Andrea Peterson reports:
When you apply for a loan or try to recover your lost e-mail password, you’ll often be asked to give information about a long-ago address, employer, or bank account. You might also be asked for your Social Security number or driver’s license. The idea is that only the real you would know such obscure details about your past.
This system provides a convenient way to authenticate consumers, but it also has an important vulnerability: anyone who has access to a comprehensive database that contains this kind of information can impersonate you.
Read more on Washington Post.
I had linked to Brian Krebs’ scoop over on DataBreaches.net, and of course, his findings are relevant to the same issues I raised in my complaint to the FTC about Experian, who also uses “knowledge based authentication.” The status of my complaint to the FTC is unknown to me as they never tell you what they’re doing, if anything, until they actually do something and issue a press release.
The FTC and congressional committees looking into data aggregators and data brokers need to read Brian’s report carefully and assume that this is not just LexisNexis, Dun & Bradstreet, and Kroll – those are the only ones he knows about from what he acquired, but I would bet that there are more that we don’t know about.