Security checks that rely on PII put businesses and consumers at risk

May 28, 2015

The use of easily obtained personal information as a security check is a major security risk, a notion proven recently by a breach at the IRS


The problem of using personal information as a security check has existed for more than a decade, but as the Internet grows and personal data becomes more easily accessible, should such information remain a key security resource?

On Tuesday, the IRS disclosed a data breach affecting 100,000 taxpayers, but the larger issue is that the compromised records were protected by information that’s easily obtained by criminals or anyone else who knows what they’re looking for. Yet, the IRS isn’t alone when it comes to using PII (Personally Identifiable Information) as a security check.

Scott Webb, a Salted Hash reader, recently shared his own personal experiences with the antiquated security practice of using PII as a security check, but he wasn’t dealing with the IRS – he was dealing with two banks: Wells Fargo and Delta Community Credit Union (DCCU).

At DCCU, Webb needed help completing an account-to-account (A2A) wire transfer, and the tools available online were buggy. He called customer support to get help with the transaction, but in order to confirm his identity, the support agent asked for the last four digits of his Social Security Number, current address, phone number, and DCCU member number.

Three of the four items are public record in most cases, and the fourth – arguably the most secure of the required verification checks – can be obtained via social engineering.

Later, when he called DCCU to discuss a deposit hold, once more he was required to confirm his name, date of birth, address, and Social Security Number. Again, the PII used as a security check is easily obtained with public records search.

“Yesterday I called them to initiate a wire transfer, a big one. After being asked the same authentication questions (i.e. name, address, last four of SSN) I was transferred to the wire department. The representative asked me the same questions again and then said she needed me to provide an additional level of security. She asked for my debit card number, and after confirming the number, executed the wire transfer,” Webb explained via email.

If anything, Webb’s example highlights the fact that the process needed to empty a customer’s account isn’t that challenging for a focused criminal after money.

It’s true the customer wouldn’t be held responsible for the criminal’s actions, but the recovery process can be stressful and long – leaving some without access to money to cover essentials.

Asked for comment, DCCU said they couldn’t discuss specific member issues or the Credit Union’s security procedures “because of their sensitivity.”

“Please know member privacy and account security are our top priorities. We adhere to industry standards in safeguarding our members’ personal information and protecting their financial interests. We always welcome member feedback and continuously update our programs and practices to incorporate new tools and technologies.”

At Wells Fargo, the problems were almost identical, but at least wire transfers could not be completed via phone.

“Challenge-response questions based on facts about an individual’s life are only effective as a method of authentication if the information is known to only a few people (preferably just the two in the conversation),” said Geoff Webb, VP of Product Marketing and Solutions Strategy at Micro Focus.

“However, every time that same set of information gets used (e.g. mother’s maiden name, favorite teacher, first pet, etc.) the effectiveness of that information degrades. It’s known by more and more people, so it becomes less and less secure. To a degree, we are simply running out of questions that make sense to ask.”

During one call with Wells Fargo, the questions asked of Webb included details about a former employer, the state that issued his Social Security Number, and when he purchased his house.

Of the 28 PII-based security questions asked by the bank, only one stood out to him as a decent question: “Which of the following four people have lived with you in the past 5 years?”

But even that question isn’t exactly secure, because depending on the options provided, the answer could easily appear on Facebook. One support agent remarked that the security questions were rotated on a regular basis. However, after several calls, on multiple days, Webb never encountered any variation.

Wells Fargo refused to answer a number of questions directed at its policy of using easily obtained PII as security checks, as well as why the questions were not rotated as its support staff claimed. Instead, the bank sent the following statement in regard to Webb’s concerns:

“We understand that customers are curious about how we verify their identity. Security questions are one of the many tools we rely on to authenticate our customers. We are unable to provide further detail about our fraud prevention measures, as doing so would jeopardize their effectiveness.”

The problem is that Webb’s concerns weren’t curiosity; the concerns were based on the desire to protect his investment accounts. Instead, the statement dismisses them outright.

“Ideally companies like banks and retail should almost entirely abandon what is called ‘out of wallet’ type questions. For example, questions that someone would know if they had access to your wallet or publicly known questions,” remarked Robert Hansen, VP of WhiteHat Labs at WhiteHat Security when asked for an opinion.

“Instead they should be asking things that they know and you know but an adversary wouldn’t know. For instance, a bank could ask, ‘Three weeks ago you had a withdrawal of $300 – can you tell us which ATM you used?’ or ‘Can you tell how much your mortgage payment this month was?’ or similar questions.”
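The approach Hansen describes, written up here as an added illustration rather than code from either bank or from WhiteHat: a challenge built from the customer’s own transaction history, plus a policy that refuses to let out-of-wallet facts alone authorize a wire transfer. The ledger, ATM names and factor labels are constructed for the example.

```python
"""History-based verification: ask what the bank and the customer both know
but a public-records search will not reveal. All sample data is constructed."""
from datetime import date, timedelta
import random

# Factors the article describes as public record, social-engineerable, or
# literally in the wallet (debit card number).
OUT_OF_WALLET = {"name", "address", "phone", "dob", "ssn_last4",
                 "member_number", "debit_card_number"}

# Constructed transaction history for one member (not real account data).
LEDGER = [
    {"date": date(2015, 5, 7), "kind": "atm_withdrawal", "amount": 300, "where": "Oak St ATM"},
    {"date": date(2015, 5, 1), "kind": "mortgage_payment", "amount": 1450, "where": None},
    {"date": date(2015, 4, 20), "kind": "atm_withdrawal", "amount": 60, "where": "Airport ATM"},
]
ALL_ATMS = ["Oak St ATM", "Airport ATM", "Mall ATM", "Station ATM"]  # constructed


def build_atm_challenge(ledger, today_iso, seed=None, window_days=30):
    """Take the most recent ATM withdrawal inside the window and ask which
    ATM it came from, mixed with three distractors. None if nothing recent."""
    today = date.fromisoformat(today_iso)
    rng = random.Random(seed)
    recent = [t for t in ledger if t["kind"] == "atm_withdrawal"
              and today - t["date"] <= timedelta(days=window_days)]
    if not recent:
        return None
    t = max(recent, key=lambda x: x["date"])
    options = rng.sample([a for a in ALL_ATMS if a != t["where"]], 3) + [t["where"]]
    rng.shuffle(options)
    days_ago = (today - t["date"]).days
    return {"question": f"{days_ago} days ago you withdrew ${t['amount']} at an ATM. Which one?",
            "options": options, "answer": t["where"]}


def verify(challenge, given):
    """Exact match against the server-side answer; the answer is never sent out."""
    return given.strip() == challenge["answer"]


def factors_sufficient(action, factors):
    """Policy: for high-risk actions, at least one factor must come from
    outside the out-of-wallet set (history question, one-time code, etc.)."""
    strong = set(factors) - OUT_OF_WALLET
    if action in {"wire_transfer", "address_change"}:
        return bool(strong)
    return bool(factors)
```

The "three weeks ago, $300 withdrawal" question from Hansen’s quote falls out of the ledger directly, and the policy check models why the debit card number in Webb’s call added no real security for a wire transfer.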

The use of PII as a security check has to end; it isn’t secure and can lead to a number of problems – both for the organization using the outdated protocols and for the consumers victimized because of them.

Yet, consumers as a whole demand easy and quick access to products and services, and require that their experience with the bank or other organization be a pleasant one. When it comes to picking between customer experience and security, the customer wins each and every time. That’s the tradeoff.

While PII is a flawed method of security, it’s an easy one for consumers to understand and use, which ultimately improves their experience. It isn’t pretty, but PII creates a balance between experience and security, and it worked well for many years – but now that balance is gone. The risk is too high in some cases, and consumers are starting to get fed up with the number of times their information has been exposed.

So the task organizations face in the coming years will be to break consumers out of the habit of expecting and using PII as a security check and move them on to something else.

The use of multi-factor authentication, one-time pass codes, and biometrics (thanks to Apple) has put stronger security options into the hands of the masses, but adoption is still slow.

Until this situation changes, the last four digits of a person’s Social Security Number, their mother’s maiden name, and their favorite author will be the keys to their digital kingdom.