Blogger: Mark Diodati
You may have read that vice presidential candidate Sarah Palin’s Yahoo! email account was hacked via a self-service password reset application. The hacker gained access to the account by knowing three pieces of information about Sarah: her date of birth, her zip code, and where she met her husband. This incident illustrates one of the vulnerabilities of knowledge-based authentication (KBA): the targeted attack, in which the attacker researches a specific victim. The Chicago Tribune has a great summary of the attack here. The self-service application is an example of using static KBA as an identity proofing process. Static KBA systems use a non-changing set of easily guessed or self-selected questions to prove a user’s identity at specific authentication lifecycle milestones, when the primary authentication method (in this case, the user’s password) cannot be used. Situations where KBA is used include account origination and account unlock.
We’ve expressed our concerns about static KBA in the past in several of our research documents, and also on our blog (here and here). Static KBA is not acceptable for use with higher identity assurance applications or stronger authentication devices. It is safe to assume that the email account had higher identity assurance requirements, especially because it appears that the email account was used to conduct government business. Many consumer-facing organizations – not just Yahoo! – use static KBA because it is perceived as less expensive than other identity proofing methods like dynamic KBA and out-of-band identity proofing (our blog entries here and here discuss these techniques). Also, many enterprises use static KBA for their employees.
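As an added illustration (not code from the original post, from Yahoo!, or from any vendor), the following Python sketch contrasts the two proofing gates discussed above: a static KBA check against fixed, guessable facts with no attempt limit, and an out-of-band gate that sends a single-use code to a channel the user already controls and locks out after a few failures. The account data, class names and the delivery callback are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed account record for the example: fixed facts of the kind static
# KBA relies on (birth date, ZIP code, where the user met their spouse).
# Values are made up; several such facts are public or easy to guess.
STATIC_KBA_ANSWERS = {"dob": "1970-01-01", "zip": "12345", "met_spouse": "college"}

def _answer_hash(answer: str) -> str:
    # Normalise case and whitespace so "College" and "college " compare equal.
    normalised = " ".join(answer.lower().split())
    return hashlib.sha256(normalised.encode()).hexdigest()

class StaticKbaResetGate:
    """Static KBA: anyone who knows three unchanging facts can reset the
    password. There is no attempt limit, so guessing is unbounded."""
    def __init__(self, answers: dict) -> None:
        self._hashes = {q: _answer_hash(a) for q, a in answers.items()}

    def verify(self, supplied: dict) -> bool:
        return all(hmac.compare_digest(h, _answer_hash(supplied.get(q, "")))
                   for q, h in self._hashes.items())

class OutOfBandResetGate:
    """Out-of-band proofing: a one-time code goes to a channel the user already
    controls; codes are single-use and the flow locks after MAX_ATTEMPTS."""
    MAX_ATTEMPTS = 3

    def __init__(self, deliver) -> None:
        self._deliver = deliver  # callable(account, code): sends the code out-of-band
        self._pending = {}       # account -> [code, attempts_left]

    def start(self, account: str) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[account] = [code, self.MAX_ATTEMPTS]
        self._deliver(account, code)

    def verify(self, account: str, code: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False  # no reset in progress, or locked out
        if hmac.compare_digest(entry[0], code):
            del self._pending[account]  # single use
            return True
        entry[1] -= 1
        if entry[1] <= 0:
            del self._pending[account]  # lockout: a fresh start() is required
        return False
```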
There are some indications that Federal financial regulatory agencies are beginning to acknowledge the risk of static KBA, and potentially exclude its use when access to money or private information is possible. Let’s hope that happens soon. Fraudsters are several easy questions away from accessing consumers’ email, money, and confidential information – at will. Shouldn’t consumer-facing organizations stop putting lipstick on a pig, and go with better identity proofing processes?