Security blogger/researcher Brian Krebs broke a story recently about a cyber underground identity theft service in the business of selling Social Security numbers, birth records, credit and background reports, and other pertinent, sensitive details of millions of Americans. The potential impact of having those details compromised is massive, which is why that information shouldn’t play such a crucial role in establishing or authenticating our online identities.
Krebs explains how most credit-granting organizations employ knowledge-based authentication (KBA) as a means of determining whether or not an application for credit might be fraudulent. That determination is based largely on how accurately the applicant can answer questions about their own financial and consumer history. Christopher Bailey of NuData Security said, “Knowledge of personal details as a means to authenticate customers has been questioned by security experts and analysts for some time. When data breaches occur, ‘private knowledge’ reaches the free market, weakening the authentication method; identity theft and fraud become more likely as knowledge-based authentication becomes easier to bypass.”
If criminals can acquire your credit report, which includes your complete credit history, or a background report on you, then they’re armed with virtually everything they could possibly need to open accounts in your name and destroy your credit reputation.
“Simply replacing knowledge-based authentication is not a solution. Firms must adopt a multi-layered approach to identification and fraud detection,” says Bailey. The best approach is to require two-factor authentication, possibly combining knowledge and biometrics, so that it’s not so easy to steal an identity.