Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…
The little known secret of knowledge based authentication and why it fails so often

by Avivah Litan  |  June 17, 2010  |  3 Comments

Banks and other companies who rely on knowledge based authentication – the process that asks users ‘secret’ questions that only the legitimate user can presumably answer – are in a quandary because fraudsters are answering those questions successfully all too many times. These are the questions where you have to scratch your head and jog your memory, i.e. what was the first car you drove, what year was your mother in fact born (she didn’t like to talk about it), which back-end financial services company now owns your loan, etc. etc.

I have had a hard time figuring out how so many crooks have been so easily able to answer these questions successfully, when even the legitimate users have such a tough time remembering the right answers to them.

Last week, I learned the answer at a conference on fraud. It’s not rocket science. The crooks aren’t phishing the end-users for the questions/answers and they aren’t sitting there with software in a user’s browser ready to pounce and capture the knowledge based authentication question/answer session when it is invoked by a bank or other service provider.

What the crooks are doing is spear-phishing employees who work at the public data aggregators that provide the original data and the knowledge based authentication systems used to authenticate users. They simply get access to these employees’ accounts and get the keys to the data treasures. They can look up anything that is known about any of us, and armed with that information they can bypass most knowledge based authentication systems and processes that are based on external data from public data aggregators and the credit bureaus.

It’s a very serious problem that deserves a serious solution. It will be solved, but it will take time. In the meantime, service providers cannot count on the veracity and reliability of the process to indeed authenticate the ‘right’ and legitimate individual.

3 responses so far

  • 1 Bruce Marshall   June 18, 2010 at 3:19 pm

    I have no doubt that this can and, based on what you report, has happened. But to redirect attention away from user-targeted phishing, man-in-the-middle, or guessing attacks goes against my instincts.

    I assume you would have shared statistics if they had been shared with you, but my experience has been that the three attacks I cite are a more frequent threat than a hacked service provider. Especially when (again, in my experience) most organizations using knowledge based authentication are relying on home-grown solutions with no service provider involved.

    Can you provide more insight regarding why you’re now convinced this is such a widespread problem?

  • 2 Ajay Solanki   June 22, 2010 at 9:04 am

    Get real, we are in the computer age; knowledge based authentication often fails and falls to fraudsters as the knowledge element is completely missed out. In the event of remembering a secret question, we as humans tend to put in simple questions like which was my first school, and the challenge with this line of questioning is anyone can pull the 10 most common questions used as secret questions.
    We are anyway not in the Star Wars era where I can use a different nature of knowledge, a DNA strand analyzing device.
    It’s time that knowledge based authentication used a different type of knowledge to ensure that fraudsters don’t get in the way and at the same time not complicate things too much. Probably another business opportunity.

  • 3 Robert Lee   June 23, 2010 at 12:18 pm

    “Something you know” is only valid for authentication if it is a shared secret. When it’s not a secret, it’s useless.