Banks and other companies who rely on knowledge based authentication – the process that asks users ‘secret’ questions that only the legitimate user can presumably answer – are in a quandary because fraudsters are answering those questions successfully all too many times. These are those questions where you have to scratch your head and jog your memory, e.g. what was that first car you drove, what year was your mother in fact born (she didn’t like to talk about it), which back-end financial services company now owns your loan, etc.
I have had a hard time figuring out how so many crooks have been so easily able to answer these questions successfully, when even the legitimate users have such a tough time remembering the right answers to them.
Last week, I learned the answer at a conference on fraud. It’s not rocket science. The crooks aren’t phishing the end-users for the questions/answers and they aren’t sitting there with software in a user’s browser ready to pounce and capture the knowledge based authentication question/answer session when it is invoked by a bank or other service provider.
What the crooks are doing is spear-phishing employees who work at the public data aggregators that provide the original data and knowledge based authentication systems used to authenticate users. They simply get access to these employees’ accounts and get the keys to the data treasures. They can look up anything that is known about any of us, and armed with that information they can bypass most knowledge based authentication systems and processes that are based on external data from public data aggregators and the credit bureaus.
It’s a very serious problem that deserves a serious solution. It will be solved but it will take time. In the meantime, service providers cannot count on the veracity and reliability of the process to indeed authenticate the ‘right’ and legitimate individual.