Avivah Litan

A member of the Gartner Blog Network

VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

U.S. Credit reports and Knowledge Based Authentication Compromised

by Avivah Litan  |  March 27, 2012  |  2 Comments

I just read with interest Bob Sullivan’s latest blog http://redtape.msnbc.msn.com/_news/2012/03/26/10875023-exclusive-hackers-turn-credit-report-websites-against-consumers.

If you ask me, it’s time to seriously rethink knowledge-based authentication (KBA) built on data held by the credit bureaus and other public data aggregators. (It’s also time to rethink KBA simply on the basis of its relatively high failure rates, as much as 10% after tuning, among good, legitimate customers who can’t remember the answers; for example, they probably were never told the name of the bank that held their first auto loan.)

MSNBC’s report points out the methods the hackers are using to discover the answers to the secret questions, so that they can then access and download the ‘protected’ credit reports behind this weak authentication and sell them on the black market.

What the report didn’t point out are the other methods more sophisticated hackers use to steal the ‘secret’ questions and answers used to authenticate most U.S. citizens before they execute ‘sensitive’ non-face-to-face transactions. It turns out the bad guys are also phishing employees who have access to the question-and-answer sets used in knowledge-based authentication (they are all stored in a database); after installing keyloggers on those employees’ desktops, the hackers gain direct access to the data stores holding the Q&As.

I’ve been told there are anywhere from a dozen to a hundred questions stored on each of us. So the more sophisticated hackers just go right to the source, e.g. by spear-phishing an employee at an aggregator, to get those questions and answers.

This has made it very difficult for banks to stop targeted attacks against wealthy or corporate customers with lots of money in their accounts. The bank’s risk engine will flag a payment or wire transfer as risky, and the fraud analyst who investigates the wire will call the customer to confirm it. But the customer’s phone has been forwarded by the hacker to the hacker, so when the analyst asks for the ‘secret’ answers to those ‘out of wallet’ questions, the hacker answers them perfectly.

When you think about it, this whole scenario is pretty outrageous: the reports and data sold to service providers and consumers to allegedly protect them are not themselves being protected adequately. It’s gotten ‘out of hand’. Wait until all that social network data starts flooding out there, though that probably won’t happen until more companies start relying on it for identity proofing.


2 responses so far

  • 1 U.S. Credit reports and Knowledge Based Authentication Compromised - credit-reports   March 28, 2012 at 1:46 pm

    [...] original post here: U.S. Credit reports and Knowledge Based Authentication Compromised This entry is filed under [...]

  • 2 Jim Fenton   March 30, 2012 at 2:58 pm

    Many of the security questions that are commonly asked are things that, for many people, it’s very easy to find out. I have been asked, What high school did I attend? What’s my mother’s maiden name? What city did I grow up in? — all questions that many people might be able to discern from my Facebook or LinkedIn profile. Other questions, like What was the name of your first pet? have very little cryptographic entropy — if passwords need to be complex, why should answers like Fido and Rover be used at all?

    It also isn’t clear whether these answers are maintained in a hashed form; probably not. These have all the characteristics of worst practices: low entropy, not stored securely, and likely to be shared by a number of relying parties.
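The post notes that the KBA question-and-answer sets are all stored in a database, and the comment above asks whether those answers are hashed and points out their low entropy. The following is an added example, not code from the original post or from any bureau or aggregator, showing how a relying party could store answers as salted scrypt digests with constant-time verification, and why that alone does not rescue a low-entropy answer: a short constructed list of common pet names recovers the stored answer in a handful of guesses. The scrypt parameters and the pet-name list are assumptions made for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Tuple

# Assumed scrypt tuning values for this example (not from the original post).
SCRYPT_N = 2 ** 14   # CPU/memory cost
SCRYPT_R = 8
SCRYPT_P = 1
HASH_LEN = 32


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so trivial formatting differences (case,
    whitespace, Unicode form) do not cause false rejections, without
    widening the space an attacker must search."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a KBA answer using a per-answer salt and scrypt,
    so the database holds no cleartext answers and identical answers across
    users do not share a digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(normalize_answer(answer).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_LEN)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate answer against the stored digest."""
    _, cand_digest = hash_answer(candidate, salt)
    return hmac.compare_digest(cand_digest, digest)


# Constructed sample wordlist standing in for a public list of common pet names.
COMMON_PET_NAMES: List[str] = ["max", "bella", "fido", "rover", "charlie", "lucy", "buddy"]


def guesses_needed(salt: bytes, digest: bytes, wordlist: List[str]) -> Optional[int]:
    """Defender's entropy check: count how many wordlist entries must be tried
    before the stored digest is matched. None means the wordlist misses.
    If a short public list recovers the answer, the question is unfit for
    authentication no matter how well the answer is stored."""
    for position, guess in enumerate(wordlist, start=1):
        if verify_answer(guess, salt, digest):
            return position
    return None


if __name__ == "__main__":
    stored_salt, stored_digest = hash_answer("  Fido ")
    print("verify 'fido':", verify_answer("fido", stored_salt, stored_digest))
    print("guesses needed from a 7-name list:",
          guesses_needed(stored_salt, stored_digest, COMMON_PET_NAMES))
```

The point of `guesses_needed` is that salting and a slow KDF raise the cost per guess but cannot raise the number of guesses; a question whose answer sits in a seven-entry list is recovered after at most seven scrypt evaluations, which is why the comment's "low entropy" objection stands even once storage is fixed.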