Experian acquisition of 41st Parameter underscores KBA weakness

Experian’s October 1 announcement that it acquired web fraud detection vendor The 41st Parameter for $324 million underscores the weakness of knowledge based authentication or KBA. Experian sells KBA to companies verifying identities of consumers conducting high-risk transactions. KBA systems are under siege and a systematic compromise of these applications was recently uncovered by security blogger Brian Krebs. See our previous blog on this as well as krebsonsecurity.com

Although Experian was not part of the uncovered botnet-based infiltration, the so called secret questions and answers used across most major KBA vendors such as Experian and LexisNexis are typically the same. As noted previously, KBA has — on average — a 10-15% failure rate which can go much higher and up to 30% in certain populations such as new immigrants or young students. Most KBA failures are legitimate individuals who can’t successfully answer the secret ‘out-of-wallet’ questions or for whom there is not enough data to ask any. At the same time, criminals who buy this information on the black market have no trouble answering them perfectly. (See our September 2012 research note G00237377 “When Knowledge-Based Authentication Fails, and What You Can Do About It”).

No doubt, Experian saw the handwriting on the wall and wanted to avert these systemic problems, especially after it won part of a $80 million contract to verify ObamaCare applicants using KBA. See bobsullivan.net By purchasing the 41st Parameter at a healthy multiple (the 41st’s 2012 revenues were just about $20 million), Experian acquires much needed technology to help screen new accounts and verify identities. The 41st Parameter pioneered the introduction of server-based device identification, which is used extensively by banks and online merchants, when it was founded in 2004. It also patented its “TDL” (time differential linking) technology that complements device identification by measuring the time differential between a server and a client device, an especially useful technique for identifying iOS mobile users where device ID is essentially useless.

Aside from device ID, the 41st has populated a database of linkages (scored for risk) across devices, email addresses, phone numbers, credit cards and other data used for ecommerce shopping, by leveraging information it already collects from its extensive ecommerce merchant base (See G00247632 ”Magic Quadrant on Web Fraud Detection”). Assuming the 41st’s customers keep this data up to date and relevant (for example by marking an attribute such as a device ID as associated with fraud), this database will be very useful for Experian when it comes to assessing the validity of an identity (see G00239627 “The Four Layers of Identity Proofing Lead to Stronger Identity Verification”). In theory it should go a long way to improving Experian’s ability to detect bad guys trying to disguise themselves as good ones, while simultaneously identifying the good ones and letting them in without too much hassle.

Of course none of these identity verification methods are foolproof – plus it’s important to note that technology from The 41st only works with online and mobile transactions and not with in-person or on-the-phone transactions.

Yesterday I heard a somewhat funny story from a banker colleague about criminals pretending to be deaf and therefore ‘forced’ to use a “Service for Handicapped individuals” to call their bank’s call center. The criminal was trying to impersonate a legitimate deaf user whose account he was trying to take over. The criminal communicated (via a keyboard) to the rep at the Handicap service, who then called the bank’s call center agent to convey his request to withdraw money from the target victim’s account. When the call center agent started trying to verify the requestor’s identity, the criminal couldn’t answer the KBA questions correctly (obviously he didn’t know how to buy the answers on the black market) so the agent would not honor his money transfer request. The fraudster then started cussing the agent out by typing messages to the Handicap service rep who then told the agent she was obligated by law to relay to the agent the four letter words being cited by her customer).

Buying The 41st won’t solve all of these identity proofing challenges, but all in all it is a good move for Experian. And of course happy days are finally here for The 41st Parameter’s shareholders who join the growing club of web fraud detection vendors earning hefty multiples by selling out to large acquiring companies. (See recent acquisitions of Silvertail Systems, Trusteer, and Versafe, all in less than a year). Let’s hope it’s a also a good move for Obamacare and Experian customers.