Gartner Blog Network

The little known secret of knowledge based authentication and why it fails so often

by Avivah Litan  |  June 17, 2010  |  3 Comments

Banks and other companies who rely on knowledge based authentication – the process that asks users ‘secret’ questions that only the legitimate can presumably answer – are in a quandry because fraudsters are answering those questions successfully all too many times. These are those questions where you have to scratch your head and jog your memory, i.e. what was that first car you drove, what year was your mother in fact born (she didn’t like to talk about it), which back-end financial services company now owns your loan etc. etc.

I have had a hard time figuring out how so many crooks have been so easily able to answer these questions successfully, when even the legitimate users have such a tough time remembering the right answers to them.

Last week, I learned the answer at a conference on fraud.  It’s not rocket science. The crooks aren’t phishing the end-users for the questions/answers and they aren’t sitting there with software in a user’s browser ready to pounce and capture the knowledge based authentication question/answer session when it is invoked by a bank or other service provider.

What the crooks are doing is spear-phishing employees who work at the public data aggregators that provide the original data and knowledge based authentication systems used to authenticate users. They simply get access to these employees accounts and get the keys to the data treasures. They can look up anything that is known about any of us, and armed with that information they can bypass most knowledge based authentication systems and processes based on external data from public data aggregators and the credit bureaus.

It’s a very serious problem that deserves a serious solution.   It will be solved but it will take time. In the meantime, service providers cannot count on the veracity and reliability of the process to indeed authenticate the ‘right’ and legitimate individual.

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research


Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection. Read Full Bio

Thoughts on The little known secret of knowledge based authentication and why it fails so often

  1. I have no doubt that this can and, based on what you report, has happened. But to redirect attention away from user-targeted phishing, man-in-the-middle, or guessing attacks goes against my instincts.

    I assume you would have shared statistics if they had been shared with you, but my experience has been that the three attacks I cite are a more frequent threat than a hacked service provider. Especially when (again, in my experience) most organizations using knowledge based authentication are relying on home-grown solutions with no service provider involved.

    Can you provide more insight regarding why you’re now convinced this is such a widespread problem?

  2. Ajay Solanki says:

    Get real we are in the computer age, knowledge based authentication often fails and falls to fraudster as the knowledge element is completed missed out. In the event of remember secret question we as human tend to put in simple questions like which was my first school and the challenge with this line of questioning is anyone can pull the 10 most common questions used as secret question.
    We are anyways not in the star wars era where i can use a different nature of knowledge a dna strand analyzing device.
    Its time where knowledge based authentication use a different type of knowledge to ensure that fraudster dont get in the way and at the same not complicate things too much. Probably another business opportunity.

  3. Robert Lee says:

    \Something you know\ is only valid for authentication if it is a shared secret. When it’s not a secret, it’s useless.

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.