Security checks that rely on PII put businesses and consumers at risk

The use of easily obtained personal information as a security check is a major security risk, a notion proven recently by a breach at the IRS

The problem of using personal information as a security check has existed for more than a decade, but as the Internet grows and personal data becomes more easily accessible, should such information remain a key security resource?

On Tuesday, the IRS disclosed a data breach affecting 100,000 taxpayers, but the larger issue is that the compromised records were protected by information that's easily obtained by criminals or anyone else who knows what they're looking for. Yet, the IRS isn't alone when it comes to using PII (Personally Identifiable Information) as a security check.

Scott Webb, a Salted Hash reader, recently shared his own personal experiences with the antiquated security practice of using PII as a security check, but he wasn't dealing with the IRS – he was dealing with two banks: Wells Fargo and Delta Community Credit Union (DCCU).

At DCCU, Webb needed help completing an account-to-account (A2A) wire transfer, and the tools available online were buggy. He called customer support to get help with the transaction, but in order to confirm his identity, the support agent asked for the last four digits of his Social Security Number, current address, phone number, and DCCU member number.

Three of the four items are public record in most cases, and the fourth – arguably the most secure of the required verification checks – can be obtained via social engineering.

Later, when he called DCCU to discuss a deposit hold, he was once more required to confirm his name, date of birth, address, and Social Security Number. Again, the PII used as a security check is easily obtained with a public records search.

"Yesterday I called them to initiate a wire transfer, a big one. After being asked the same authentication questions (i.e. name, address, last four of SSN) I was transferred to the wire department. The representative asked me the same questions again and then said she needed me to provide an additional level of security. She asked for my debit card number, and after confirming the number, executed the wire transfer," Webb explained via email.

If anything, Webb's example highlights the fact that the process needed to empty a customer's account isn't that challenging for a focused criminal after money.

It's true the customer wouldn't be held responsible for the criminal's actions, but the recovery process can be stressful and long – leaving some without access to money to cover essentials.

Asked for comment, DCCU said they couldn't discuss specific member issues or the Credit Union's security procedures "because of their sensitivity."

"Please know member privacy and account security are our top priorities. We adhere to industry standards in safeguarding our members' personal information and protecting their financial interests. We always welcome member feedback and continuously update our programs and practices to incorporate new tools and technologies."

At Wells Fargo, the problems were almost identical, but at least wire transfers could not be completed via phone.

"Challenge-response questions based on facts about an individual's life are only effective as a method of authentication if the information is known to only a few people (preferably just the two in the conversation)," said Geoff Webb, VP of Product Marketing and Solutions Strategy at Micro Focus.

"However, every time that same set of information gets used (e.g. mother's maiden name, favorite teacher, first pet, etc.) the effectiveness of that information degrades. It's known by more and more people, so it becomes less and less secure. To a degree, we are simply running out of questions that make sense to ask."

During one call with Wells Fargo, the questions asked of Webb included details about a former employer, the state that issued his Social Security Number, and when he purchased his house.

Of the 28 PII-based security questions asked by the bank, only one stood out to him as a decent question: "Which of the following four people have lived with you in the past 5 years?"

But even that question isn't exactly secure, because depending on the options provided, the answer could easily appear on Facebook. One support agent remarked that the security questions were rotated on a regular basis. However, after several calls, on multiple days, Webb never encountered any variation.

Wells Fargo refused to answer a number of questions directed at its policy of using easily obtained PII as security checks, or to explain why the questions were not rotated as advertised by its support staff. Instead, the bank sent the following statement regarding Webb's concerns:

"We understand that customers are curious about how we verify their identity. Security questions are one of the many tools we rely on to authenticate our customers. We are unable to provide further detail about our fraud prevention measures, as doing so would jeopardize their effectiveness."
