Breaching the Front Door: Getting through Knowledge Based Authentication
News about data breaches and hacking attempts never seems to stop. The latest is a successful social engineering attempt against the British billing service WHMCS. Thousands of customer passwords and credit card details have been exposed online as a result of the attack.
Interestingly, this wasn’t really a hack. The attackers got into the system under the credentials of the platform’s lead developer, Matt Pugh. The attackers, from the group UGNazi, had provided correct answers to identity verification questions. From there they were able to obtain administrator credentials from the company’s hosting provider and walk through the front door.
When it comes to proving someone is who they say they are, the data matters. If the identity verification questions are secrets that the user is sharing with you, they may have also told Facebook. If it is a behavior-based secret, it may be predictable to others, or you may not know enough about the user to rely on it.
As Mr. Pugh stated on the company blog, “The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions, and thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details. This means that there was no actual hacking of our server. They were ultimately given the access details.”
Augmenting your Knowledge Based Authentication with a trusted provider of data is a good solution, but only if it actually increases security. Some data sources are too basic, or too overused, to provide the kinds of questions that only the actual person would know the answer to. On the other hand, some questions are too obtrusive or too difficult to answer – even for the real person. The context of the questions also matters. The depth of questioning used with a new applicant coming to a service for the first time is often inappropriate for a returning user. However, as the hosting service for WHMCS found, some questions are just too simplistic no matter what the context is.
Here’s a look at a few different approaches to the data that goes into assuring an identity.
Data Aggregator – Data aggregators purchase basic information from credit bureaus and gather together public data about individuals. They are good at providing low assurance identity solutions for a broad base of the population. If protecting your resources, including personally identifiable information (PII) or personal health information (PHI), is critical to your enterprise, questions and answers that cover true secrets are required. True secrets are not like the information sold to an aggregator when they claim access to “credit data.” The data they own is akin to public records that can be found with a web search, and addresses or relationships that can be found on Facebook. True secrets are in tradeline, income, employment, and utility account history — reliable sources that produce questions whose answers are tough for fraudsters to find.
Credit Bureau – Credit bureaus have traditionally been the gold standard for high assurance knowledge based authentication. By being a record keeper for all credit decisions, credit bureaus are “cloaked in the common good,” forced to meet an accuracy standard well above the rest of the data being collected today. This accuracy has given them the ability to be uncommonly certain of a credit-leveraging identity. However, today services are being offered through online portals to client bases beyond the credit-leveraging public, undermining the usefulness of the credit file. If the credit bureau only asks credit questions, it can’t verify the 25% of U.S. households, close to 30 million people, who are either unbanked or underbanked, and must resort to lower assurance methods.
Neither – Some organizations choose to have their internal IT department or a third-party analytics company build a Knowledge Based Authentication process from a data set of the company’s choosing. This runs into many problems concerning the accuracy and reliability of the data as well as the completeness of the questions asked. Credit bureaus know their own data, and aggregators work hard to find reliable sources within their murky asset pool; completely agnostic analysts may know the science but will have trouble with the “art” of identity.
Both – The best option is to find a provider who has the breadth of a data aggregator with the quality, accuracy, and depth of a credit bureau. This mix is really the only approach to create complete and secure knowledge based authentication. It gives you the most flexibility to authenticate identities across a broad range of people, especially important for services offered to vast populations, or users outside the standard banking community. Questions and answers composed from deep data sources are also the most secure way to protect administrators with extensive access, and resources that include PII, PHI, and financial records.
If you want to talk to the only provider of both, let us know.