Expert: Time to stop relying on PII for authentication

Last week, the IRS released an updated damage estimate of the hack of the tax transcript request website -- cyberthieves used the transcripts to file fraudulent returns in order to get their hands on as much as $39 million in tax refunds.

What is more disconcerting, though, is that the hackers made 200,000 attempts at getting into the system -- and succeeded 100,000 times.

That's because the IRS was using a series of personal questions to authenticate identity. Unfortunately, these days, the hackers often know more of our personal details than we know ourselves -- does anyone actually remember the street they lived on five moves ago

[ ALSO ON CSO Deconstructing an IRS Phishing scam ]

There's plenty of other evidence that cybercriminals know way too much about us. For example, when onboarding new Apple Pay users, some bank call centers use personal questions for authentication, allowing criminals to make purchases with stolen credit card numbers.

And much of this information never expires.

"While you can get a new credit card number, you are not going to get a new Social Security number or some of the other user identity sensitive data," said Richard Blech, CEO and co-founder of Secure Channels.

Meanwhile, every new breach just puts more and more data into the hands of the bad guys.

It's time for companies and agencies that use personal information for authentication to switch to more secure methods, said Vidhya Ranganathan, senior vice president of product at security vendor Accellion.

"Two days back, my credit card company called me because I was traveling in Europe, and paid for a cup of coffee in London," she said. "They called me to confirm that it was a legitimate transaction, and that I made it."

That was a good move, she said. The fact that she had access to the phone number that was on file for her account was a pretty good indication that she was who she said she was. "But then they said, can they ask me some questions to confirm who I am I said, 'No.' I'm very scared to give someone these kinds of personally identifiable details. What is the guarantee that the caller isn't a person who's going to get my information and use it for something else"

It is possible for criminals to compromise mobile phones. But the odds that the same criminal gang that got their hands on her credit card number also managed to hijack her phone are low.

A phone call, text message, or SMS would significantly help with security without relying on personally identifiable information.

Many banks have started to keep track of the computers and mobile devices that their customers typically log in from, Ranganathan said.

"And they will say, 'This is a computer we've never seen you on,' and then ask for additional authentication," she said. "I hope that it will become more prevalent."

There are a lot of companies looking to make biometrics easy and reliable, Ranganathan said, though, so far, only fingerprint scanners have reached any significant penetration.

"But there's a lot of research and investment going into it," she said.

Vendors are working on a number of different approach, including voice, face and handwriting recognition, palm prints and ear prints, and iris and retina scans.

Of course, it is possible for hackers to steal biometric information, as well. And while a user can be issued a new password, issuing a new eyeball is more difficult.

It will be important to keep biometric data secure, she said. However, if one particular biometric reading is compromised, a different device will probably read the same feature in a different way, and there are many different biometric measurements that could be taken.

Secure biometric identification, especially when used in combination with another factor, can be extremely effective, she said.

"I hope that it will soon become the norm," she said.

By itself, email isn't the most secure channel, but it can be used in combination with other mechanism to confirm identity or to allow a user to review particular transactions.

In addition, emails can be used to instruct users to log into their accounts or other secure online spaces to receive documents or confirm transactions.

When the IRS transcript system was compromised, the agency turned off the online functionality -- but left available the option for users to request a mailed copy of the transcript.

The document would be mailed to the address the IRS already had on file.

And while identity thieves do occasionally stake out mailboxes and steal mail, this approach isn't likely to scale to any degree.

Other organizations might also consider going back to traditional mail for the most critical but not time-sensitive authentication requirements.

"In some cases, it would probably be OK to do that," she said. "But I haven't seen mail make much of a comeback."

The bottom line, Ranganathan said, is to use multiple authentication methods, and to add different types of mechanisms as security requires.


Maria Korolov

Zur Startseite