Expert: Time to stop relying on PII for authentication

Maria Korolov | June 16, 2015
Last week, the IRS released an updated damage estimate of the hack of the tax transcript request website -- cyberthieves used the transcripts to file fraudulent returns in order to get their hands on as much as $39 million in tax refunds.

What is more disconcerting, though, is that the hackers made 200,000 attempts at getting into the system -- and succeeded 100,000 times.

That is because the IRS was using a series of personal questions to authenticate identity. Unfortunately, these days, the hackers often know more of our personal details than we know ourselves -- does anyone actually remember the street they lived on five moves ago?

There is plenty of other evidence that cybercriminals know way too much about us. For example, when onboarding new Apple Pay users, some bank call centers use personal questions for authentication, allowing criminals to make purchases with stolen credit card numbers.

And much of this information never expires.

"While you can get a new credit card number, you are not going to get a new Social Security number or some of the other user identity sensitive data," said Richard Blech, CEO and co-founder of Secure Channels.

Meanwhile, every new breach just puts more and more data into the hands of the bad guys.

"It's time for companies and agencies that use personal information for authentication to switch to more secure methods," said Vidhya Ranganathan, senior vice president of product at security vendor Accellion.

"Two days back, my credit card company called me because I was traveling in Europe, and paid for a cup of coffee in London," she said. "They called me to confirm that it was a legitimate transaction, and that I made it."

That was a good move, she said. The fact that she had access to the phone number that was on file for her account was a pretty good indication that she was who she said she was. "But then they said, can they ask me some questions to confirm who I am? I said, 'No.' I'm very scared to give someone these kinds of personally identifiable details. What is the guarantee that the caller isn't a person who's going to get my information and use it for something else?"

It is possible for criminals to compromise mobile phones. But the odds that the same criminal gang that got their hands on her credit card number also managed to hijack her phone are low.

A phone call or text message (SMS) to the number on file would significantly improve security without relying on personally identifiable information.

Many banks have started to keep track of the computers and mobile devices that their customers typically log in from, Ranganathan said.
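The two mitigations the article describes, recognising the devices a customer usually logs in from and falling back to a one-time code sent out of band instead of personal questions, can be sketched in code. The following Python is an added example written for this article; it is not code from the IRS, Accellion, Secure Channels or any bank. It assumes a client-supplied device fingerprint string, an in-memory store of known devices, a server-side secret for hashing codes, and that delivering the code to the customer's phone happens elsewhere.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: device fingerprints a customer has logged in from
# before, stored as SHA-256 digests so the raw fingerprint is not kept.
# The fingerprint format is an assumption; the article does not describe one.
KNOWN_DEVICES = {
    "alice": {hashlib.sha256(b"macbook-chrome-113").hexdigest()},
}

# Assumed server-side key for keyed hashing of one-time codes.
# In production this would come from a secrets manager, not be generated here.
SERVER_KEY = secrets.token_bytes(32)

OTP_TTL_SECONDS = 300   # code expires after five minutes
MAX_ATTEMPTS = 3        # lock the code after a few wrong guesses


def device_is_known(user, device_fingerprint):
    """True if this device has been seen for the user before."""
    digest = hashlib.sha256(device_fingerprint.encode()).hexdigest()
    return digest in KNOWN_DEVICES.get(user, set())


def login_decision(user, device_fingerprint):
    """Risk-based step: a known device is allowed through; an unknown one
    triggers an out-of-band one-time code. No knowledge-based questions."""
    if device_is_known(user, device_fingerprint):
        return "allow"
    return "step_up_otp"


def _otp_digest(code, nonce):
    # Keyed hash of nonce + code; the server never stores the code itself.
    return hmac.new(SERVER_KEY, nonce + code.encode(), hashlib.sha256).digest()


def issue_otp(now=None):
    """Return (code, record). The code is sent to the phone on file (delivery
    is outside this example); the record is what the server keeps."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # six-digit, CSPRNG-generated
    nonce = secrets.token_bytes(16)
    record = {
        "nonce": nonce,
        "digest": _otp_digest(code, nonce),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
        "used": False,
    }
    return code, record


def verify_otp(record, submitted, now=None):
    """Check a submitted code: rejects expired, exhausted or already-used
    records, counts every attempt, and compares in constant time."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires"]:
        return False
    if record["attempts"] >= MAX_ATTEMPTS:
        return False
    record["attempts"] += 1
    ok = hmac.compare_digest(record["digest"], _otp_digest(submitted, record["nonce"]))
    if ok:
        record["used"] = True   # single use: a captured code cannot be replayed
    return ok


if __name__ == "__main__":
    print(login_decision("alice", "macbook-chrome-113"))   # allow
    print(login_decision("alice", "unknown-android"))      # step_up_otp
    code, rec = issue_otp()
    print(verify_otp(rec, code))                            # True
```

The point of the design is what is absent: the server stores no personal answers that a breach elsewhere could have leaked, the code is short-lived, single-use and rate-limited, and the comparison is constant-time so a wrong guess reveals nothing about the right one.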
