I just read with interest Bob Sullivan’s latest blog http://redtape.msnbc.msn.com/_news/2012/03/26/10875023-exclusive-hackers-turn-credit-report-websites-against-consumers.
If you ask me, it's time to seriously rethink knowledge-based authentication (KBA) built on data held by the credit bureaus and other public data aggregators. (It's also time to rethink KBA simply because of its relatively high failure rates, as much as 10% even after tuning, among good, legitimate customers who can't remember the answers; for example, they probably were never told the name of the bank that held their first auto loan.)
MSNBC's report points out the methods the hackers are using to discover the answers to the secret questions, so that they can then access and download the 'protected' credit reports sitting behind this weak authentication and sell them on the black market.
What the report didn't point out are the other methods the more sophisticated hackers use to steal the 'secret questions and answers' used to authenticate most U.S. citizens before they execute 'sensitive' non-face-to-face transactions. It turns out that the bad guys are also phishing employees who have access to the questions and answers used in knowledge-based authentication (they are all stored in a database). After installing keyloggers on those employees' desktops, the hackers get direct access to the data stores holding the Q&As.
I've been told there are anywhere from a dozen to a hundred questions stored on each of us. So the more sophisticated hackers just go right to the source, e.g. by spear-phishing an employee at an aggregator, to get those questions and answers.
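One defensive consequence of the point above is that a KBA data store should never hold the answers in a form a copied table hands straight to an attacker. The following is an added example, not code from the post or from any bureau or aggregator: it stores only a per-record salt and a stretched hash of a normalized answer, and verifies a candidate answer in constant time. The function names, the normalization rules and the iteration count are this example's own assumptions.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Slow on purpose so an offline guessing attack against a stolen table is expensive.
# Tune to the CPU budget of the verifying service (assumed value, not a standard).
PBKDF2_ITERATIONS = 600_000


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so trivial differences ('Chase Bank' vs 'chase bank.')
    do not lock out a legitimate customer. Unicode-normalize, case-fold, drop
    punctuation and collapse whitespace."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)
    return " ".join(text.split())


def hash_answer(answer: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Build the record that goes into the database: salt, work factor and digest only.
    The plaintext answer is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_answer(candidate: str, record: dict) -> bool:
    """Recompute the digest for a candidate answer and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def record_leaks_answer(record: dict, answer: str) -> bool:
    """Sanity check for a stored record: the normalized answer must not appear
    anywhere in what the database holds."""
    return normalize_answer(answer) in str(record).casefold()


if __name__ == "__main__":
    # Constructed sample question/answer; not real customer data.
    stored = hash_answer("Chase Bank")
    print("stored record:", stored)
    print("legit customer, sloppy spelling:", verify_answer("chase bank.", stored))
    print("wrong answer:", verify_answer("Wells Fargo", stored))
    print("record contains plaintext:", record_leaks_answer(stored, "Chase Bank"))
```

The caveat a practitioner should keep in mind: hashing raises the cost of turning a stolen table into answers, but it cannot fix the low entropy of the answers themselves. A question like "which bank held your first auto loan" has a small answer space and the same fact is often available from other public sources, so an attacker with the table can still guess cheaply per record, and a keylogger on an analyst's desktop still captures whatever is typed. That is the author's larger point: the store can be hardened, but KBA built on aggregator data stays weak.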
This has made it very difficult for banks to stop targeted attacks against wealthy or corporate customers with lots of money in their accounts. The bank's risk engine will flag a payment or wire transfer as risky, and the fraud analyst who investigates the wire will call the customer. But the customer's phone has been call-forwarded by the hacker to the hacker, and when the fraud analyst asks for the 'secret' answers to those 'out of wallet' questions, the hacker answers them perfectly.
When you think about it, this whole scenario is pretty outrageous: the reports and data sold to service providers and consumers in order to protect them are not themselves being protected adequately. It's gotten 'out of hand'. Wait until all that social network data starts flooding out there, though that probably won't happen until more companies start relying on it for identity proofing.