Santander U.K. recently warned that celebrities were setting a bad example on social sites by oversharing personal information, including pet names and dates of birth. This is the exact information that cybercriminals use to break into legitimate user accounts and fraudulently open new accounts by impersonating a real person. A few days after Santander’s warning, a cybercriminal managed to steal more than 100 million consumer applications for credit from Capital One. Ironic.
The truth is that we’re living in different times given the explosion of social media and the sheer quantity and depth of personal information that is openly shared. Let’s face it: expecting users to keep pet names and dates of birth confidential is just not realistic. Here are 5 ways in which attackers can obtain this information relatively easily:
1) Buy it
The Capital One breach is just one out of many. See for example the Equifax breach and the long list of data breaches here.
2) Phishing
There are endless ways of phishing for personal information. For example, the attacker could send you an invitation to register for a new, exciting (yet fake) service and as part of the short enrollment process ask for the name of your pet and your date of birth.
3) Vishing
The attacker calls you, pretending to be your bank (or any other provider), and asks for your date of birth and the name of your pet as part of the “authentication” process.
4) Social media
As per the above, personal information is widely available on social media. With a culture of ‘oversharing’ on public, open networks, finding personal information is not hard at all.
5) Get it from someone else
Even if you’re so security conscious that you would never fall for any of the above methods, there are others who know your date of birth and the name of your pet. These people can be tricked into providing this information about you, and that is completely out of your control.
Conclusion
The bottom line is that readily available, personal data should never be used for any security-related processes. Educating and then expecting users to keep their personal information private is nearly impossible in today’s hyper-social environment. It should be obvious by now that IT security and risk leaders should not be using authentication methods that rely on easy-to-steal, knowledge-based details.
Instead, we need to adopt new authentication methods, such as using a user’s trusted mobile device to help identify users across all applications and channels. Unfortunately, it’s not easy to do given all of the legacy IAM and application infrastructure we all have. It will take a new set of innovations and products that allow organizations to do this and solve this very complex problem. We’ll discuss approaches for migrating from knowledge-based to trusted mobile device authentication in future blog posts.