Identity is Everything – Why Knowledge-Based Authentication is Not Enough

Here in the U.S., most of us are preparing our annual income tax filings. But that’s not the only reason the Internal Revenue Service (IRS) is top of mind this month. Since May of 2015, the IRS has made several announcements about data breaches affecting U.S. taxpayers. To date, over 700,000 people have been affected, and the IRS has estimated that the cost of the fraud will exceed $50 million (once the 2015 filing period is completed, this number will probably go higher). Perhaps most damaging, serious doubts have emerged about the ability of the agency to protect its citizens from cyber thieves.

The common factor at the heart of both recent IRS data breaches was the failure of knowledge-based authentication (KBA) systems to protect highly sensitive data. We are all familiar with KBA. We encounter it when we call our banks and are asked for our mother’s middle name, or when we forget our password and have to answer security questions like “in what town were you born?” You also may have encountered more elaborate challenge questions based on publicly available financial data, such as “what is the amount of your current mortgage payment?”

KBA systems are popular because they are user-friendly and relatively inexpensive to implement. But KBA systems only work when the answers to are “secret” – known only to the users – and are not easy to guess or discover through research. Unfortunately, in today’s world of highly sophisticated criminals and widespread identity theft, we can’t assume anything is secret.

The two data breaches at the IRS within the last nine months aptly illustrate how susceptible KBA systems are to stolen identity data.

  • Breach 1: In May 2015, thieves gained access to the IRS’s “Get Transcript” program by entering taxpayers’ personal information (name, address, social security number) and answering several personal verification questions. Once inside, the thieves downloaded copies of income tax returns and then used them to file phony tax returns in the names of their victims and claim refunds.
  • Breach 2: In February 2016, thieves breached the IRS’s electronic filing personal identification number (E-File PIN) application, which allows taxpayers to retrieve their PINs. Astoundingly, the thieves accessed the application by entering personal data and answering KBA questions similar to the ones used by the Get Transcript application. According to the IRS, thieves attempted to gain access to E-File PINs for more than 450,000 Social Security numbers, and they succeeded in 101,000 of those efforts.

So what is the answer? How can organizations protect themselves when cyber thieves have all the tools they need to impersonate citizens, download their tax records, file their taxes, and steal millions of dollars in fraudulent refunds?

The obvious answer is to stop relying on KBA systems as the primary way to authenticate users’ access to critical data. While low-risk transactions can use standard assurance methods to promote convenience, high-risk transactions should leverage stronger authentication methods. For example, when a user needs to access high-risk financial or personal data, organizations can take advantage of multi-factor authentication systems that require at least two factors to verify the user’s identity. Multi-factor authentication approaches balance security with user convenience by combining something you have (like a cell phone) with something you know (the name of your first pet) to increase assurance that the right person is gaining access. Organizations can also improve security by verifying changes to high-risk user information out-of-band (requesting confirmation of a person’s identity during a transaction via phone call or email). And lastly, activity monitoring can help detect suspicious activity, such as login attempts/failures, volume of downloads, and PIN requests to improve the application of governance controls.

While these changes will mean increased investment in IT security and may potentially reduce customer convenience, they are absolute prerequisites for managing access to personal or sensitive data in today’s increasingly digital world.