CHICAGO, Oct. 3, 2013 (GLOBE NEWSWIRE) -- Data breaches at knowledge based authentication (KBA) information providers LexisNexis, Dun & Bradstreet and Kroll Background America are a body blow to the common use of KBA technology to validate individuals' identities online.
With the revelation that "shared secrets" from people's lives may, in fact, no longer be very secret, organizations using KBA are at significantly greater risk.
"This hack and data breach is as dramatic as the hack against RSA in 2011," said Andy Rolfe, Authentify's chief technology officer. "The RSA hack exposed the systems of hundreds of companies using one-time password (OTP) tokens to potential intrusion by users that would seem legitimate. Similarly, this breach of KBA providers potentially exposes a large number of companies that rely on consumer information for critical purposes. Examples include those that grant credit, allow access to online accounts, reset passwords with challenge questions or use data to verify changing account information."
Authentify recommends adding an outbound telephone call to a well-established phone number as an additional authentication mechanism when KBA is used. This connects the real owner of the identity, in the physical world, to the new online account or change request that the KBA information was presented for.
Voice biometrics is another best practice for linking an online account to its legitimate owner. This affords protection from an attacker who has stolen account information, personal data or even stolen the end user's phone.
The addition of an outbound call limits a cybercriminal's ability to attack an identity or an account. This is because it requires knowledge of the account login and/or KBA information plus a telephone already associated with the actual person. This adds a significant layer of protection.
Outbound phone calls work because knowing is not the same as controlling. Many people know an individual's address, but how many criminals can actually be standing inside if you knock on the front door? Many people may know an individual's phone number, but how many can actually answer that phone when it rings? When an online user presents information such as a phone number or a street address, requiring that individual to answer the phone behind that number, provide information from something mailed to that street address, or both, is a strong authentication technique, much stronger than asking, "How long have you lived at your current address?"
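The control described above, as an added example that is not part of the release and not Authentify's own code: the challenge is always delivered to the phone number already on file, never to a number supplied in the request, and it is single-use, rate-limited and time-limited. The `place_call` callable is an assumed stand-in for a telephony provider.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    user_id: str
    phone_on_file: str  # established at enrollment, long before this request


@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts_left: int = 3


class OutOfBandVerifier:
    """Ties a KBA-approved request to possession of the phone already on file."""

    def __init__(self, place_call, ttl_seconds=120):
        self.place_call = place_call  # callable(phone, code); stands in for telephony
        self.ttl = ttl_seconds
        self._pending = {}

    def start(self, account, requested_phone, now):
        # The number presented in the request is deliberately ignored: someone who
        # answered the KBA questions from breached data could just as easily type in
        # a phone of their own. The call goes to the number on file. Returns the
        # number dialed so the caller can audit it.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[account.user_id] = Challenge(code, now + self.ttl)
        self.place_call(account.phone_on_file, code)
        return account.phone_on_file

    def complete(self, account, submitted_code, now):
        ch = self._pending.get(account.user_id)
        if ch is None:
            return False
        if now > ch.expires_at:
            del self._pending[account.user_id]  # stale challenge is discarded
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(ch.code, submitted_code)
        if ok or ch.attempts_left == 0:
            del self._pending[account.user_id]  # one-time use, limited guesses
        return ok
```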
Authentify has been protecting its customers from these threats for more than 10 years, using phone-based, out-of-band authentication to connect an online account to the actual person behind it.
Organizations are drawn to KBA because it enables them to cost-effectively open new accounts online or manage existing ones. Types of accounts vary but include everything from mortgage and loan applications to pension, social security and 401(k) distributions. In light of these breaches, some identities will be vulnerable when organizations validate these transactions by KBA alone.
Highly automated outbound phone calls can confirm that the human being who actually owns the identity and online account is behind an attempt to use it. This practice will significantly increase security.
For more information on Authentify's phone-based, out-of-band authentication technology, including its new xFA online security service and app that turns mobile devices into secure personal authenticators, visit www.authentify.com or call 773-243-0300.
About Authentify, Inc.
Authentify, Inc. is the leading innovator of global phone-based, out-of-band authentication services and was recently ranked as a visionary by Gartner. These services enable organizations that need strong security to quickly and cost-effectively add 2-factor or 3-factor authentication layers to user logon, transaction verification or critical changes such as adding a payee to an e-pay or wire account. The company's patented technology employs a service-oriented message architecture and XML API to seamlessly integrate into existing security processes. Authentify markets primarily to financial services firms that need to protect their clients' online accounts, corporate security professionals managing corporate access control and e-merchants who want to limit fraud on their sites.