Knowledge Based Authentication Breached Big Time! Another dagger for Obamacare, the Banks and many others
Today’s blog post by Brian Krebs reveals serious automated compromises at some of the largest U.S. aggregators of sensitive identity data on consumers and businesses, e.g. LexisNexis, Kroll Background America and Dun & Bradstreet. See krebsonsecurity.com. Krebs’ investigation makes it crystal clear that we shouldn’t be relying on knowledge-based authentication (KBA) to verify an identity.
We’ve known for a long time that KBA is being beaten by the criminals, and we first wrote about it well over three years ago. See blogs.gartner.com. But at that time the compromises were not nearly as automated as they apparently are now, according to Krebs’ seven-month investigation.
We’ve also known, from talking with lots of Gartner clients, that KBA failure rates in the U.S. average 10-15%, and can go as high as 30% for some populations, e.g. those that include many individuals who are new to this country or young and therefore don’t have much public data built up on them. (For more information see our September 2012 research note G00237377, “When Knowledge-Based Authentication Fails, and What You Can Do About It”.) Most failures are good people who can’t answer the questions, while the bad guys who buy the stolen information have no problem answering them.
Our clients have been trying for a while to get around the failures of KBA by using other identity indicators and scoring information (see G00239627, “The Four Layers of Identity Proofing Lead to Stronger Identity Verification”), but weaning themselves totally away from relying on KBA for identity verification has been difficult at best, because there are no readily available alternatives that are as technically easy to use as KBA is. (Biometrics anyone??)
Still, it’s not smart to turn a blind eye to the fact that the criminals can get their hands on anyone’s KBA or identity information through the black market exchanges that Krebs writes about. Frankly, it’s another ominous sign for Obamacare, since, as I understand it, the new healthcare insurance exchanges will be using the same KBA to verify applicants for health insurance. I imagine their failure rates will approach 25-30% given the population of applicants (while the bad guys should have no trouble getting new healthcare benefits at much lower rates than they presumably have to pay now). The likely results will be chaotic and troublesome, and will no doubt fuel the fire of Obamacare opponents.
And where are the regulators in all this? In fact, ironically, the U.S. banking regulators (the FFIEC) recommended in the latest iteration of their Guidance for Internet Banking Authentication that banks use relatively costly KBA (an average of $1 an inquiry for most), based on external data from companies like LexisNexis, to verify the identities of users requesting high-risk transactions. I remember cringing when I read that recommendation. And in 2006 the FTC fined ChoicePoint (now part of Reed Elsevier, which also owns LexisNexis) for a previous breach in 2004, which only potentially affected 140,000 consumer records, a pittance by today’s standards, and ordered it to conduct ‘rigorous’ independent security audits for up to 20 years. (For more information see our research note published in September 2006, “Case Study: ChoicePoint Incident Leads to Improved Security, Others Must Follow”, G00142771.)
I know it’s tempting to turn a blind eye to Krebs’ findings and to ignore the profound implications for our most sensitive financial operations. But that’s a very bad idea that will surely catch up with those who do. It’s just a matter of time before the chickens come home to roost. The good news is that there are technical alternatives to KBA, albeit not as easy to implement.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.