Breached PII: Why KBA Has to Go
New Forms of Authentication Essential in New Environment
A wide variety of personally identifiable information is readily available to fraudsters as a result of data breaches, an investigation involving a Vietnamese hacker who was sentenced this week shows.
With so much stolen PII available, it's time for banking institutions and others to enhance the technologies and techniques they use to authenticate customers' identities. Knowledge-based authentication, based on questions derived from PII, is no longer reliable.
While retail breaches linked to big-name brands like Target and Home Depot have grabbed headlines and public attention because of the payments data they exposed, experts have been warning that our attention should be focused more on mitigating the identity theft and new-account fraud risks that come with stolen PII.
As the U.S. ramps up its migration to EMV chip technology, and as tokenization and end-to-end encryption become more common, the massive card breaches we now worry about will likely taper off, because the card data they expose becomes much harder to monetize.
With stolen PII, however, fraudsters can perpetrate many forms of fraud. For example, they can use the information to help defeat knowledge-based authentication so they can access online accounts and conduct fraudulent payments and wire transfers. But they can also use PII to fraudulently open new accounts, create synthetic identities and file fraudulent tax returns.
The case of Vietnamese national Hieu Minh Ngo should serve as a wake-up call. On July 14, the Department of Justice announced that Ngo had been sentenced to 13 years in prison after pleading guilty to stealing and then selling PII linked to as many as 200 million U.S. citizens.
Between 2007 and 2013, Ngo packaged and sold stolen PII in underground forums he owned and managed, prosecutors say. That packaged information typically included names, dates of birth, Social Security numbers, bank account numbers and bank routing numbers. Ngo also admitted to selling stolen card data, which typically included the victim's debit or credit card number, expiration date and card verification value (CVV).
He then allowed buyers who shopped on his sites to query online databases for the stolen PII of specific individuals. Ngo told authorities that more than 1,300 customers from around the world conducted more than 3 million queries on his websites.
The Internal Revenue Service confirmed that 13,673 U.S. citizens, whose stolen PII was sold on Ngo's sites, were victimized through fraudulent income tax returns that totaled $65 million, prosecutors say.
Increasing Value of PII
Avivah Litan, a fraud analyst at the consultancy Gartner, says tax fraud linked to compromised PII is a huge problem, yet it seems to get little public attention.
When Heartland Payment Systems last month reported that computers used in a payroll center it owns in California had been stolen, Litan said it was cause for grave concern.
"For years, no one has reacted or paid attention to the breach of payroll data or taxpayer information, even though the loss of this kind of information is so much more serious to a consumer than credit cards," she said.
Javelin Strategy & Research predicts that between now and the end of 2018, data breaches involving healthcare, government and education will skyrocket, and that the PII compromised in these breaches will lead to a surge in fraudulent activity.
"The question isn't necessarily how do we protect the PII - because so much of it has been compromised," says Javelin analyst Al Pascual. "Rather, how do we conduct business in a world where you can't trust that the PII you're being provided is legitimate?"
Pascual says the continued compromise of records containing PII strengthens the argument that KBA cannot be relied upon to validate identities: any question a bank can answer from a bureau or public-records file is a question a fraudster holding the same breached file can answer too.
So, What's Next?
John Buzzard, payments fraud and security product manager at FIS Global, a core banking and payments processor, says criminals are acquiring massive amounts of PII and assembling it with increasing accuracy and completeness.
"The mere presence of so much powerful data in the hands of criminals should remind everyone that multilayered security and authentication needs to be standard practice and less of an option," he says.
Clearly, we have to strengthen identity and access management, as well as authentication practices, especially for online accounts. Biometrics and the new specifications coming out of the FIDO Alliance, which replace shared secrets with a cryptographic key held on the user's device and exercised through a challenge-response, can play important roles.
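To make the contrast concrete, here is an added example (not code from the article or from any of the vendors it quotes) that models the two approaches side by side. A KBA verifier builds its questions from the bank's copy of a customer record; a fraudster holding a breached copy of that same record answers every question correctly, because both sides drew on the same compromised data. A possession-based check then issues a random challenge that only a device-held key can answer, and the breached record is useless against it. The customer record, the origin name `bank.example` and the device key are all constructed sample data, and HMAC-SHA256 with a device-held secret is used as a stand-in for the public-key signature a FIDO authenticator would produce (a real deployment would store only a public key on the server).

```python
"""Added example (not from the article): knowledge-based authentication (KBA)
versus a possession-based challenge-response, using constructed data.

HMAC-SHA256 with a device-held secret stands in for the public-key signature
a FIDO authenticator would return; the structure (server nonce, origin
binding, no answer derivable from any PII record) is the point being shown.
"""
import hashlib
import hmac
import secrets

# --- Constructed data -----------------------------------------------------
# What the bank holds about the customer, sourced from bureau-style records.
BANK_RECORD = {
    "dob": "1980-04-12",
    "ssn_last4": "6789",
    "prior_street": "Maple Ave",
    "routing_number": "021000021",
}
# What a buyer on an underground PII shop obtains: the same fields, because
# the bank and the criminal both drew from the same compromised sources.
BREACHED_RECORD = dict(BANK_RECORD)

KBA_QUESTIONS = ["dob", "ssn_last4", "prior_street"]
ORIGIN = "bank.example"  # hypothetical relying-party origin


def kba_verify(record, answers, required=3):
    """KBA: pass if at least `required` questions match the verifier's record."""
    correct = sum(1 for q in KBA_QUESTIONS if answers.get(q) == record[q])
    return correct >= required


class Authenticator:
    """A device-bound key: generated on the device, never part of any PII file."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def enrollment_key(self):
        # Simplification: the verifier stores the same symmetric key. With FIDO
        # it would store only the device's public key.
        return self._secret

    def respond(self, origin, challenge):
        # The response binds the server's fresh challenge to the origin the
        # device believes it is talking to, which defeats replay and phishing.
        return hmac.new(self._secret, origin.encode() + challenge,
                        hashlib.sha256).digest()


def possession_verify(stored_key, origin, challenge, response):
    """Verifier side: recompute the expected response and compare in constant time."""
    expected = hmac.new(stored_key, origin.encode() + challenge,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_scenarios():
    """Run each party against each scheme and return the pass/fail outcomes."""
    results = {}
    # 1. Legitimate customer answers KBA from memory.
    results["kba_customer"] = kba_verify(
        BANK_RECORD, {q: BANK_RECORD[q] for q in KBA_QUESTIONS})
    # 2. Fraudster answers KBA from the breached record: indistinguishable.
    results["kba_fraudster"] = kba_verify(
        BANK_RECORD, {q: BREACHED_RECORD[q] for q in KBA_QUESTIONS})

    device = Authenticator()
    stored_key = device.enrollment_key()   # set at enrollment time
    challenge = secrets.token_bytes(32)    # fresh per login attempt

    # 3. Customer's device answers the bank's challenge.
    results["device_customer"] = possession_verify(
        stored_key, ORIGIN, challenge, device.respond(ORIGIN, challenge))
    # 4. Fraudster has the full breached record but no device; the best
    #    available move is to derive something from the PII, which fails.
    forged = hashlib.sha256(repr(BREACHED_RECORD).encode()).digest()
    results["device_fraudster"] = possession_verify(
        stored_key, ORIGIN, challenge, forged)
    # 5. A response captured on a look-alike phishing origin does not verify
    #    against the real origin.
    phished = device.respond("bank-login.example", challenge)
    results["device_replay_other_origin"] = possession_verify(
        stored_key, ORIGIN, challenge, phished)
    # 6. A genuine response replayed against a new challenge also fails.
    results["device_replay_old_challenge"] = possession_verify(
        stored_key, ORIGIN, secrets.token_bytes(32),
        device.respond(ORIGIN, challenge))
    return results


if __name__ == "__main__":
    for scenario, passed in run_scenarios().items():
        print(f"{scenario:28s} {'PASS' if passed else 'FAIL'}")
```

The two KBA lines are the ones that matter: the verifier cannot tell the customer from the fraudster, because the "secret" it checks is the same data that was sold on Ngo's sites. The device-bound check fails the fraudster not because the PII is wrong but because the PII is irrelevant to it.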
And it appears that, in the banking sector at least, some progress is being made to shore up authentication gaps.
Shirley Inscoe, a fraud analyst at consultancy Aite, says more institutions are using voice and fingerprint biometrics to authenticate users of call centers and online banking.
In the months ahead, I expect to see much broader adoption of biometric technologies to strengthen authentication. At this stage of the game, we really don't have a choice.