jane Stuart, many call centre staff become relaxed about security questions and risk letting fraudsters through the net.

“Immediately after training, the security procedures are fresh in an agent’s mind. After a few weeks on the phone, when people become a bit more chatty and a bit more relaxed, those procedures can become diluted, not deliberately, just by human nature, unless they are reinforced,” said Stuart.

Avoid Information That Thieves Can Discover

Security questions should avoid information that can fall into the wrong hands too easily. Household bills are often thrown out intact.

Handbags are stolen, cars broken into, and documents lying around could fall into the wrong hands. Some answers are easily guessed if a fraudster has even a tiny bit of information about a potential victim.

If a caller is asked to state two direct debits on a certain account, the call centre shouldn’t accept an answer which only mentions utility bill debits. It is easy for a fraudster to guess which water or electricity company someone uses if they live nearby.

A better question is one which asks something only held on record by the call centre and in the customer’s memory. ‘How long have you had this account?’, for example, or ‘Do you have any additional borrowings against this mortgage?’.

The trick is to find the balance between something that a genuine customer can answer and something that doesn’t appear on many documents.

Double-Sided Security

Maria Opuni
Maria Opuni

Security questions need to protect customers from information theft inside a call centre. It is important that staff only have access to data they need in order to do their job, including the answers to security questions.

If a prearranged password is used, allowing an agent to see a customer’s password alongside other personal information gives that agent the ability to use that information illegally, should they be so inclined.

To avoid this situation, security questions should only require agents to ask for part of a password, address or date of birth.

“We often ask for just certain digits out of a date of birth. We also operate strict security measures, for example staff aren’t allowed mobile phones in the contact centre and we run regular spot-checks,” said Maria Opuni, Contact Centre Director at DDC Outsourcing.

Such measures help maintain customer’s trust, especially after the high-profile government data leaks in the UK in recent years.

Don’t Be Afraid to Challenge

The point of asking security questions is defeated if there isn’t a limit to the number that can be asked before a call is ended.

Customer service agents shouldn’t be afraid to politely refuse a caller who can’t give right answers to the DPA verification questions.

“If a caller gets two questions or two types of question wrong then they should be terminating the call and saying sorry, you’ve not passed the questions today, get some information out and call back,” said Jane Stuart.

Voice Biometrics

Dave Lee
Dave Lee

One approach to identity validation that looks promising (at least on paper) is using voice biometrics.  Based on the individual caller’s unique voice print, voice biometrics claims to offer extremely high levels of security.

It works with several factors called articulators, contributing to its uniqueness.  These include: the size and shape of the mouth, throat, nose and teeth, and tension of the vocal cords.

“Voice biometrics can provide significant benefits to both the call centre and the customer,” said Dave Lee. 

“For the customer, it can reduce the time taken to conduct the ID and Verification (ID&V) process and they don’t have to remember complex or infrequently used password or questions.”

Keeping information safe is difficult, and no security questions will provide total protection against people determined to obtain it under false pretences.

But can security questions alone provide a substantial barrier against fraud, or does it ultimately depend on the individual agent who is asking those questions?

For more information on voice biometrics, read our article: An Introduction to… Voice Biometrics

We have a number of other great articles on contact centre security, so read these next:

Author: Jonty Pearce
Reviewed by: Robyn Coppell

Published On: 24th Apr 2022 - Last modified: 28th May 2024
Read more about - Technology, , , , ,

Follow Us on LinkedIn

Recommended Articles

key in puzzle lock
What Level of Security Questions Need to be Asked?
Person thinking with a laptop in her lap and question mark above her head
50 Must-Have Customer Survey Questions
Abstract technology background and security concept with digital padlock
Top Call Centre Security Challenges and How to Fix Them
Cyber security concept with padlock
5 Biggest Call Centre Security Threats
  • Excellent article – probably one of the best I’ve seen on DPA

    Stuart Harris 18 Nov at 15:35
  • If it is a family member calling to cancel or to ask for information, we should always ask for the holder of the service to contact us in order to display information or cancel, even if this person is able to confirm 3 security questions, is this correct?

    Sandra 15 Sep at 16:50
  • ” … so as not to prolong the interaction or annoy the customer.”

    From a very annoyed customer! :-

    company asking SEVEN securuity questions and then telling me ” … it is required by the Data Protection Act”. Fib??

    1/Account number?
    3/Are you the account holder?
    4/First line of the address?
    6/email address?
    7/What type of fuel?

    All that to make an appointment for an engineer to call.

    I am surprised they didn’t ask for my inside leg measurement!
    All of which will hasten my leaving company after 20+ years.
    One hacked-off customer.

    Peter 1 Dec at 15:17
  • It annoys me when I’ve gone through security questions with the organisation, then we have a detailed conversation, the customer service rep says “I’ll find out and call you back shortly”….. 5 minutes later he/she rings my mobile number that I’ve just given him, I answer with my name, he asks if its me, I confirm, I ask if he’s found the information and he says “yes, but I need to go through the security questions again”…. really? … I mean… REALLY?

    We’ve already spoken, only 5 minutes since last hearing my voice, he rang ME, I asked if he had the info we’d talked about (which wasn’t personal info) The DPA states one should ask security questions where it would be “Reasonable” to do so

    Ron 15 Oct at 13:37
  • Wow, one of the best articles so far

    Ebenezer Semeha 11 Jan at 09:56