“On what street did you grow up?” your bank’s website might ask. “In what city did you meet your spouse?”
Having the answers to such questions helps unlock access to your account. It’s called “knowledge-based authentication,” a security measure that uses a mix of facts about your life, much like a fingerprint, to verify your identity.
But the answers to such questions aren’t just in your memory. Data brokers are shuffling together piles of public and private records in order to build detailed profiles of individuals. Recently there was discouraging news that hackers had breached some data brokers’ information storehouses, with ID theft in mind.
Now it looks like the hackers could be out of a job. Some data brokers are just selling people’s identifying details to fraudsters directly, right out the front door.
In a widely discussed case, cybersecurity journalist Brian Krebs revealed that a data broker called Court Ventures — a unit of credit bureau Experian — sold data to a fraudster supply shop called Superget.info. Superget posed as a legitimate buyer, then sold the bundles of consumer data to people looking to take over consumers’ identities and open accounts in their names.
The Secret Service lured Hieu Minh Ngo, the accused Vietnamese principal behind Superget, to Guam by pretending to offer him a business deal, Krebs reported. There agents put the cuffs on Ngo — after he had sold information on about 500,000 consumers over a span of five years, according to a federal indictment in New Hampshire that was announced last week.
Yes, the firm Ngo bought data from is a unit of the same Experian that sells anti-ID theft services. The irony meter went off the scale, but privacy advocates weren’t completely shocked.
“When you’re dealing with data broker information, essentially you’re dealing with the wild wild West,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse. “Data is sold and resold with abandon.”
In fact, Court Ventures exchanged data with another data broker, USInfoSearch.com, to get access to a broader range of data. Combining Court Ventures’ crime and bankruptcy records with other ID information makes the total package more valuable to both companies, Stephens explained. Of course, such complete packages are also useful to identity thieves.
There were signs that a data broker scandal was coming. In May the Federal Trade Commission announced that it had conducted a secret-shopper test of 45 data brokers and sent warning letters to 10 of them. The 10 were willing to sell consumer information without checking to see if the buyer was legit, the FTC said.
Under the Fair Credit Reporting Act, sellers of consumer information are supposed to take a hard look at the buyers before giving them your sensitive details. However, legal hair-splitting makes it hard to tell when a data broker falls under the law’s requirement. Consequently, the FTC’s warnings weren’t exactly stern. “The letters are not an official notice by the Commission that any of the named companies is subject to the requirements of the FCRA,” the agency’s announcement backpedaled.
In an emailed statement, Experian emphasized that the fraudster Superget began to access Court Ventures’ data — including the data obtained from USInfoSearch — before Experian bought the compromised company in March 2012. Experian’s credit report files weren’t accessed, the company said. The credit bureau learned about the scam from federal investigators and cooperated in the effort to shut it down.
Maybe this will be the breach that forces change. “We’re hopeful the FTC will take some action to get the situation under control,” Stephens of the privacy advocacy group said. If the Fair Credit Reporting Act doesn’t have the regulatory muscle to rein in data brokers, plain old anti-fraud laws should work.
But with data brokers working both sides of the ID protection street, it seems like a good time to rethink the whole idea of knowledge-based authentication.
“I think we’re going to have to see some sort of shift in the manner it is used,” Stephens said. “You have numerous organizations that use it with a certain degree of success, but it certainly is vulnerable.”