1

I read on a different post about KBA, which is an identity verification concept that claims to verify a person by asking it about stuff just this person knows of, collected from "public information".

My first thought about it was, when I had access to their data by being a customer to them and using the service, couldn't I fake to be who ever I'd like by just asking to verify that specific identity and then just passing that information?

Paradox
  • 188
  • 11
Zaibis
  • 701
  • 1
  • 4
  • 16
  • 1
    So these people collect all kind of personal information about people and then share it with 3rd parties to identify said people in face-to-face situations? That's kind of creepy. – Philipp Jul 01 '16 at 01:50
  • @Philipp where do you get the face-to-face situations from? It looks to me like a verification layer for automated, electronic transactions. – HopelessN00b Jul 01 '16 at 17:26

1 Answers1

1

This is a case of specific security measures being implemented to address specific threats.

The type of knowledge-based-authentication they're offering there is fairly weak security, but that doesn't mean it's useless. As you observed, and they disclose on their page, it is collected from public information, meaning that, yes, in theory, anyone could look that information up themselves, impersonate whomever's protected by this service and get authenticated. It's fairly similar to the AVS technique commonly used in the United States to combat credit card fraud. That information is also generally publicly available, and therefore of no value in stopping a determined adversary. It still has its uses, however, and has been shockingly effective at preventing certain types of credit card fraud.

This type of authentication would have a similar use case in preventing certain types of electronic fraud or unauthorized use, and they state one such use case on their product page:

The FTC issued a letter approving the use of KBA as a method of obtaining prior verifiable parental consent under the Children’s Online Privacy Protection Act (COPPA).

Children racking up large bills through in-app and other electronic purchases on their mobile phones has been a headline-making problem for a while, so a solution to that problem is valuable to businesses that are vulnerable to that threat, and the relatively low cost of such a system is an important factor as well.

This product would be very effective at preventing automated fraud from malware or bots trying to open up accounts for people, as another example. It doesn't make sense to implement an expensive, military-grade security system just to verify parental consent for in-app purchases in Candy Crush, or to stop bots from signing up accounts in your webstore, but a product like this would probably strike the right balance of security and cost.

Community
  • 1
HopelessN00b
  • 3,385
  • 19
  • 27