US-based data warehouse company Acxiom last week announced FactCheck-X Authenticate, a new biographical authentication service that asks users random questions based on their personal lives.
The added layer of security has been criticised by some privacy advocates, who say it is not worth the extra intrusion into our personal lives.
Acxiom's website says its "products and services help companies improve their results by providing greater insight into what drives their business — their customers, specifically their needs and wants".
Jennifer Barrett, Acxiom's chief privacy officer, told ZDNet.co.uk's sister site, CNET News.com, that businesses today must have a higher level of authentication in certain cases. She cited the US Patriot Act and the need for financial institutions to be certain they know the individuals who want to open new accounts in order to avoid money laundering.
A spokesman for the Electronic Frontier Foundation failed to see any advantage of the service. "Think of this as an expanded version of 'mother's maiden name'," said the EFF's Lee Tien. "You are not the only one who knows the [facts], as your mother's maiden name suggests. At least with a random, newly assigned PIN it is a fair assumption that it is safe at the outset."
Barrett argued that passwords may be fine for some instances, but not all. For customers who require thorough authentication, using sensitive information taken from credit applications or knowledge-based authentication — where the customer chooses a security question and then answers it — do not work, Acxiom reasons. Instead, FactCheck-X Authenticate serves up to 100 random questions culled from a biographical profile, making it hard, says Barrett, for any criminal hacker to social engineer.
Examples of questions used include: Where does your brother Mike live? and: How many fireplaces are in your current residence?
Barrett declined to cite specific sources, but said all information used for the biographical profiles came from public government files and private sources.
"True facts about your life are, by definition, pre-compromised," said EFF's Tien. "If the bio question is about something already in the consumer file, arguably the best kind of question is about something that is highly unlikely to be in one's consumer file and even useless commercially — like my pet's name."
Tien concluded: "In general, the public would be better off if less of this information about them was for sale, and if their accounts were secured by cheap, well-designed hardware authenticator devices [such as two-factor tokens]."
Acxiom is one of several data warehouses that has made it into the news for high-profile data breaches. In 2003, Daniel Baas decrypted passwords, including one that acted like a 'master key', to download customer information from Acxiom. While investigating Baas, the Justice Department announced additional charges in July 2004 against Scott Levine, who used the same public FTP server as Baas. Levine's Snipermail was a sub-contractor for a company working with Acxiom, and Levine also had access to customer information.
In both cases, Barrett said the customer data was either new data Acxiom was going to add to its database or data that had already been added to the database. "The clients had control of [the breached servers] as much or more than we did." Barrett insists that the most sensitive information, such as date of birth, has always been encrypted.
