Hack of data brokers highlights weakness of knowledge-based authentication

Recent revelations of data breaches at LexisNexis and other data brokers, with the stolen personal details now bought and sold on the cyber underground, show that such information is flawed as a means of authentication.

Security blogger Brian Krebs broke a story this week about a cyber underground identity theft service in the business of selling Social Security numbers, birth records, credit and background reports, and other sensitive details on millions of Americans. The potential impact of having those details compromised is massive--which is exactly why that information should not play such a crucial role in establishing or authenticating our online identities.

In his post, Krebs explains how most credit-granting organizations employ knowledge-based authentication (KBA) to decide whether an application for credit might be fraudulent. That decision rests largely on how accurately the applicant can answer questions about their own financial and consumer history--precisely the data the brokers hold, and precisely the data that was stolen.

Christopher Bailey, CTO of NuData Security, weighed in with some thoughts about the impact of the breach on the validity of KBA. "Knowledge of personal details as a means to authenticate customers has been called into question by security experts and analysts for some time. When data breaches occur, 'private knowledge' reaches the free market, weakening the authentication method--identity theft and fraud become more likely as knowledge-based authentication becomes easier to bypass."

In a nutshell, if a criminal can purchase sensitive details about you like your Social Security number and birth date, they can steal your identity. If they can acquire your credit report, which includes your complete credit history, or a background report on you, then they're armed with virtually everything they could possibly need to open accounts in your name and destroy your credit reputation. 

"Simply replacing knowledge-based authentication is not a solution. Firms must adopt a multi-layered approach to identification and fraud detection," says Bailey. He adds, "Possible solutions range from biometric login methods for authentication to behavior-piercing technology to flag in-session identity theft and anomalous behavior. One thing is clear--a single-layered approach is long obsolete and firms must adopt multiple layers of protection."

The same logic applies well below the credit-granting market. Personal details serve as verification questions for a wide range of sites and services, from password resets to account recovery. The bottom line is that information is a commodity. It can be learned. It can be researched. It can be inferred or guessed. It can be breached. One way or another, crucial information can fall into the wrong hands, and once it has, the verifier cannot tell the real person from someone holding a copy of the same file. That makes relying on knowledge--or at least relying on knowledge alone--a fundamentally flawed method for authenticating an individual.

A biometric control like a fingerprint is at least somewhat harder to acquire, but even that should not be relied on by itself; unlike a password, a biometric cannot be reissued once it has been copied. The better approach is to require two-factor authentication--combining knowledge with something the attacker cannot buy in a data dump, such as a biometric or a possession factor like a one-time code from a device the user holds--so that a stolen file alone is not enough to steal an identity.
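To make the argument concrete, here is an added illustration of the KBA check described above and of a layered check that adds a possession factor. This is example code, not code from the article or from NuData Security: the consumer record, the question set and the account names are constructed, the TOTP key is the RFC 6238 test key, and the verifier is assumed to score the applicant's answers against the same broker-supplied record the fraudster bought.

```python
"""Why KBA collapses once the data is for sale, and what a second,
non-knowledge factor adds. Example code; record contents, question set
and names are constructed for illustration."""
import hashlib
import hmac
import struct

# Constructed consumer record, standing in for the credit/background data a
# broker holds. After the breach, the fraudster holds an identical copy, so it
# is both the verifier's answer key and the attacker's crib.
CONSUMER_RECORD = {
    "ssn_last4": "6789",
    "dob": "1980-04-12",
    "prior_street": "14 Elm St",
    "auto_lender": "Example Auto Finance",
    "mortgage_payment": "1450",
}

# Hypothetical KBA question set: each item names the record field it tests.
KBA_QUESTIONS = ["ssn_last4", "dob", "prior_street", "auto_lender", "mortgage_payment"]


def kba_check(record, answers, min_correct=4):
    """Knowledge factor only: pass if enough answers match the record.
    Returns (passed, number_correct)."""
    correct = sum(
        1 for q in KBA_QUESTIONS
        if answers.get(q, "").strip().lower() == record[q].lower()
    )
    return correct >= min_correct, correct


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 (the usual authenticator-app default)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def layered_check(record, answers, otp, secret, now):
    """Knowledge factor plus a possession factor. The OTP derives from a secret
    the broker never held, so a purchased file cannot produce it.
    (A real deployment would also accept the adjacent time steps.)"""
    kba_ok, _ = kba_check(record, answers)
    otp_ok = hmac.compare_digest(totp(secret, now), otp)
    return kba_ok and otp_ok


def simulate(now=59):
    """Legitimate applicant vs. fraudster holding the breached record."""
    # Enrolled only in the user's authenticator app (RFC 6238 test key).
    secret = b"12345678901234567890"
    legit_answers = dict(CONSUMER_RECORD)
    stolen_answers = dict(CONSUMER_RECORD)  # bought from the underground service
    return {
        "kba_legit": kba_check(CONSUMER_RECORD, legit_answers)[0],
        "kba_fraud": kba_check(CONSUMER_RECORD, stolen_answers)[0],
        "layered_legit": layered_check(
            CONSUMER_RECORD, legit_answers, totp(secret, now), secret, now),
        "layered_fraud": layered_check(
            CONSUMER_RECORD, stolen_answers, "000000", secret, now),
    }


if __name__ == "__main__":
    print(simulate())
```

The KBA step accepts the fraudster exactly as readily as the real applicant, because both are reading from the same file; only the possession factor separates them. The point is not that TOTP is the right second layer for credit applications, but that whatever is added must not be derivable from data a broker could lose.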
