Expert: Time to stop relying on PII for authentication

Maria Korolov | June 16, 2015
Last week, the IRS released an updated damage estimate of the hack of the tax transcript request website -- cyberthieves used the transcripts to file fraudulent returns in order to get their hands on as much as $39 million in tax refunds.

"And they will say, 'This is a computer we've never seen you on,' and then ask for additional authentication," she said. "I hope that it will become more prevalent."

There are a lot of companies looking to make biometrics easy and reliable, Ranganathan said, though, so far, only fingerprint scanners have reached any significant penetration.

"But there's a lot of research and investment going into it," she said.

Vendors are working on a number of different approaches, including voice, face and handwriting recognition, palm prints and ear prints, and iris and retina scans.

Of course, it is possible for hackers to steal biometric information, as well. And while a user can be issued a new password, issuing a new eyeball is more difficult.

It will be important to keep biometric data secure, she said. However, if one particular biometric reading is compromised, a different device will probably read the same feature in a different way, and there are many different biometric measurements that could be taken.

Secure biometric identification, especially when used in combination with another factor, can be extremely effective, she said.

"I hope that it will soon become the norm," she said.

By itself, email is not the most secure channel, but it can be used in combination with other mechanisms to confirm identity or to allow a user to review particular transactions.

In addition, emails can be used to instruct users to log into their accounts or other secure online spaces to receive documents or confirm transactions.

When the IRS transcript system was compromised, the agency turned off the online functionality -- but left available the option for users to request a mailed copy of the transcript.

The document would be mailed to the address the IRS already had on file.

And while identity thieves do occasionally stake out mailboxes and steal mail, this approach is not likely to scale to any degree.

Other organizations might also consider going back to traditional mail for the most critical but not time-sensitive authentication requirements.

"In some cases, it would probably be OK to do that," she said. "But I haven't seen mail make much of a comeback."

The bottom line, Ranganathan said, is to use multiple authentication methods, and to add different types of mechanisms as security requires.

 
