Why Knowledge Based Authentication Is Useless
Knowledge Based Authentication – using information that only you know – used to be a very popular method for validating that you are you. Examples of this are when a customer service agent asks you for your birth date, last four of your social or where you were born. The credit bureaus even sell that as a service to banks and other businesses, which is why, when you call in to your bank, they might ask you extra “security” questions like “you bought a car in 2011; was it a Dodge RAM, Toyota Four Runner, Ford Explorer or Hyundai Sonata”.
To illustrate the uselessness of this charade, the IRS used knowledge based authentication, or KBA, to make sure that the 100,000 tax returns that hackers got earlier this year only went to the owner. Guess that didn’t work so well.
One purpose of many of the breaches – including, possibly, the OPM and Anthem breaches – is for the hacker community to be able to build massive databases about you so that they can easily and comfortably evade KBA based security. Based on the breaches of 2014 alone, hackers have a lot of information on 200 million Americans.
Assuming you are not a Chinese hacker with access to this massive database, most of the KBA questions can be answered with some effort using information services such as Zillow, Spokeo and even Google.
The IRS tells us that only 100,000 out of 200,000 attempts to steal tax returns were successful. Maybe my memory is failing me, but a 50% score in school was an “F”.
One thing you can do to make this way more difficult for the hackers is to lie. This doesn’t work for organizations buying data from the credit bureaus, because they think they know the right answer, but it does work, quite well, for web sites asking for password reset questions.
If the web site asks “In what city did your parents meet” and the answer is Chicago, you could answer Minneapolis. Better yet, you could answer Ford Explorer. YOU MUST SAVE THE ANSWERS IN YOUR PASSWORD SAFE, otherwise you will drive yourself crazy. If two sites ask that question, you could answer one site “dog biscuit” and the other site “raisins”. Remember, all these sites are doing is matching strings, so they don’t really care what the answer is. Even if you always answer that question “kitchen”, you are making it a LITTLE BIT harder for the hackers.
In this case, being as inconsistent and obtuse as possible is not only fun (if you choose to make it so), but also a lot more secure.
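As an added illustration (not code from the original post): the site’s check is just a string comparison, so a meaningless answer saved in your password safe passes the check exactly as a true one would, while giving an attacker far more possibilities to guess than a real city name. The word list and the server-side check below are constructed and hypothetical.

```python
import hashlib
import math
import secrets

# Constructed mini word list standing in for a password safe's passphrase
# generator (a real tool would use a large Diceware-style list).
WORDS = ["raisin", "biscuit", "explorer", "kitchen", "sonata", "granite",
         "marble", "cactus", "violet", "harbor", "copper", "falcon"]


def random_answer(n_words: int = 3, words=WORDS) -> str:
    """A meaningless answer to store in the password safe, one per site and question."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def guess_space_bits(n_choices: int, n_words: int = 1) -> float:
    """Bits an attacker faces when the answer is one of n_choices^n_words equally likely values.
    A 'city where your parents met' drawn from a few hundred plausible cities is under 10 bits;
    three words from a 7776-word list is about 39 bits."""
    return n_words * math.log2(n_choices)


def normalize(answer: str) -> str:
    """Typical site-side canonicalisation: the comparison ignores case and extra spaces."""
    return " ".join(answer.strip().lower().split())


def enroll(answer: str) -> tuple[bytes, bytes]:
    """Hypothetical server side: store the answer hashed like a password, never in clear text."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)
    return salt, digest


def verify(answer: str, salt: bytes, digest: bytes) -> bool:
    """The only thing the site does at reset time: recompute and compare the strings."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)
    return secrets.compare_digest(candidate, digest)


if __name__ == "__main__":
    saved = random_answer()  # this is what goes into the password safe
    salt, digest = enroll(saved)
    print(saved, verify(saved, salt, digest))
    print(f"city guess: {guess_space_bits(300):.1f} bits, "
          f"3 random words: {guess_space_bits(7776, 3):.1f} bits")
```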
Information for this post came from Federal Computer Weekly.