Hackers Find Utility in Knowledge-based Authentication Technology

Security experts are warning that a newly developed technology called 'knowledge-based authentication' could work as a convenient tool for hackers to capture users' online accounts.

Knowledge-based authentication functions as an additional security application without replacing usernames and passwords while not allowing revelation of answers to questions. Since to get to know a user's log-in credentials or solutions to personal queries from that user's computer, hackers need keylogging software accomplishing the task becomes difficult for them.

According to Jon Fisher, owner of Bharosa, a company that devises questions for enterprises, knowledge-based authentication is an extra step to access an account. Fisher says that to phish both the items of information require fair amount of sophistication, as reported by COMPUTERWORLD on March 27, 2008.

But, Lance James, Chief Technical Officer of Secure Science, a fraud research firm, scammers have found a way out by adding confidential questions to pages they create as bait to trap end-users, as reported by COMPUTERWORLD on March 27, 2008.

Further, security researchers note that having known the weaknesses of the technology; most organizations have increased the number of questions on their lists. But, it might be quite a difficult task to frame questions that would be so general that everyone can answer, yet so specific that one can easily recall. Consequently, simple stages for thwarting fraudulent use of the authentication technology could prove quite effective.

However, according to James, personal identifying questions are getting even more weird., as reported by Info World on March 26, 2008.

In the meantime, Anti-fraud firm, Actimize's Amir Orad, says that people might still not stop giving out personal information in near future. He says that such a trend is not likely to stop. The behavior of a huge 200 Million users of MySpace and Facebook might not be possible to change, as reported by InfoWorld on March 26, 2008.

Orad feels merchants and banks should rather devise systems to identify the obscure fraudulent practices similar to the way in which credit companies detect suspicious purchases and alert their customers.

According to security vendors and security experts, online crimes can be thwarted if people stop sharing their personal information or questions improperly on the Internet.

Related article: Hackers Redirect Windows Live Search to Malicious Sites

» SPAMfighter News - 4/5/2008