Proving a Negative

James Everett Lee
Chief Operating Officer   The Identity Theft Resource Center

Proving there is a “you” has never been easier; proving you are the only you, not so much. We learned in math class in high school that you cannot prove a negative. Or to be more precise, we learned that you cannot solve a negative proof. As a result, in math and logic, we spend most of our time and effort trying to prove a positive.

Applying that principle to modern day cybersecurity and identity, we spend a lot of time trying to prove “I am who I say I am”, rather than “who I am not.” And that’s where the trouble begins.

With the rise of the commercial internet and remote transactions in the 1990s, we needed a way to prove someone on the other end of an account or transaction was who they claimed to be. After all, as pointed out by New Yorker cartoonist Peter Steiner, “On the internet, no one knows you’re a dog.”

The solution was Knowledge Based Authentication or KBA. At the most basic level in the early 2000s, we asked for your mother’s maiden name or for the name of your first car when you set up an account. The theory was this information known only to you. 

Most sophisticated (and risky) transactions required more sophisticated data, so rather than ask you for information, we would ask you to verify the so-called “wallet data.” This was information readily available for purchase from data brokers and credit reporting agencies. 

Before you could get a job or buy that big screen television, you had to answer questions like “At which of these addresses did you live?” or “Do you see your current employer listed?”

For a while, these rudimentary (and later more sophisticated) processes did a good job of protecting company data assets and the personal information of consumers. While we celebrated the effectiveness of these new tools, threat actors plotted and schemed on how to get around them. 

Behold, the rise of the Data Breach. By 2004, KBA was on the way to being ubiquitous, however, cybercriminals and cyberthieves needed wallet data to continue to wreak havoc. In 2005 it was revealed that a criminal gang had stolen credit bureau “header data” from a data broker. The thieves had by-passed the very authentication procedures – based on KBA – designed to protect personal identity data by stealing the wallet information needed to prove you were who you declare to be.

Since 2005, Knowledge Based Authenticators (KBAs) have become entrenched while data breaches aimed at stealing wallet data have become standard operating procedure for cybercriminals. Between 2005 and 2018, nearly 10,000 data breaches were publicly reported in the U.S. By 2020, some 15 billion data points used for authentication were for sale at any given time on identity forums.

Meanwhile, another trend was taking hold that would further undermine the effectiveness of KBA: social media. As the volume and velocity of data breaches grew, so did investment in cybersecurity and data protection. However, much of the personal information once available only via purchased data was being posted voluntarily on social media platforms. 

Family members’ names, phone numbers, past and present employers, relationship status, gender, race, birthdate, photos, and more was being posted on social media. A new cybercriminal with any skill could legally scrape data posted publicly for free. Data that was highly guarded and (still) protected by state data breach laws was being posted out in the open for all to see, and use.

Then came 2018. Q3 2018 to be precise. That’s when cybercriminals began their move to a new business model with a reliance on phishing schemes and ransomware attacks to generate massive amounts of revenue. No longer did they need to execute mass data breaches designed to collect wallet data or individual financial accounts. 

Why? Because they had all the personal information needed from more than a decade of data breaches. They were simply sitting on a mountain of personal information waiting for the precise moment to monetize it.

That moment came in 2020 in the form of a global pandemic and the U.S. Congress pumping trillions of dollars into the economy in the form of enhanced unemployment benefits, stimulus checks, and forgivable government loans. The only thing standing between cyberthieves and hundreds of billions of dollars was – wait for it – antiquated state government systems that relied on little to no identity authentication beyond KBAs. (Even then, many states relaxed their authentication protocols in order to speed up needed benefits to applicants.)

As of today, the official tally of unemployment benefit fraud alone stands at $63 billion. On a recent podcast with the Identity Theft Resource Center, the CEO of estimated the identity-related fraud figure to be between $200-$300 billion based on their work with different U.S. states. 

If KBAs are both ubiquitous and beyond their expiration date, what’s an organization to do? NIST recently updated the publication Digital Identity Guidelines (SP 800-63) that helps match risk to the level of identity proofing required to prove someone is who they say they are. That’s a good place to start. The cybersecurity concept of Zero-Trust is also a good guide and some  would argue it is mandatory.

There are also a number of tools that are entering the mainstream that can reduce or eliminate the need for wallet data with more on the way. With  90 percent of the working age U.S. population owning a smart device, there are numerous techniques and actions that can validate identities without endangering personal information. 

Tokenization ensures personal information never leaves a device. The use of multi-factor authentication using an app offers real-time validation. Using live or real time photos coupled with forensic tools ensures a photo is real, the face is of a live person – not a mask or photo of a photo – and matches the location of the person seeking authentication. 

And wallet data can still be helpful with filling in the blanks.

James Everett Lee

Tags: , , , , ,