Security checks that rely on PII put businesses and consumers at risk

The use of easily obtained personal information as a security check is a major security risk, a notion proven recently by a breach at the IRS


The problem is that Webb's concerns weren't idle curiosity; they were driven by the desire to protect his investment accounts. Instead, the statement dismisses them outright.

"Ideally companies like banks and retail should almost entirely abandon what is called 'out of wallet' type questions. For example, questions that someone would know if they had access to your wallet or publicly known questions," remarked Robert Hansen, VP of WhiteHat Labs at WhiteHat Security when asked for an opinion.

"Instead they should be asking things that they know and you know but an adversary wouldn't know. For instance, a bank could ask, 'Three weeks ago you had a withdrawal of $300 - can you tell us which ATM you used?' or 'Can you tell how much your mortgage payment this month was?' or similar questions."
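The dynamic questions Hansen describes, as an added example that is not from the article or any bank's system: a challenge built from an account's own recent withdrawal, verified in constant time with an attempt limit, and returning nothing (so the caller must use another factor) rather than falling back to static PII when the history is too thin. The transactions, dates and ATM identifier are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
import hmac

@dataclass
class Transaction:
    day: date
    kind: str            # e.g. "atm_withdrawal", "mortgage_payment"
    amount: float
    location: str = ""   # ATM identifier for withdrawals

@dataclass
class Account:
    transactions: list
    failed_attempts: int = 0
    locked: bool = False

def build_challenge(account, today, max_age_days=30):
    """Ask which ATM served the newest withdrawal in the window; return
    (question, expected_answer), or None when history is too thin."""
    recent = [t for t in account.transactions if t.kind == "atm_withdrawal"
              and 0 <= (today - t.day).days <= max_age_days]
    if not recent:
        return None
    t = max(recent, key=lambda x: x.day)
    weeks = (today - t.day).days // 7
    question = f"{weeks} week(s) ago you withdrew ${t.amount:.2f}; which ATM did you use?"
    return question, t.location

def verify(account, expected, answer, max_attempts=3):
    """Normalise, compare in constant time, and lock after repeated misses."""
    if account.locked:
        return False
    ok = hmac.compare_digest(expected.strip().lower().encode(),
                             answer.strip().lower().encode())
    if ok:
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    account.locked = account.failed_attempts >= max_attempts
    return False

# Constructed sample data (not real customer records).
SAMPLE_TODAY = date(2015, 6, 1)
SAMPLE_ACCOUNT = Account([Transaction(date(2015, 5, 11), "atm_withdrawal", 300.0, "ATM-1234"),
                          Transaction(date(2015, 5, 1), "mortgage_payment", 1450.0)])
```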

The use of PII as a security check has to end; it isn't secure and can lead to a number of problems, both for the organization using the outdated protocols and for the consumers victimized because of them.

Yet, consumers as a whole demand easy and quick access to products and services, and require that their experience with the bank or other organization be a pleasant one. When it comes to picking between customer experience and security, the customer wins each and every time. That's the tradeoff.

While PII is a flawed method of security, it's an easy one for consumers to understand and use, which ultimately improves their experience. It isn't pretty, but PII creates a balance between experience and security, and it worked well for many years – but now that balance is gone. The risk is too high in some cases, and consumers are starting to get fed up with the number of times their information has been exposed.

So the task organizations face in the coming years will be to break consumers out of the habit of expecting and using PII as a security check and move them on to something else.

The use of multi-factor authentication, one-time pass codes, and biometrics (thanks to Apple) has put strengthened security options into the hands of the masses, but adoption is still slow.

Until this situation changes, the last four digits of a person's Social Security Number, their mother's maiden name, and their favorite author will be the keys to their digital kingdom.

Copyright © 2015 IDG Communications, Inc.
