Fraud Prevention; Treasury Management
June 23, 2010
Knowledge is Power
Knowledge-based authentication (KBA), which draws its questions from personal information held in commercial databases rather than from security questions the user chose at enrollment, is supposed to be more resistant to phishing. In response, fraudsters have turned their phishing efforts on the people who hold the keys to those databases.
Unlike the security questions users choose when they enroll, KBA questions do not ask them to name their favorite movie or high school mascot. "These are those questions where you have to scratch your head and jog your memory, i.e., what was that first car you drove, what year was your mother in fact born [she didn't like to talk about it]," and so on, Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc., wrote on her blog June 17. Because the questions are generated from those records at authentication time rather than chosen by the user in advance, there is no fixed answer for a phisher to harvest from the user, so they are supposedly more difficult for bad guys to predict.
But in practice, the reverse has been true. "I have had a hard time figuring out how so many crooks have been so easily able to answer these questions successfully, when even the legitimate users have such a tough time remembering the right answers to them," she wrote.
What happened was the bad guys began targeting "employees who work at the public data aggregators that provide the original data and knowledge-based authentication systems used to authenticate users," Litan wrote. "They simply get access to these employees' accounts and get the keys to the data treasures. They can look up anything that is known about any of us, and armed with that information they can bypass most knowledge-based authentication systems."