PINDROP BLOG

Data Breaches: The Death Knell of KBA

In the 1930s, the United States introduced Social Security Numbers to keep track of workers’ wages and their Social Security Program contributions. Today, the private sector uses Social Security Numbers as a unique identifier for consumers and the primary means of gathering information on individuals. Our society is comfortable using this identifier when applying for home loans, credit cards, utilities, and even government benefits.

The most recent breach in the headlines has exposed nearly half the U.S. population’s Social Security Numbers, dates of birth, addresses, and in some cases, driver’s licenses and credit card numbers. This breach, combined with the 1.9 billion records released from other data breaches in the first half of 2017 and the 4 billion plus records released in 2016, marks the end of assuming our personal information is NOT for sale to the highest-bidding fraudster.

As fraudsters purchase and verify your personal data, it is used to impersonate you online and over the phone. The largest targets for fraudsters to use their newly assumed identities to extract money are the finance, retail, healthcare and public sectors. These institutions bear the responsibility of verifying individuals and keeping fraudsters at bay. Ironically, a common authentication practice, knowledge-based authentication (KBA), often relies on the same information exposed in most breaches. So what happens when a unique identifier is no longer unique? The key to the lock is then possessed by both the good guys and the bad guys, rendering the lock ineffective.

This is why this most recent breach should signal that KBA questions are no longer a relevant form of authentication. Businesses must assume that fraudsters have exactly the same knowledge of personal information as their customers. Effective protection against fraud means eschewing question-and-answer sessions for authentication and using means that customers, and therefore fraudsters, cannot control. Businesses have been using KBA even while knowing it is a weak or ineffective security practice, but they should now have no doubt about whether this practice should still be considered.

Eliminating use of the Social Security Number has been discussed for years. Now, with data breaches making consistent headlines and the White House Cybersecurity division in agreement, businesses should move to eliminate Social Security Numbers as an identifier. Continuing to use KBA question-and-answer sessions for authentication will become a beacon to fraudsters. Fraudsters will exploit any vulnerability they can, including the lack of effective security in the call center.

This latest reminder of the impact cyber criminals and fraudsters can have on organizations signals that the removal of knowledge-based authentication is a top priority. Call center security is rarely top of mind for organizations, but these latest breach headlines indicate it is time to reassess current practices surrounding authentication and fraud protection.