Archive for October, 2013

From an IT context, Authentication is the process by which you prove that you are you when trying to login to a system. It can be accomplished by providing something you:

  • know (a password or PIN)
  • have (smart card or security token)
  • are (a biometric reading such as a fingerprint or iris image)

The vast majority of systems rely on the first option — knowledge-based authentication (KBA) — because it’s easier to implement and is presumed to be cheaper. The ease of implementation is pretty obvious since it only takes a few lines of code to ask someone for a password and compare it to what you already have registered for that user in the data base. The assumption on the cost part is more dubious when you take into account the often hidden cost of having to support users with help desk agents to reset passwords at roughly $25 a pop, not to mention the cost of trying to recover from a breach when passwords have been harvested through an attack on the infrastructure or simply guessed by an attacker due to trivial choices by the user.

In an effort to avoid the cost of acquiring and rolling out hardware readers that are typically needed for the other two options, many organizations have taken to doubling down on KBA approaches by asking users to answer additional questions that, presumably, only they would know the answer to. The problem is that most of these questions are poorly chosen and are often not very private in nature (e.g. mother’s maiden name, high school mascot, etc.).

Systems that do a better job by actually digging into your past and asking you to, for instance, identify which of the following addresses are ones that you have lived at and who were the co-signers on the mortgages are a little harder for the bad guys but not impossible since much of that information exists in online public records.

Worse still is news this week that some of these data bases containing this sort of “private” information about you that can be used by credit bureaus and others to establish your identity has been breached.  A reports that:

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.

The Web site ssndob[dot]ms (hereafter referred to simply as SSNDOB) has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident. Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks. Customers pay for their subscriptions using largely unregulated and anonymous virtual currencies, such as Bitcoin and WebMoney.

The article goes on to say that compromised data came from systems at Lexis-Nexis, Dun & Bradstreet and Kroll Background America. Assuming this information really is circulating on the Internet it becomes clear that it can’t be relied upon for authentication because it’s no longer something that only the user in question would know — yet another nail in the coffin of KBA systems for anything other than low security applications.

Never mind what the NSA may or may not know about you or Google or Facebook or Apple or any of the other thousands of companies that track us and leverage the power of “Big Data” to try to know us even better than we know ourselves in order to sell us things we didn’t even know we wanted. The real risk of having all your secrets no longer be yours or secret is that now a bad guy can convince your bank, your mortgage company, your stock broker, etc., that he is you because he knows the info that supposedly only you know. Only it just isn’t so…