Authentication: The Thieves Already Know the Answers

High-profile attacks on federal government information systems have dominated the headlines in recent weeks. While the tactics used to execute these attacks vary, they share a common and unfortunate root cause: our widespread over-dependence on supposedly "private" information as an authentication control. In the case of the Office of Personnel Management (OPM) attack, in which somewhere between four million and potentially eighteen million identities were purportedly stolen, the point of compromise is believed to be the password of a privileged user account held by a government contractor. In the attack reported by the IRS a few weeks ago, attackers gained access to over one hundred thousand taxpayer accounts by breezing through every cyber criminal's new favorite control to beat up on: knowledge-based authentication.

In both of these cases, a smaller-scale information compromise led to a much bigger and uglier one. With the OPM breach, a stolen password unlocked the mother lode of federal employee data. In the IRS breach, a prior compromise of personal information likely gave the bad actors what they needed to correctly answer out-of-wallet questions for over one hundred thousand innocent victims. And therein lies the problem. When we rely exclusively on knowledge-based authentication controls built on information assumed to be "private," we are defenseless once that information is no longer as private as we once thought. As a result, our secured systems topple like dominoes, and sadly there is no end in sight. Private information harvested from one breach is used to perpetrate the next, and so the vicious cycle continues.

The OPM incident aside, passwords as a security control have generally been put in their place by the information security community over the past few years, and rightly so. But we have been slower to recognize the same inherent vulnerabilities in knowledge-based authentication. After all, isn't knowledge-based authentication essentially a fancier variation of the password? If anything, it is a weaker one: the answers are drawn from records that many other parties already hold, and unlike a password they cannot be changed once they leak.

Because of these massive compromises, we can no longer protect our most sensitive information systems by simply betting on the secrecy of other sensitive information, whether passwords or out-of-wallet answers. In today's data breach paradigm, the risk that the information has already been compromised is simply too high. The backlash from these catastrophic breaches will surely elicit a reaction from the highest levels of government. Inevitably, some of that reaction will be political gamesmanship. But let's hope that, if nothing else, we will finally take these threats seriously and diversify our set of controls beyond the status quo of the last decade.

In the coming weeks we will examine what happens next. Specifically, we will describe how fraudsters will leverage this newly acquired treasure trove of consumer information to mount attacks against the financial system. Stay tuned.

Written by Matt Schraan
Vice President, Product Development and Client Solutions
Matt has dedicated his professional life to building products that reduce fraud risk, meet compliance requirements, and maximize value from fraud detection techniques. He has presented at numerous industry conferences on counter-fraud topics such as account takeover, application fraud, identity verification, and compliance strategies.
