The IP PIN is an effective means to solve the identity theft problem that caused the IRS data breach in 2015. An IP PIN is not as good as a physical second factor, e.g. a FIDO security key or a grid card, but better than easy to break identity verification questions. Moreover, IP PINs are easy to rollout by mail, and the effort for implementation is moderate.
Unfortunately, sometimes they get lost and must be recovered. This means that we need a method for the unambiguous identification of a person. For this the IRS uses easy-to-guess identity verification questions. On Krebs on Security we read:
‘The problem, as Wittrock’s case made clear, is that IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.’
‘Empower Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of security. By judiciously combining a strong password with additional factors, such as a fingerprint or a single use code delivered in a text message, Americans can make their accounts even more secure.’
On 10 June 2014 I wrote my first post on this blog about the eBay data breach, which was published on 21 May 2014. This Thursday, nearly a year later, the Internal Revenue Service (IRS) data breach was made public. Cyber attackers used personal information mined from other attacks, even perhaps from the eBay attack, to breach the “Get Transcript” accounts of more than 100,000 taxpayers.
Jose Pagliery wrote on CNN Money on May 26, 2015: “The IRS said criminals were able to use the Get Transcript service, because they plugged in personal data they had already stolen: Social Security numbers, birthdays, physical addresses and more. They even answered correctly those personal identity verification questions — the ones we all know as being too specific, annoying and difficult to answer ourselves.”
FIDO U2F Security Key
Well said, those identity verification questions are really annoying. And inherently unsafe, as we learned from a Google study published this week.
And yet the obvious solution would be to discard all those questions and to use Two Factor Authorization instead. For example a FIDO U2F security key in combination with a one-time PIN or fingerprint would be a nearly unbreakable and cheap solution.
How many data breaches must still take place before organizations seriously start securing their customers personal data?