The Fraud Blog with Tracy Kitten

Biometrics , Multi-factor & Risk-based Authentication , Next-Generation Technologies & Secure Development

Breached PII: Why KBA Has to Go

New Forms of Authentication Essential in New Environment
Breached PII: Why KBA Has to Go
Javelin's Al Pascual forsees far more PII breaches.

A wide variety of personally identifiable information is readily available to fraudsters as a result of data breaches, an investigation involving a Vietnamese hacker who was sentenced this week shows.

See Also: 5 Requirements for Modern DLP

With so much stolen PII available, it's time for banking institutions and others to enhance the technologies and techniques they use to authenticate customers' identities. Knowledge-based authentication, based on questions derived from PII, is no longer reliable.

While retail breaches linked to big-name brands like Target and Home Depot have grabbed headlines and public attention because of the payments data that was exposed, experts have been warning that our attention should be more focused on mitigating identity theft and new account fraud risks associated with stolen PII.

As the U.S. ramps up its migration to EMV chip technology, and the use of tokenization and end-to-end encryption becomes more common, the massive card breaches we're now all so worried about will likely taper off.

With stolen PII, however, fraudsters can perpetrate many forms of fraud. For example, they can use the information to help defeat knowledge-based authentication so they can access online accounts and conduct fraudulent payments and wire transfers. But they can also use PII to fraudulently open new accounts, create synthetic identities and file fraudulent tax returns.

PII Compromised

The case involving Vietnamese national Hieu Minh Ngo, who stole and then sold PII belonging to as many as 200 million U.S. citizens, should serve as a wake-up call.

On July 14, the Department of Justice announced Ngo's 13-year prison sentence, which he received after pleading guilty to stealing and then selling PII linked to as many as 200 million U.S. citizens.

Between 2007 and 2013, Ngo packaged and sold stolen PII in underground forums he owned and managed, prosecutors say. That packaged information typically included names, dates of birth, Social Security numbers, bank account numbers and bank routing numbers. Ngo also admitted to selling stolen card data, which typically included the victim's debit or credit card number, expiration date and card-verification-value number.

He then allowed buyers who shopped on his sites to query online databases for the stolen PII of specific individuals. Ngo told authorities that more than 1,300 customers from around the world conducted more than 3 million queries on his websites.

The Internal Revenue Service confirmed that 13,673 U.S. citizens, whose stolen PII was sold on Ngo's sites, were victimized through fraudulent income tax returns that totaled $65 million, prosecutors say.

Increasing value of PII

Avivah Litan, a fraud analyst at the consultancy Gartner, says tax fraud linked to compromised PII is a huge problem, yet it seems to get little public attention.

When Heartland Payment Systems last month reported that computers used in a payroll center it owns in California had been stolen, Litan said it was cause for grave concern.

"For years, no one has reacted or paid attention to the breach of payroll data or taxpayer information, even though the loss of this kind of information is so much more serious to a consumer than credit cards," she said.

And Al Pascual, director of fraud and security at Javelin Strategy & Research, says the value of PII will increase as the U.S. moves toward EMV compliance (see Breached PII: Growing Fraud Worry).

Javelin predicts that between now and the end of 2018, data breaches involving healthcare, government and education will skyrocket. And the PII compromised during these breaches will lead to a surge in fraudulent activity.

"The question isn't necessarily how do we protect the PII - because so much of it has been compromised," Pascual says. "Rather, how do we conduct business in a world where you can't trust that the PII you're being provided is legitimate?"

Pascual says the continued compromise of records containing PII increasingly supports the argument that KBA cannot be relied upon to validate identities.

So, What's Next?

John Buzzard, payments fraud and security product manager at FIS Global, a core banking and payments processor, says criminals are acquiring massive amounts of PII and assembling it with increasing accuracy and completeness.

"The mere presence of so much powerful data in the hands of criminals should remind everyone that multilayered security and authentication needs to be standard practice and less of an option," he says.

Clearly, we have to strengthen identity and access management, as well as authentication practices, especially for online accounts. Biometrics and some of the new specifications coming out from the FIDO Alliance can play important roles.

And it appears that, in the banking sector at least, some progress is being made to shore up authentication gaps.

Shirley Inscoe, a fraud analyst at consultancy Aite, says more institutions are using voice and fingerprint biometrics to authenticate users of call centers and online banking.

In the months ahead, I expect to see much broader adoption of biometrics technologies for authentication enhancement. At this stage of the game, we really don't have a choice.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.