The Massive Equifax Breach May Reduce the Strength of “Out of Wallet” Authentication Techniques


Today, cleverly just after the 5pm National Hurricane Center update on Irma, Equifax announced a breach potentially affecting 143 million U.S. consumers.  Since I have experience in identity and authentication systems, my initial concern, beyond the potential for “routine” identity fraud, is the erosion of identity proofing techniques based on “out of wallet” (OOW) questions.

OOW techniques are often used when a pre-existing trust relationship does not exist (for example, during initial account setup) and when a trust relationship must be “rebooted” (for example, a password reset, or authentication token enrollment).  OOW techniques leverage the “secrets” found in most consumers’ credit files to perform reasonably strong identity proofing.  Their strength rests entirely on those answers being known only to the consumer and the bureau: an attacker holding a copy of the credit file no longer has to guess, but simply looks the answers up.  Depending on the actual contents of the breach (Equifax has claimed that there was “No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases”, but early claims like that are dubious, as we unfortunately know), the strength of OOW techniques for a large proportion of Americans may be irreparably eroded.

Equifax sells several identification and authentication products that perform identity proofing based on OOW questions.  These are the familiar multiple-choice questions we’ve all seen, such as “What was your address when you were 18?” and “Do you have an auto loan with a monthly payment of $245?”
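To make the erosion concrete, here is a toy model added for this post; it is not Equifax’s or Experian’s code and does not reflect how their products actually select questions.  It uses a constructed, fictional credit file, turns its fields into four-option questions of the kind quoted above, and then scores an attacker who answers every question whose underlying field it obtained from a breach and guesses the rest.  The field names, question texts, distractor pools and the “three of four” pass threshold are all assumptions made for the example.

```python
"""Toy model of out-of-wallet (OOW) authentication against a breached credit file.

Added example for this post: constructed data, assumed question formats and
an assumed pass threshold. Not code from Equifax, Experian or any bureau.
"""
import random
from fractions import Fraction
from math import comb

# Constructed, fictional credit-file record for one consumer (not real data).
CREDIT_FILE = {
    "address_at_18": "12 Elm St, Springfield",
    "auto_loan_payment": 245,
    "mortgage_lender": "First Example Bank",
    "prior_employer": "Acme Widgets",
}
FIELDS = tuple(sorted(CREDIT_FILE))

# Constructed question texts; a bureau product phrases these differently.
PROMPTS = {
    "address_at_18": "What was your address when you were 18?",
    "auto_loan_payment": "What is the monthly payment on your auto loan?",
    "mortgage_lender": "Which lender holds your mortgage?",
    "prior_employer": "Which of these was a previous employer?",
}

# Constructed distractor pools; real products draw plausible wrong answers
# from other consumers' files so the correct one does not stand out.
DISTRACTORS = {
    "address_at_18": ["9 Oak Ave, Shelbyville", "401 Main St, Capital City",
                      "77 Pine Rd, Ogdenville"],
    "auto_loan_payment": [198, 312, 275],
    "mortgage_lender": ["Second Example Bank", "Example Credit Union",
                        "Example Savings & Loan"],
    "prior_employer": ["Globex", "Initech", "Vandelay Industries"],
}


def make_challenge(record, rng, n_questions=4):
    """Build an OOW challenge: a list of (field, prompt, options, answer_index)."""
    challenge = []
    for f in rng.sample(sorted(record), n_questions):
        options = [record[f]] + list(DISTRACTORS[f])
        rng.shuffle(options)
        challenge.append((f, PROMPTS[f], options, options.index(record[f])))
    return challenge


def answer_as_attacker(challenge, known_fields, rng):
    """Answer from the breached fields the attacker holds; guess the rest uniformly."""
    return [answer_index if f in known_fields else rng.randrange(len(options))
            for f, _prompt, options, answer_index in challenge]


def grade(challenge, answers, required):
    """Pass if at least `required` answers match the record."""
    correct = sum(a == q[3] for q, a in zip(challenge, answers))
    return correct >= required


def simulate_pass_rate(known_fields, trials, seed=0, required=3):
    """Monte Carlo estimate of the attacker's pass rate over fresh challenges."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(trials):
        challenge = make_challenge(CREDIT_FILE, rng)
        if grade(challenge, answer_as_attacker(challenge, known_fields, rng), required):
            passed += 1
    return passed / trials


def pass_probability(fields, known_fields, n_choices=4, required=None):
    """Exact pass probability: known fields score 1, unknown ones are 1/n guesses.

    Success needs at least `required` correct answers (default: all of them).
    """
    k = len(fields)
    required = k if required is None else required
    unknown = [f for f in fields if f not in known_fields]
    known = k - len(unknown)
    if known >= required:
        return Fraction(1)
    need, u, p = required - known, len(unknown), Fraction(1, n_choices)
    # Binomial tail: at least `need` of the u guesses are correct.
    return sum(comb(u, j) * p**j * (1 - p)**(u - j) for j in range(need, u + 1))


if __name__ == "__main__":
    scenarios = {
        "attacker knows nothing": set(),
        "breach exposed two of the four fields": {"address_at_18", "auto_loan_payment"},
        "breach exposed the whole file": set(FIELDS),
    }
    for label, known in scenarios.items():
        exact = pass_probability(FIELDS, known, required=3)
        est = simulate_pass_rate(known, trials=5000, required=3)
        print(f"{label:40s} exact={float(exact):.4f} simulated={est:.4f}")
```

The exact figures are the re-evaluation a relying party has to perform: with a 3-of-4 threshold an attacker with no data passes about 5% of the time, one holding half the file passes roughly 44% of the time, and one holding the whole file passes every time.  Which fields the breach actually exposed therefore decides how much of that 5% is left.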

Equifax sells numerous such services: http://www.equifax.com/technology/anakam/products/en_tas

Experian sells similar services: https://www.experian.com/products/authentication_services.html

For those of us who use these products – and other OOW techniques based on credit bureau data – for consumer interactions, the strength of these authentication techniques will need to be re-evaluated in the coming weeks as more details of the Equifax breach emerge.