Banks and other companies who rely on knowledge based authentication – the process that asks users ‘secret’ questions that only the legitimate user can presumably answer – are in a quandary because fraudsters are answering those questions successfully all too many times. These are the questions where you have to scratch your head and jog your memory, e.g. what was the first car you drove, what year was your mother in fact born (she didn’t like to talk about it), which back-end financial services company now owns your loan, and so on.
I have had a hard time figuring out how so many crooks have been so easily able to answer these questions successfully, when even the legitimate users have such a tough time remembering the right answers to them.
Last week, I learned the answer at a conference on fraud. It’s not rocket science. The crooks aren’t phishing the end-users for the questions/answers and they aren’t sitting there with software in a user’s browser ready to pounce and capture the knowledge based authentication question/answer session when it is invoked by a bank or other service provider.
What the crooks are doing is spear-phishing employees who work at the public data aggregators that provide the original data and the knowledge based authentication systems used to authenticate users. They simply get access to these employees’ accounts and thereby get the keys to the data treasures. They can look up anything that is known about any of us, and armed with that information they can bypass most knowledge based authentication systems and processes that are based on external data from public data aggregators and the credit bureaus.
It’s a very serious problem that deserves a serious solution. It will be solved but it will take time. In the meantime, service providers cannot count on the veracity and reliability of the process to indeed authenticate the ‘right’ and legitimate individual.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.