Questions used by service providers to authenticate users' identities can no longer be the only means of verification, given that the answers can be easily found using search engines, social networking sites, or through spear phishing attacks. They should, instead, be part of a multi-level authentication strategy, observers say.
Joseph Steinberg, CEO of Green Armor Solutions, said that in today's climate of easy Internet access through mobile devices and a growing number of digital natives posting personal information online, authentication questions for network and Web site access are no longer safe.
This is because information once deemed confidential, such as one's identity or social security number and one's mother's maiden name, can now be found by simply doing a search on Google, Steinberg explained.
Social media platforms are also good hunting ground for cybercriminals looking to find users' personal details, he pointed out. For instance, LinkedIn is a good resource for those looking for answers to questions on a person's first job, the university they studied in, and even the city the university was based in. Facebook or Pinterest, on the other hand, could provide answers to a person's mother's maiden name, the city he grew up in, or his personal interests, he said.
Ronnie Ng, director of systems engineering at Symantec Singapore, added that cybercriminals who have conducted spear phishing attacks to obtain a user's password would likely also possess the information needed to crack simple authentication questions.
Knowledge-based questions not safe either
There are stronger types of authentication questions, or "knowledge-based questions", which cannot be answered by an educated guess after trawling for information online, Steinberg noted.
These questions usually draw on non-public information, such as the amount of a person's monthly mortgage payment, the name of the bank used to make that payment every month, or the street the user lived on many years ago, he stated.
Chris Brennan, CEO of NetAuthority, said knowledge-based authentication can be too complicated, however, which then undermines user experience and consumer satisfaction. The answers for such questions could be too obscure, so users are unlikely to remember them, he said.
Marketing executive Olivia Chu agreed with Brennan's assessment. She recounted that when her bank asks her when her last transaction was made, she tends to not remember. "I have to think really hard, and it's really annoying even though it's for the safety of my account," she said.
These knowledge-based authentication questions are not immune to being cracked either, warned Steinberg. For instance, some mortgage records are publicly available, and persistent hackers can derive the right answer from the information they have gathered, he noted.
To strengthen security, Symantec's Ng called on service providers to devise multi-level authentication schemes to secure their networks and sites and protect their customers.
Device-based authentication, in tandem with knowledge-based questions, will make security that much tighter. For identity verification, a series of questions should be asked, he added.
That said, such strategies should be developed with users' convenience in mind too, the director urged. This is so that people are not too put off by the additional security layers and longer time taken to authenticate themselves.
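As an added illustration of the step-up policy Ng describes (device recognition combined with a series of knowledge-based questions, balanced against convenience), the following example code is not from the article or from any vendor named in it. It assumes the password has already been checked, that the device identifier is an opaque token the client presents, and that the questions, answers and required counts are made-up.

```python
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for your hardware


def normalize(answer: str) -> str:
    """Fold case, strip accents and punctuation, collapse whitespace so memorable
    variants ("Maple Ave." vs "maple ave") compare equal without weakening the answer."""
    ascii_only = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return " ".join(ascii_only.casefold().replace(".", "").split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Store answers like passwords: salted, slow hash, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    answer_hashes: dict        # question -> hash of normalized answer
    trusted_devices: set       # opaque device tokens seen before (assumed)


def enroll(questions_answers: dict, trusted_devices) -> Account:
    salt = os.urandom(16)
    hashes = {q: hash_answer(a, salt) for q, a in questions_answers.items()}
    return Account(salt, hashes, set(trusted_devices))


def questions_required(account: Account, device_token: str) -> int:
    """Step-up policy: a recognised device answers one question (convenience);
    an unknown device must answer every enrolled question (tighter security)."""
    return 1 if device_token in account.trusted_devices else len(account.answer_hashes)


def verify(account: Account, device_token: str, answers: dict) -> bool:
    """Password is assumed already verified. True only when enough supplied
    answers match; each comparison is constant-time on the hashes."""
    correct = 0
    for question, supplied in answers.items():
        expected = account.answer_hashes.get(question)
        if expected is not None and hmac.compare_digest(hash_answer(supplied, account.salt), expected):
            correct += 1
    return correct >= questions_required(account, device_token)
```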
Users also have a role to play in that they should create questions with unique answers that only they would know, and ensure this information is not compromised or shared on public platforms, Ng stated.