Troy Hunt recently testified before the US Congress about Data Breaches. The focus was how data breaches affect knowledge based authentication. Identity verification in a post breach world is more challenging than ever.

His testimony is available on his blog. It is worth a read – I’ll wait here until you return.

You can watch the hearing on YouTube. (1.5 hours)



Much of his talk comes from his experience running a website tracking data breaches. If you have not already checked your information in Have I Been Pwned, take a look. You can have it notify you if your account turns up in a data breach.

Summary of Testimony

I will reproduce the summary from his blog (emphasis mine):

Data breaches occur via a variety of different “vectors” including malicious activity by attackers exploiting vulnerabilities, misconfiguration on behalf of system owners and software products intentionally exposing data by design.

There is frequently a long lead-time (sometimes many years) between a data breach and the service owner (and those in the breach) learning of the incident. We have no idea of how many incidents have already occurred but are yet to come to light.

The industry has created a “perfect storm” for data exposure. The rapid emergence of cheap, easily accessible cloud services has accelerated the growth of other online services collecting data.

Further to that, the rapidly emerging “Internet of Things” is enabling us to digitize all new classes of information thus exposing them to the risk of a data breach.

An attitude of “data maximization” is causing services to request extensive personal information well beyond the scope of what is needed to provide that service. That data is usually then retained for perpetuity thus adding to an individual’s overall risk.

Lack of accountability means that even in the wake of serious breaches, very little changes in the industry and we continually see other organizations repeat the same mistakes as their peers.

Data breaches are redistributed extensively. There’s an active trading scene exchanging data both for monetary gain and simply as a hobby; people collect (and thus replicate) breaches.

Many of the personal data attributes exposed in breaches cannot be changed once in the public domain, nor can these breaches be “scrubbed” from the internet once circulating.

Even without data breaches, we’re willingly exposing a huge amount of personal information publicly via platforms such as social media.

The prevalence with which our personal data is exposed has a fundamental impact on the viability of knowledge based authentication. Knowledge which was once personal and could be relied upon to verify an individual’s identity is now frequently public knowledge.

This last point is the salient one:

Knowledge that was once personal and could be relied upon to verify an individual’s identity is now frequently public knowledge.

Analysis of the Talk

Education is Key

Troy thinks education is the key factor behind many of the misconfigurations that allow breaches. I’m not sure exactly what the cause is, but to me it is likely a combination of many factors:

Lazy development that doesn’t take security seriously

Poor funding for data security until a data breach occurs

Lack of expertise in how to secure organizational data from intruders

You Are Being Owned…Please Wait

The long lag between when a breach occurs and when it is discovered is especially troublesome. It is a seriously hard pill to swallow. LinkedIn had a breach in 2012 whose impact was not known until 2016. They’re not the only ones. Dropbox had a similar thing happen. So did Tumblr. Years later we find out how bad the data breaches were.

We have no idea of how many incidents have already occurred but are yet to come to light.

Perfect Storm

The situation is exacerbated by the increase in cloud services, users’ predilection to share (social media), cheap storage costs, IoT, and service providers’ desire to gather more and more information – even if it is not necessary to the service. Since the data is valuable and it is cheaper to store than before, organizations hold on to it forever. This creates the “perfect storm” that Troy refers to.

After a data breach it is all downhill from there. The stolen data is quickly traded and redistributed throughout the internet, by everyone from security hobbyists and curious adolescents to nation states and intelligence agencies.

Once data has been leaked there is no setting it right. We cannot put the genie back in the bottle, the toothpaste back in the tube, etc.

Knowledge Based Authentication Fail

All of these points crescendo in the current state of knowledge based authentication. The security questions used to verify your identity on websites can be answered from widely known information, i.e. the authentication is faulty. Someone’s birth date, the name of their first pet, the model of their first car, etc. are easier than ever to obtain.

Account-a-what?

Lastly, there is a lack of accountability for the breaches. If you collect data about others, you are responsible for it. Yet all too often organizations discover years later that they suffered a massive data breach and then proclaim to the press that they were hacked by evildoers and caught unprepared.

Then they progress through the stages of data breach grief:

1. OMG I just read the news and found out we’ve been hacked
2. Turns out it was 4 years ago
3. Blame evil hackers while proclaiming innocence as a naive victim
4. The media turns up the heat – time to blame some systems administrator
5. Offer your customers credit monitoring
6. Acceptance
7. Wait until the next hack, then GOTO step #1

As they progress through the stages of grief they sway from claiming ignorance, to blaming a system administrator, to offering free credit reporting, and then hold their breath until the next gigantic data breach takes everyone’s mind off theirs and transfers it to another organization.

Because there is no accountability for data breaches we see the same exploits happen over and over.

Conclusions

We need to adapt and verify a claimed identity differently. Knowledge based authentication has many contemporary flaws and cannot be trusted.

Using an SSN as an identifier can be OK.

Using an SSN as a piece of authentication is bad.

Personally I use a password management program to generate strong passwords and keep them stored for me. I also use this for security questions. For example, when I am asked a security question like “what city were you born in?” my response is something like “x8Yk#$lPpzBvc4r”.
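As an added illustration of this approach (my example, not Troy’s code or any password manager’s feature), the script below generates random “answers” for security questions and puts a number on why they beat the real ones: a 16-character random answer has roughly 98 bits of search space, while “one of the 1,000 largest cities” is under 10 bits before anything has leaked, and zero once it has. The alphabet and the 16-character length are assumptions; adjust them to what a given site accepts.

```python
import math
import secrets
import string

# Assumed alphabet: letters, digits and a few symbols most sites accept.
ALPHABET = string.ascii_letters + string.digits + "#$%*+-=?@"


def random_answer(length: int = 16) -> str:
    """Return a cryptographically random string to use in place of a real
    answer to a question such as 'what city were you born in?'."""
    if length < 8:
        raise ValueError("answers shorter than 8 characters defeat the purpose")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Search space, in bits, of a uniformly random string."""
    return length * math.log2(alphabet_size)


def guessable_entropy_bits(plausible_answers: int) -> float:
    """Upper bound on the bits an attacker must guess when the true answer is
    one of N plausible values (e.g. the N largest cities) and nothing about
    the person has leaked. Once the answer is in a breach or on social
    media, the effective value is zero."""
    return math.log2(plausible_answers)


def answers_for(questions):
    """Map each security question to a fresh random answer, ready to be
    stored in a password manager next to the account's credentials."""
    return {q: random_answer() for q in questions}


if __name__ == "__main__":
    questions = ["What city were you born in?", "Name of your first pet?"]
    for question, answer in answers_for(questions).items():
        print(f"{question} -> {answer}")
    print(f"random answer: {entropy_bits(len(ALPHABET), 16):.1f} bits")
    print(f"real city (1 of 1000): {guessable_entropy_bits(1000):.1f} bits")
```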

The next time you are on the phone with customer service and the agent tries to verify your identity by asking for the last 4 digits of your SSN plus your birth date, think about how easy it would be for someone modestly motivated to impersonate you.

Thanks for reading!
