Report: D&B, LexisNexis, Kroll Hacked
Doubts Raised About Veracity of Knowledge-Based Authentication
A report that hackers allegedly trafficking in personally identifiable information have breached the computers of three major data aggregators raises doubts about the use of knowledge-based authentication as a tool to verify an individual's identity.
A seven-month investigation by security blogger Brian Krebs reveals that an organization known as SSNDOB compromised the computers of information aggregators Dun & Bradstreet, LexisNexis and Kroll Background America, which maintain records on millions of Americans that can be used to support knowledge-based authentication.
SSNDOB for the past two years has marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up Social Security numbers, birthdays and other personal data on any U.S. resident for prices ranging from 50 cents to $2.50 a record and $5 to $15 for credit checks, Krebs reports.
Impact of the Breaches
Avivah Litan, an analyst at the consultancy Gartner, says the report "makes it crystal clear" that organizations should not rely on knowledge-based authentication to verify identity.
"Criminals can get their hands on anyone's KBA [knowledge-based authentication] or identity information through the black market exchanges that Krebs writes about," Litan writes in her blog.
Michael Versace, global director at IDC Financial Insight, says databases of personal information, such as those reportedly breached, become bigger targets for attack as they grow. But, he says, it's not just the threat of a breach that is weakening the effectiveness of knowledge-based authentication.
"As more personal information enters the market, more will have knowledge of these personal details, and less details remain personal," he says. "And, frustrated end-users become less likely to protect personal details as they become aware of how widely available personal data has become."
Still, Litan says it is difficult for organizations to wean themselves from knowledge-based authentication. "There are no readily available alternatives that work as technically easily as KBA does," she says. "Biometrics anyone?"
Role of Biometrics
Versace says biometric authentication makes sense in certain applications, although more needs to be done to protect biometric information. "We run the risk of running into the same problems as KBA," he says, citing recent hacks against Apple's iOS 7 operating system and the iPhone 5, which includes biometrics.
An alternative, he suggests: Adaptive authentication that relies on real-time behavior, such as identifying a user who's accessing a system from a known location.
Kroll issued a statement saying it's working with outside independent computer forensics experts who are investigating the source of the breach and assessing the adverse impact, if any. LexisNexis confirmed to Krebs that two of its public-facing web servers had been compromised. Krebs reports that Dun & Bradstreet Chief Technology Officer Elliot Glazer said the company is aggressively investigating the matter.
In his report, Krebs says SSNDOB's database was attacked this summer by multiple attackers, and he received a copy of the database, which he reviewed. He says the database shows that the site's 1,300 customers have spent hundreds of thousands of dollars looking up Social Security numbers, birthdays, drivers' license records, and obtaining unauthorized credit and background reports on more than 4 million Americans.
Krebs says an analysis of the networks, network activity and credentials used by SSNDOB administrators indicates that these individuals also were responsible for operating a small but very potent botnet. "This botnet appears to have been in direct communications with internal systems at several large data brokers in the United States," he writes. "The botnet's Web-based interface indicated that the miscreants behind this ID theft service controlled at least five infected systems at different U.S.-based consumer and business data aggregators."
Tracy Kitten contributed to this report.