An enormous amount of sensitive information including Social Security numbers (SSNs) for millions of people could be in the hands of a hacking group after a data breach and may have been released on an online marketplace.
Earlier this year the hacking group USDoD claimed it had stolen 2.9 billion records for citizens of the U.S., U.K. and Canada from National Public Data and had put that data up for sale on the dark web for $3.5 million. This is a massive breach including names, address histories, phone numbers and SSNs of millions of Americans (both living and deceased).
This breach may be the straw that broke the camel’s back of knowledge-based authentication — at least flavors of knowledge-based authentication (KBA) that rely on the last four digits of a person’s SSN.
Why this Breach is Different
While all data breaches pose cybersecurity threats and increase the likelihood of identity theft on a broad scale, it’s the inclusion of those SSNs that makes this one particularly dangerous.
SSNs go way back. They were first assigned to Americans in 1936 to track individuals’ earnings. They’ve become so ubiquitous that SSNs have become de facto personal identifiers. Because each number is unique to an individual and never changes during their lifetime, everyone from government agencies to credit bureaus and employers relies on SSNs as a key ingredient of their identity proofing processes. Most Americans are probably asked for the last four digits of their SSN on a near-monthly basis.
Essential Security Steps for Consumers After a Breach
Whenever there is a breach of this scale, consumers are strongly encouraged to take the following actions:
- Update antivirus software and perform security scans
- Update passwords, especially for email and banking accounts (and make them strong)
- Turn on multi-factor authentication as an extra layer of protection
- Check credit reports. Consider placing a freeze with all three bureaus (Experian, Equifax and TransUnion).
- Be especially careful with email and social media accounts
- Be on the lookout for phishing scams
Naturally, consumers should take measures to protect themselves, but what role do organizations play in minimizing the impact of breaches like this one?
What’s the Risk?
The person providing a name, address or the last four digits of an SSN is just as likely to be a hacker as they are to be the legitimate user of your service. Fraudsters use stolen account information like usernames, passwords, email addresses, mailing addresses, bank account details and Social Security numbers — all readily available on the dark web. They change passwords to lock users out of their accounts, steal money, and often launch a full-scale attack on a person’s identity. Fraudsters move quickly to use the data gathered from one account takeover scheme or data breach to take over additional accounts at other companies. What’s more troubling is that criminals often collaborate and sell compromised identities to the highest bidder, resulting in further damage to the consumer’s accounts and identity.
Taking a Fresh Look at Biometric-Based Authentication
If you’re still asking users for the last four digits of their SSN — stop it.
Instead, consider more reliable and secure ways of identity verification and authentication that incorporate advanced technologies such as biometrics and liveness detection. Here are a few of the advantages of biometric-based authentication:
1. Fast and Convenient
Face-based verification can be done within seconds and is a convenient and secure method for protecting against ID fraud. In fact, a recent Kaspersky study found that 57% of respondents prefer biometric authentication over passwords for accessing online accounts and 81% of consumers consider biometrics a more secure method of identity verification compared to traditional methods.
2. Superior Fraud Protection
A key consideration of biometric authentication is how to stop presentation attacks such as spoofing, which are often sophisticated attempts to defeat a biometric verification. Liveness detection methods significantly reduce the effectiveness of spoofing and other presentation attacks. By making it extremely difficult for fraudsters to bypass authentication, organizations dramatically reduce their fraud losses, often by 90% or more. And as biometrics seal up security holes, fraudsters look elsewhere for an easier target, so the number of fraud attempts begins to shrink.
3. Much Harder to Hack
Biometric authentication is a great KBA replacement because it has no information that hackers can steal. To have a chance at stealing biometric data, hackers have to target specific individuals. As David G.W. Birch points out in Forbes, biometric templates “are much more secure because they do not store the biometric itself but an abstraction of it.” It does not eliminate the risk, he notes, but it dramatically reduces the ease, cost-effectiveness and scalability of attacks based on stolen templates.
Jumio’s Approach to Biometric Authentication
All biometric recognition solutions use a comparison of the digital representation of a physical or behavioral feature with a previous template.
Here’s how we do it at Jumio:
1. Acquire
When a new online account is created, Jumio captures an image of a valid government-issued ID (driver’s license, passport or ID card) and a selfie, from which a biometric identification template is created.
2. Enroll
At enrollment, the selfie is automatically compared to the photo on the ID to reliably establish the digital identity of the new user. The algorithm uses key identifiers and biometric features to verify the user’s photo during the onboarding process.
3. Authenticate
When future user authentication is needed, Jumio Authentication captures a fresh selfie, generates a new biometric template and compares it to the original biometric information to unlock the user’s digital identity in seconds for continuous authentication.
More organizations are moving away from knowledge-based authentication and deploying biometric authentication solutions. They’re being used for a variety of use cases including authorizing high-risk transactions, password reset attempts, and patient identification in healthcare.
The Time is Now
Historically, businesses were slow to adopt biometrics because of concerns about user adoption. But over the last few years, biometric-based authentication has gone mainstream. Moreover, biometric authentication solutions enhance the user experience by eliminating the need for remembering passwords, answering KBA questions (e.g., what’s your mother’s maiden name?) or divulging their Social Security number — even if it’s the last four digits.
Forward-thinking enterprises are realizing that face-based biometrics is the most effective approach for allowing customers access to goods and services while simultaneously protecting their accounts from identity theft and account takeovers.
To learn more about how Jumio can help you kick KBA to the curb, contact us to speak with one of our solution specialists.