More than three years ago Gartner VP and distinguished analyst Avivah Litan postulated that knowledge-based authentication (KBA, the method favored by financial organizations to verify identity) is broken. KBA lets a financial services company authenticate an individual based on the applicant's knowledge of a range of personal details. But, she wrote, "I have had a hard time figuring out how so many crooks have been so easily able to answer these questions successfully, when even the legitimate users have such a tough time remembering the right answers to them."
Her conclusion was that employees at the big public data aggregators had been phished. The criminals "simply get access to these employees accounts and get the keys to the data treasures. They can look up anything that is known about any of us, and armed with that information they can bypass most knowledge based authentication systems and processes based on external data from public data aggregators and the credit bureaus."
Now security researcher Brian Krebs has provided evidence indicating that she was probably right, and that the whole process has been turned into a criminal personal-data lookup service. "The Website ssndob[dot]ms... has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident."
Like Litan before him, he did not at first know how or from where the data for sale was obtained. Earlier this summer, however, ssndob was itself hacked – and Krebs got hold of a copy of its database. It did not show the source of the data, referring merely to DB1, DB2 and so on. But subsequent analysis indicated that the ssndob administrators controlled a small botnet that in turn "controlled at least five infected systems at different U.S.-based consumer and business data aggregators."
Two of the systems were inside the networks of LexisNexis; two inside the networks of Dun & Bradstreet; and the fifth "was located at Internet addresses assigned to Kroll Background America, Inc."
Krebs does not say how he obtained a sample of the bot, but adds that, "An initial analysis of the malicious bot program installed on the hacked servers reveals that it was carefully engineered to avoid detection by anti-virus tools." This would explain why the data aggregators concerned appear to have been unaware of the compromises until told, presumably by Krebs.
Their response has been varied. LexisNexis reported the matter to the FBI, and said, "Because this matter is actively being investigated by law enforcement, [LexisNexis] can’t provide further information at this time.”
Dun & Bradstreet said less. "Elliot Glazer, chief technology officer at Dun & Bradstreet, said the information provided about the botnet's interaction with the company's internal systems had been 'very helpful,'" writes Krebs.
Altegrity, for Kroll, simply said, "We have dedicated significant information security resources to managing security and protecting the data and privacy of our customers... [we have] teams from both inside and outside the company investigating your allegations vigorously.”
Assuming Krebs and Litan are correct, the question now is where the industry goes from here. "We could well be witnessing the death of knowledge-based authentication, and it's as it should be," Litan told Krebs. "The problem is that right now there are no good alternatives that are as easy to implement. There isn't a good software-based alternative," adding that widespread biometric authentication is "years away. If ever."