LexisNexis, Dun & Bradstreet and Kroll Background America hacks raise more doubt on the effectiveness of knowledge-based authentication

The reported hack of major consumer and business data aggregators has intensified doubts about the reliability of knowledge-based authentication widely used in the financial services industry, analysts say.

The computer systems of LexisNexis, Dun & Bradstreet and Kroll Background America were hacked by an underground identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans, Brian Krebs, a former Washington Post reporter and author of the KrebsOnSecurity blog, reported on Wednesday. Krebs uncovered the hack following a seven-month investigation of the criminal site ssndob[dot]ms.

The hack is significant because of the wealth of personally identifiable information (PII) collected by the three companies. LexisNexis operates one of the largest electronic databases for legal and public-records information. Dun & Bradstreet licenses information on businesses and corporations for use in credit decisions, and Kroll provides information to companies for employment and drug and health screening. The amount of data stolen was not known; however, ssndob files uncovered by Krebs indicated the service had access to the companies’ computer systems for three to six months.

“This is a very serious breach and is much more significant than the mass credit card breaches we have been hearing about over the past few years,” Avivah Litan, an analyst with Gartner, told CSOonline.

While banks usually cover losses from credit-card fraud, the damage caused by crooks using people’s PII is not so easily fixed.
To authenticate people applying for credit, loans, mortgages and other financial services, banks ask questions based on information in records compiled by data brokers. The latest breaches raise more doubt about the effectiveness of so-called knowledge-based authentication (KBA), which banks already knew was becoming less reliable.

“This breach will definitely and seriously undermine trust in KBA among financial services companies who understand the implications and have to deal with them every day,” Litan said. “The banks already knew KBA was broken in part, and now they will be incented to move much more quickly into alternatives.”

Indeed, financial institutions will have to move beyond using a single source of information on loan applicants. “This marks the beginning of an era in which identity proofing, verification and vetting information will have to be sourced from multiple sources and providers,” said Andras Cser, an analyst for Forrester Research.

In a study released a year ago, Gartner said its clients reported an average failure rate of 10% to 15% on KBA that relied on public data, such as credit bureau or driver’s license records. Fraud contributed to the failure rate, along with wrong information or people forgetting the answers to questions. To better protect against fraud, Gartner recommends a “layered approach” to identity proofing that includes several verification methods, including the use of internal information, which has proven more reliable than data gathered by aggregators of public records.

For websites that use KBA for people who have forgotten passwords, Cser recommended also using technology that can identify the accessing device and link it to the customer. Vendors include iovation, ThreatMetrix and 41st Parameter, he said. Other alternative authentication services include those that specialize in vetting customer-provided data in loan and credit applications and online registration, Cser said.
Service providers include ID Analytics.
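As an added illustration (not from the article, Gartner, Forrester or any vendor named above), the following Python sketch models the layered approach the analysts describe: a KBA pass built on public-record questions is treated as one weak signal, and approval also requires a device already linked to the customer and a match against the bank's own records. Signal names, the 0.75 pass ratio and the two scenarios are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    APPROVE = "approve"
    STEP_UP = "step_up"  # hold for an out-of-band factor before proceeding
    DENY = "deny"

@dataclass(frozen=True)
class ProofingSignals:
    """Per-request signals; field names are assumptions, not a vendor schema."""
    kba_correct: int      # public-record KBA answers correct
    kba_total: int        # questions asked
    device_known: bool    # device identifier previously linked to this customer
    internal_match: bool  # applicant data agrees with the bank's own records

def kba_passes(s: ProofingSignals, pass_ratio: float = 0.75) -> bool:
    """Traditional KBA: enough correct answers and you are in."""
    return s.kba_total > 0 and s.kba_correct / s.kba_total >= pass_ratio

def kba_only_decision(s: ProofingSignals) -> Decision:
    """Pre-breach model: KBA alone decides; nothing else is consulted."""
    return Decision.APPROVE if kba_passes(s) else Decision.DENY

def layered_decision(s: ProofingSignals) -> Decision:
    """Layered proofing: KBA is one signal and never approves on its own,
    because its answers may have been bought from a breached aggregator."""
    if kba_passes(s) and s.device_known and s.internal_match:
        return Decision.APPROVE
    if not (kba_passes(s) or s.device_known or s.internal_match):
        return Decision.DENY
    # Mixed evidence (perfect KBA from an unknown device, or a known customer
    # who forgot an answer) routes to step-up instead of a hard yes or no.
    return Decision.STEP_UP

# Constructed scenarios. A criminal holding the victim's aggregator file answers
# every question, but from a device the bank has never seen and with no internal match.
ATTACKER_WITH_STOLEN_PII = ProofingSignals(4, 4, device_known=False, internal_match=False)
# Returning customer on a recognised device who forgets one answer (one cause of
# the 10%-15% KBA failure rate the article cites).
FORGETFUL_CUSTOMER = ProofingSignals(3, 4, device_known=True, internal_match=True)

def compare(s: ProofingSignals) -> tuple:
    """Return (KBA-only decision, layered decision) for the same request."""
    return kba_only_decision(s), layered_decision(s)

if __name__ == "__main__":
    for name, s in (("attacker", ATTACKER_WITH_STOLEN_PII), ("customer", FORGETFUL_CUSTOMER)):
        print(name, *(d.value for d in compare(s)))
```

Run as a script, it shows the point of the article in two lines: the holder of stolen PII is approved by KBA alone but only stepped up under the layered policy, while the legitimate customer is approved by both.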