Knowledge is Power
6/23/2010 05:00:00 PM
Knowledge-based authentication — using personal information from databases instead of predetermined security questions — is supposed to be more resistant to phishing. In response, fraudsters have turned their phishing efforts to the databases themselves.
Unlike the security questions users choose when they enroll, KBA questions do not ask them to name their favorite movie or high school mascot. "These are those questions where you have to scratch your head and jog your memory, i.e., what was that first car you drove, what year was your mother in fact born [she didn't like to talk about it]," and so on, Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc., wrote on her blog June 17. Because the questions are drawn from records rather than chosen by the user, nobody knows in advance which ones will be asked, so they are supposed to be harder for an attacker to predict.
But in practice, the reverse has been true. "I have had a hard time figuring out how so many crooks have been so easily able to answer these questions successfully, when even the legitimate users have such a tough time remembering the right answers to them," she wrote.
What happened...