Authenticating with "private" information: an ill-advised practice with far-reaching consequences

Within the past decade, massive data breaches have become more frequent and the number of records lost per breach has increased. Data breaches of US companies alone exposed more than 500 million records in 2013. However, users who reuse the same password across different services are just the tip of the iceberg regarding the consequences of data breaches. For authentication, users typically rely on only a small number of unique personal information attributes. These same attributes are used in several places and inevitably are lost, in large numbers, during data breaches.

This information is a veritable gold mine for cyber criminals, who use it to build comprehensive profiles of millions of users. Each time data is stolen, regardless of which organization has been breached, cyber criminals can correlate it with the information they already hold and refine their profiles. The amount of user profile data in the hands of cyber criminals is growing and becoming ever more accurate.

[Figure: "Data Breach Risk Iceberg". An iceberg above and below the waterline; the visible tip is labeled "Breached Passwords", the submerged part "Breached SSN, DOB".]

Once breached, data cannot be taken back. Users can change login and password information after a breach, but they cannot revoke compromised social security numbers (SSNs) or dates of birth (DOBs). Once this information is leaked, users are at risk of continued identity theft, which they cannot defend against. Our privacy and security is being eroded on an unprecedented scale.

Still, many government and private services require users to authenticate or identify themselves with personal attributes such as SSN and DOB. Data that was once considered confidential, can no longer be assumed to be, and is still used to authenticate users online or offline presents a challenge not only to the industry and the compromised enterprise but also to society.

Our latest analyst brief, Why Your Data Breach Is My Problem, discusses the risks of relying on private information that can no longer be kept private.

Follow me on Twitter @stefan_frei to keep informed as new research is released. 

Follow us on Twitter (@NSSLabs) to keep informed as new research is released.

TAGS: Authentication, Breach, Cybercrime, Cybersecurity, Data Breach, Data Protection, Password, Privacy