Hack of major data brokers weakens bank authentication

The reported hack of major consumer and business data aggregators has intensified doubts about the reliability of the knowledge-based authentication widely used in the financial services industry, analysts say.

The computer systems of LexisNexis, Dun & Bradstreet and Kroll Background America were hacked by an underground identity theft service that sells Social Security numbers, birth records, and credit and background reports on millions of Americans, Brian Krebs, a former Washington Post reporter and author of the KrebsOnSecurity blog, reported on Wednesday. Krebs uncovered the hack following a seven-month investigation of the criminal site ssndob[dot]ms.

The hack is significant because of the wealth of personally identifiable information (PII) collected by the three companies.

LexisNexis operates one of the largest electronic databases for legal and public-records related information. Dun & Bradstreet licenses information on businesses and corporations for use in credit decisions, and Kroll provides information to companies for employment and drug and health screening.

The amount of data stolen was not known. However, ssndob files uncovered by Krebs indicated the service had access to the companies' computer systems for three to six months.

"This is a very serious breach and is much more significant than the mass credit card breaches we have been hearing about over the past few years," Avivah Litan, an analyst with Gartner, told CSOonline.


While banks usually cover losses from credit-card fraud, the damage caused by crooks using people's PII is not so easily fixed. To authenticate people applying for credit, loans, mortgages and other financial services, banks will ask questions based on information in records compiled by data brokers.

The latest breaches raise further doubt about the effectiveness of so-called knowledge-based authentication (KBA), which banks already knew was becoming less reliable.

"This breach will definitely and seriously undermine trust in KBA among financial services companies who understand the implications and have to deal with them every day," Litan said. "The banks already knew KBA was broken in part, and now they will be incented to move much more quickly into alternatives."

Indeed, financial institutions will have to move beyond using a single source for information on loan applicants. "This marks the beginning of an era in which identity proofing, verification and vetting information will have to be sourced from multiple sources and providers," said Andras Cser, an analyst for Forrester Research.

In a study released a year ago, Gartner said its clients reported an average failure rate of 10% to 15% on KBA that relied on public data, such as credit bureau or driver's license records. Fraud contributed to the failure rate, along with wrong information or people forgetting the answers to questions.

To better protect against fraud, Gartner recommends a "layered approach" for identity proofing that includes several verification methods, including the use of internal information, which has proven more reliable than data gathered by aggregators of public records.

For websites that use KBA for people who have forgotten passwords, Cser recommended also using technology that can identify the accessing device and link it to the customer. Vendors include iovation, ThreatMetrix and 41st Parameter, he said.

Other alternative authentication services include those that specialize in vetting customer-provided data in loan and credit applications and online registration, Cser said. Service providers include ID Analytics.
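The layered approach Gartner and Cser describe above can be made concrete as a scoring policy in which a KBA pass is only one weak signal, and approval requires corroboration from a recognised device or from data only the bank itself holds. The following is an added example written for this page; it is not code from CSOonline, Gartner, Forrester or any vendor named in the article. The customer identifiers, device fingerprints, weights and thresholds are all constructed assumptions, and the device-recognition layer is modelled as a simple lookup rather than a real fingerprinting service.

```python
"""Layered identity proofing: KBA alone never reaches the approval threshold.

Added example (not from the article or any named vendor). It combines three
signals a bank might have, all constructed for the demo:
  1. KBA quiz result, drawn from public-record data, so treated as a weak signal
  2. device recognition: is the accessing device already bound to this customer?
  3. internal-data check: does the applicant know something only the bank holds
     (for example the amount of a recent transaction)?
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed assumptions: weights and thresholds are illustrative, not a standard.
WEIGHT_KBA = 0.3          # weak: public-record answers can be bought or guessed
WEIGHT_DEVICE = 0.4       # device already bound to the customer
WEIGHT_INTERNAL = 0.4     # knowledge of bank-internal data
PENALTY_INTERNAL = -0.3   # answered an internal-data question wrongly
APPROVE_AT = 0.7          # approve without further friction
STEP_UP_AT = 0.3          # route to an out-of-band step-up (call-back, branch, etc.)
KBA_PASS_FRACTION = 0.75  # e.g. 3 of 4 quiz questions correct

# Constructed: devices previously bound to each customer (hypothetical fingerprints).
KNOWN_DEVICES = {
    "cust-1001": {"dev-a1b2"},
    "cust-1002": {"dev-c3d4", "dev-e5f6"},
}


@dataclass
class ProofingInput:
    customer_id: str
    kba_correct: int                      # correct answers on the KBA quiz
    kba_total: int
    device_id: str                        # fingerprint reported by the device layer
    internal_check: Optional[bool]        # None when the bank has no internal data yet


def kba_passed(inp: ProofingInput) -> bool:
    """KBA quiz passes when the correct fraction meets the (assumed) cut-off."""
    if inp.kba_total <= 0:
        return False
    return inp.kba_correct / inp.kba_total >= KBA_PASS_FRACTION


def device_recognised(inp: ProofingInput) -> bool:
    """Device layer: true only if this fingerprint is already bound to the customer."""
    return inp.device_id in KNOWN_DEVICES.get(inp.customer_id, set())


def proof_identity(inp: ProofingInput) -> Tuple[str, float, List[str]]:
    """Return (decision, score, reasons). Decision is approve, step_up or deny.

    The weights are chosen so that a KBA pass on its own lands in step_up:
    a fraudster holding stolen public-record data cannot reach approval
    without also controlling a bound device or knowing bank-internal data.
    """
    score = 0.0
    reasons = []
    if kba_passed(inp):
        score += WEIGHT_KBA
        reasons.append("kba_pass")
    if device_recognised(inp):
        score += WEIGHT_DEVICE
        reasons.append("device_known")
    if inp.internal_check is True:
        score += WEIGHT_INTERNAL
        reasons.append("internal_pass")
    elif inp.internal_check is False:
        score += PENALTY_INTERNAL
        reasons.append("internal_fail")
    score = round(score, 2)
    if score >= APPROVE_AT:
        return "approve", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons
    return "deny", score, reasons


if __name__ == "__main__":
    scenarios = {
        "KBA pass only (stolen-data profile)": ProofingInput("cust-1001", 4, 4, "dev-unknown", None),
        "KBA pass + bound device": ProofingInput("cust-1001", 3, 4, "dev-a1b2", None),
        "KBA fail + bound device + internal": ProofingInput("cust-1002", 2, 4, "dev-e5f6", True),
        "KBA pass + internal data wrong": ProofingInput("cust-1002", 4, 4, "dev-unknown", False),
        "nothing corroborates": ProofingInput("cust-1001", 1, 4, "dev-unknown", None),
    }
    for name, inp in scenarios.items():
        decision, score, reasons = proof_identity(inp)
        print(f"{name:40s} -> {decision:8s} score={score} {reasons}")
```

The first scenario is the one the article is about: an applicant who answers every public-record question correctly but presents an unknown device and has no bank-internal history is routed to step-up rather than approved, which is what a layered policy buys you when the KBA data itself may be in criminal hands.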
