“Secrets based” authentication based off of your customer’s static PII today alone, is useless.
With the addition of another massive data breach earlier this week of over 340M individual records of consumer and businesses with consumer profiles and preferences from a market data aggregation firm, consumer’s secrets are now fully exposed.
Identifying data like the number of children you have, their gender, dog or cat ownership smoking preference, scuba certification, as well as the typical identifying data like name, address, birth date, phone numbers, are no longer secret.
As an American consumer, if you’re asking: “Is my personal information available for sale on the dark web?”. You are years too late. The question you should be asking yourself instead is: “How much and how detailed is my exposed personal information available to someone with unscrupulous morals?”. The fact is, that today, it is actually more likely than not that your personal information is accessible on the dark web.
The effects of the recent market data aggregation firm’s breach
There were 340M individual consumer and business records that were released. When you consider there are only 327M adults in the US, that number seems staggering. Combined with last year’s headline-grabbing credit bureau breach of over 145 million records released some including social security and driver’s license numbers, “secrets based” authentication is utterly useless. Nearly every American now has a detailed profile of their hobbies, family structure, birthdays and health habits available for sale on the dark web.
Knowledge Based Authentication (KBA’s) are ineffective at deterring fraudsters from usurping identities in the voice channel and KBA’s alone, should not be considered an effective form of authentication. The answers to those secret questions to confirm your identity can theoretically be accessed by the 2 million people accessing the dark web each day.
Recommendations to keep your customer’s identity secure
These latest headlines serve as a reminder that identity verification needs to go beyond asking secrets whether online or over the voice channel. Consider how you are protecting each customer access point that uses secret based security. You are likely using knowledge to verify your customer’s identity that is easily obtained by a simple web search.
To learn about how recent data breaches can impact your business, check out our webinar “Why Recent Data Breaches Don’t Matter to Your Enterprise”