Just as we predicted (actually it didn’t take a rocket scientist to predict this), KBA (knowledge-based authentication, or secret questions based on life history to validate an identity) has been a flop on the Obamacare exchange websites, adding insult to injury. The topic even made its way to the human interest story on the front page of today’s Wall Street Journal, which documented how Americans needing health care insurance couldn’t satisfactorily answer the secret life history questions needed to pass the electronic application process. After all, who can remember the color of your first bicycle when you can’t even remember what you did two weeks ago, recounts an interviewee in the article.
KBA is on life support. It was already ineffective and now everyone knows it’s been compromised systematically by some of the most organized criminal gangs around. (See blogs.gartner.com and krebsonsecurity.com and krebsonsecurity.com)
Experian, LexisNexis, Kroll, Dun & Bradstreet and other breached data brokers must be furiously trying to dig themselves out of this hole. Frankly, I feel for them because securing the food chain of clients that have access to this sensitive data is a very tall task. And securing the systems against advanced threats is an equally tall task.
But at a minimum, they may want to stop selling identity theft protection services to consumers. It seems to be a conflict of interest, don’t you think?
As for the government and the healthcare exchanges, all they had to do was ask around and they could have easily avoided this latest disaster.