
The little known secret of knowledge based authentication and why it fails so often

By Avivah Litan | June 17, 2010 | 3 Comments

Banks and other companies that rely on knowledge based authentication – the process that asks users ‘secret’ questions that presumably only the legitimate person can answer – are in a quandary, because fraudsters are answering those questions successfully all too often. These are the questions that make you scratch your head and jog your memory: what was the first car you drove, what year was your mother actually born (she didn’t like to talk about it), which back-end financial services company now owns your loan, and so on.

I have had a hard time figuring out how so many crooks have so easily been able to answer these questions correctly, when even legitimate users have such a tough time remembering the right answers.

Last week, at a conference on fraud, I learned the answer. It’s not rocket science. The crooks aren’t phishing end users for the questions and answers, and they aren’t sitting with software in a user’s browser waiting to capture the knowledge based authentication question/answer session when a bank or other service provider invokes it.

What the crooks are doing is spear-phishing employees who work at the public data aggregators that supply the underlying data for the knowledge based authentication systems used to authenticate users. They simply take over those employees’ accounts and get the keys to the data treasures. They can look up anything that is known about any of us, and armed with that information they can bypass most knowledge based authentication systems and processes that draw on external data from public data aggregators and the credit bureaus. The weak point is that the ‘secret’ answer was never a secret shared only between the user and the service provider; it is a fact held by third parties, so whoever can read the aggregator’s records can answer the question as well as the legitimate user can.

It’s a very serious problem that deserves a serious solution. It will be solved, but it will take time. In the meantime, service providers cannot count on the reliability of the process to authenticate the ‘right’, legitimate individual.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.



  • I have no doubt that this can and, based on what you report, has happened. But to redirect attention away from user-targeted phishing, man-in-the-middle, or guessing attacks goes against my instincts.

    I assume you would have shared statistics if they had been shared with you, but my experience has been that the three attacks I cite are a more frequent threat than a hacked service provider. Especially when (again, in my experience) most organizations using knowledge based authentication are relying on home-grown solutions with no service provider involved.

    Can you provide more insight regarding why you’re now convinced this is such a widespread problem?

  • Ajay Solanki says:

    Get real, we are in the computer age; knowledge based authentication often fails and falls to fraudsters as the knowledge element is completely missed out. In the event of remembering a secret question, we as humans tend to put in simple questions like “which was my first school”, and the challenge with this line of questioning is that anyone can pull the 10 most common questions used as secret questions.
    We are anyway not in the Star Wars era where I can use a different nature of knowledge, a DNA strand analyzing device.
    It’s time knowledge based authentication used a different type of knowledge to ensure that fraudsters don’t get in the way and at the same time not complicate things too much. Probably another business opportunity.

  • Robert Lee says:

    “Something you know” is only valid for authentication if it is a shared secret. When it’s not a secret, it’s useless.