The news about Governor Palin’s Yahoo account being hacked presents an interesting use-case for a dynamic KBA solution and gives me the opportunity to clear up a big misunderstanding people have about what [IDology’s] KBA really is.
First, let’s examine how the hacker accessed her email. According to this Wired article:
As detailed in the postings, the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.
You probably are already familiar with the type of security questions Yahoo uses to reset passwords – what is your mother’s maiden name? What is the name of your favorite pet? and so on. And yes, these questions are technically called “knowledge-based” because they are based on something that you know. But the key difference from a dynamic KBA solution is that these questions are static.
When companies use a static KBA solution, they require us as consumers to pick 1 or 2 “security” questions and provide them with the answers. We’ve seen one of the dangers of this scenario already. And quite frankly Palin is somewhat lucky. Since people tend to pick the same kind of security questions across their accounts, I hope that she has gone and changed her questions and answers at other, higher-risk places like her bank account. The other danger here is that all of these questions and answers are being stored by the company. Given the likelihood that people choose the same type of security questions for their bank account, email account, Amazon account, etc., a breach of this stored data could have enormous repercussions.
However, if Yahoo were using a dynamic KBA solution before allowing a password reset then the hacker would not have been able to trick the system. Why? Well, because the questions that would have been presented are created on-the-fly using information found in Palin’s personal and protected data records. She doesn’t pick the questions to present, and she either knows the right answer or she doesn’t. These questions are much more robust and are specifically designed to verify someone is who they claim to be. And there are deep analytics involved with dynamic KBA solutions to spot and stop suspicious activity.
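To make the difference between the two models concrete, here is an added example (not IDology’s product code, and not anything Yahoo ran) that puts a minimal static KBA store next to a minimal dynamic KBA challenge generator. The identity record, distractor pools and question texts are constructed sample data for this example only; a real dynamic KBA service would draw them from the personal and protected data records the post refers to. The static side shows the one mitigation available for the storage danger (a salted, slow hash of the normalised answer); the dynamic side shows that the user chooses nothing in advance, that each challenge is generated per request, is single-use and expires, and that repeated failures lock the user out, which stands in here for the analytics the post mentions.

```python
import hashlib
import hmac
import random
import secrets
import time


# ---------- Static KBA: the user picks the question and supplies the answer ----------
class StaticKBA:
    """User-chosen question with a stored answer. The answer is normalised and hashed
    with a per-user salt so a breach of this table does not leak the plaintext; the
    question itself still has to be stored, and a researchable answer stays researchable."""

    def __init__(self):
        self._store = {}  # user -> (question, salt, answer_hash)

    @staticmethod
    def _normalise(answer):
        return " ".join(answer.lower().split())  # case- and whitespace-insensitive

    def _hash(self, answer, salt):
        return hashlib.pbkdf2_hmac("sha256", self._normalise(answer).encode(), salt, 100_000)

    def enroll(self, user, question, answer):
        salt = secrets.token_bytes(16)
        self._store[user] = (question, salt, self._hash(answer, salt))

    def challenge(self, user):
        return self._store[user][0]  # the same question every time

    def verify(self, user, answer):
        _, salt, stored = self._store[user]
        return hmac.compare_digest(self._hash(answer, salt), stored)


# ---------- Dynamic KBA: questions generated per request from a data record ----------
# Constructed sample record and distractor pools for this example only.
RECORDS = {
    "alice": {"prior_street": "Maple Ave", "vehicle_year": 2004, "lender": "Example Credit Union"},
}
DISTRACTORS = {
    "prior_street": ["Oak St", "Pine Rd", "Cedar Ln"],
    "vehicle_year": [1999, 2007, 2011],
    "lender": ["Sample Bank", "Demo Savings", "Placeholder Finance"],
}
QUESTION_TEXT = {
    "prior_street": "Which of these streets have you lived on?",
    "vehicle_year": "In which year was a vehicle registered in your name?",
    "lender": "Which of these lenders have you held an account with?",
}


class DynamicKBA:
    """The user never chooses or pre-answers anything: each challenge is built on the fly,
    is single-use, expires, and repeated failures lock the user out (a minimal stand-in
    for the suspicious-activity analytics of a real service)."""

    def __init__(self, records, seed=None, max_attempts=3, ttl_seconds=120):
        self._records = records
        # A fixed seed is only for reproducible demos/tests; production uses SystemRandom.
        self._rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self._max_attempts = max_attempts
        self._ttl = ttl_seconds
        self._pending = {}   # challenge_id -> (user, correct option indices, expiry time)
        self._failures = {}  # user -> consecutive failed challenges

    def challenge(self, user, n_questions=2):
        if self._failures.get(user, 0) >= self._max_attempts:
            raise PermissionError("too many failed attempts; manual review required")
        record = self._records[user]
        questions, answers = [], []
        for field in self._rng.sample(list(record), n_questions):
            options = DISTRACTORS[field] + [record[field]]  # new list, pools stay untouched
            self._rng.shuffle(options)
            questions.append((QUESTION_TEXT[field], options))
            answers.append(options.index(record[field]))
        cid = secrets.token_hex(8)
        self._pending[cid] = (user, answers, time.time() + self._ttl)
        return cid, questions  # the expected answers are never returned to the caller

    def verify(self, cid, chosen):
        user, answers, expires = self._pending.pop(cid)  # pop: a challenge is single-use
        if time.time() >= expires:
            return False  # expired challenges fail closed and must be re-issued
        ok = list(chosen) == answers
        if ok:
            self._failures.pop(user, None)
        else:
            self._failures[user] = self._failures.get(user, 0) + 1
        return ok


def legitimate_answers(questions, record):
    """What a user who actually owns the record would pick (used for the demo and tests)."""
    field_of = {text: field for field, text in QUESTION_TEXT.items()}
    return [options.index(record[field_of[text]]) for text, options in questions]


if __name__ == "__main__":
    static = StaticKBA()
    static.enroll("alice", "Where did you meet your spouse?", "Example High")
    print("static question:", static.challenge("alice"))
    print("static verify:", static.verify("alice", "  example HIGH "))

    dyn = DynamicKBA(RECORDS, seed=1)
    cid, qs = dyn.challenge("alice")
    for text, options in qs:
        print(text, options)
    print("dynamic verify:", dyn.verify(cid, legitimate_answers(qs, RECORDS["alice"])))
```

The point to notice is what each side has to persist: the static store keeps the question and a hash of one fixed answer forever, while the dynamic side keeps nothing about the user beyond the record it already holds, and the expected answers live only inside a short-lived, single-use challenge.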
As a founding member of the Information Card Foundation, I’d also like to point out how this scenario makes the advent of Information Cards even more imminent. Had Palin been using a verified Trusted Identity to sign into her account, then the hacker would not have been able to gain access and reset her password.