Expert: Time to stop relying on PII for authentication

Last week, the IRS released an updated damage estimate of the hack of the tax transcript request website -- cyberthieves used the transcripts to file fraudulent returns in order to get their hands on as much as $39 million in tax refunds.

What is more disconcerting, though, is that the hackers made 200,000 attempts at getting into the system -- and succeeded 100,000 times.

That's because the IRS was using a series of personal questions to authenticate identity. Unfortunately, these days, the hackers often know more of our personal details than we know ourselves -- does anyone actually remember the street they lived on five moves ago?


There's plenty of other evidence that cybercriminals know way too much about us. For example, when onboarding new Apple Pay users, some bank call centers use personal questions for authentication, allowing criminals to make purchases with stolen credit card numbers.

And much of this information never expires.

"While you can get a new credit card number, you are not going to get a new Social Security number or some of the other user identity sensitive data," said Richard Blech, CEO and co-founder of Secure Channels.

Meanwhile, every new breach just puts more and more data into the hands of the bad guys.

It's time for companies and agencies that use personal information for authentication to switch to more secure methods, said Vidhya Ranganathan, senior vice president of product at security vendor Accellion.

"Two days back, my credit card company called me because I was traveling in Europe, and paid for a cup of coffee in London," she said. "They called me to confirm that it was a legitimate transaction, and that I made it."

That was a good move, she said. The fact that she had access to the phone number that was on file for her account was a pretty good indication that she was who she said she was. "But then they said, can they ask me some questions to confirm who I am? I said, 'No.' I'm very scared to give someone these kinds of personally identifiable details. What is the guarantee that the caller isn't a person who's going to get my information and use it for something else?"

It is possible for criminals to compromise mobile phones. But the odds that the same criminal gang that got their hands on her credit card number also managed to hijack her phone are low.

A phone call or text message to the number already on file would significantly improve security without relying on personally identifiable information.

Many banks have started to keep track of the computers and mobile devices that their customers typically log in from, Ranganathan said.

"And they will say, 'This is a computer we've never seen you on,' and then ask for additional authentication," she said. "I hope that it will become more prevalent."
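The device-recognition approach Ranganathan describes, worked through as an added example (not code from any bank or vendor named in the article): a login from a recognised device is allowed, an unrecognised device triggers a one-time code sent out of band to the phone on file instead of a personal-question quiz, and the device is enrolled only after the challenge succeeds. The fingerprint string, server key and SMS outbox are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical per-deployment secret; devices are stored as keyed hashes so the
# table does not reveal raw browser/device attributes if it leaks.
SERVER_KEY = secrets.token_bytes(32)
SMS_OUTBOX = []  # constructed stand-in for an SMS gateway: list of (phone, code)


def device_id(fingerprint: str) -> str:
    """Keyed hash of a device fingerprint (e.g. user agent + TLS/client traits)."""
    return hmac.new(SERVER_KEY, fingerprint.encode(), hashlib.sha256).hexdigest()


def send_sms(phone: str, code: str) -> None:
    SMS_OUTBOX.append((phone, code))


@dataclass
class Account:
    phone_on_file: str
    known_devices: set = field(default_factory=set)
    pending_codes: dict = field(default_factory=dict)  # device_id -> one-time code


def begin_login(acct: Account, fingerprint: str) -> dict:
    """Allow a known device; otherwise step up with an out-of-band one-time code."""
    did = device_id(fingerprint)
    if did in acct.known_devices:
        return {"decision": "allow"}
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending_codes[did] = code
    send_sms(acct.phone_on_file, code)
    return {"decision": "step_up", "factor": "sms_otp"}


def complete_step_up(acct: Account, fingerprint: str, submitted: str) -> bool:
    """Verify the code in constant time; a challenge is single-use whether or not
    it succeeds, and success enrols the device for future logins."""
    did = device_id(fingerprint)
    expected = acct.pending_codes.pop(did, None)
    if expected is None or not hmac.compare_digest(expected, submitted):
        return False
    acct.known_devices.add(did)
    return True
```

A wrong code consumes the challenge, so an attacker cannot keep guessing against the same six digits; the caller must start a new login to receive a fresh code.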

There are a lot of companies looking to make biometrics easy and reliable, Ranganathan said, though, so far, only fingerprint scanners have reached any significant penetration.

"But there's a lot of research and investment going into it," she said.

Vendors are working on a number of different approaches, including voice, face and handwriting recognition, palm prints and ear prints, and iris and retina scans.

Of course, it is possible for hackers to steal biometric information, as well. And while a user can be issued a new password, issuing a new eyeball is more difficult.

It will be important to keep biometric data secure, she said. However, if one particular biometric reading is compromised, a different device will probably read the same feature in a different way, and there are many different biometric measurements that could be taken.

Secure biometric identification, especially when used in combination with another factor, can be extremely effective, she said.

"I hope that it will soon become the norm," she said.

By itself, email isn't the most secure channel, but it can be used in combination with other mechanisms to confirm identity or to allow a user to review particular transactions.

In addition, emails can be used to instruct users to log into their accounts or other secure online spaces to receive documents or confirm transactions.

When the IRS transcript system was compromised, the agency turned off the online functionality -- but left available the option for users to request a mailed copy of the transcript.

The document would be mailed to the address the IRS already had on file.

And while identity thieves do occasionally stake out mailboxes and steal mail, this approach isn't likely to scale to any degree.

Other organizations might also consider going back to traditional mail for the most critical but not time-sensitive authentication requirements.

"In some cases, it would probably be OK to do that," she said. "But I haven't seen mail make much of a comeback."

The bottom line, Ranganathan said, is to use multiple authentication methods, and to add different types of mechanisms as security requires.


Stories by Maria Korolov
