DO WE NEED A KBA STANDARD?
Category : Uncategorized
//Foss lawyers will be present in Amsterdam between may 18th – may 22th, for the OWASP project submission. The OWASP KBA-PMP project. The project is growing
complete version: KBA paradigms and challenges
Can we say that static KBA is no longer suitable for today’s security challenges? During the last years, we have heard rumors about the death of the KBA. While some part of the industry wants to kill all KBA procedures, Dynamic KBA providers want to only kill static KBA. The truth is that static KBA is the oldest method of authentication, and will remain for a while due to its low cost (compared to biometric authentication), its effectiveness for remote procedures of identification (can be used from anywhere), and especially, the option that users have to change their information or simply lie to the web application to increase security. We cannot blame non developed countries to implement it.
Static KBA is not insecure by itself, it is a matter of implementation. But static KBA confronts 2 huge problems today: (1) Secret information is not secret anymore, (2) Most users will tell the truth to the application.
For dynamic KBA software vendors, KBA has evolved from the challenge questions, to a much more sophisticated way of implementing dynamic KBA. The information comes from public records, credit records, judicial records, your ID card, and perhaps social networks. These have happened in recent years, and it seems to work for many. However, there are some issues to resolve, some of them seems to be universality, and privacy.
Universality.- When I contacted some of the dynamic KBA vendors, my biggest concern was that they don’t have universal solutions. They had access to country based public records, especially in the USA, UK, Canada and Australia. So what about the rest of the world? It is clear that for a transnational dynamic KBA solution, vendors will need to have data sources everywhere. Central American banks may not use dynamic KBA, because KBA providers don’t have data sources in those countries. So how can we kill static KBA, if Dynamic KBA solutions are not available in most countries?
Privacy.- Data protection, and privacy laws are stronger in some countries than others. So the meaning of public records, is related to jurisdictions. As an example, let’s think about personal data in Europe. The Data Protection directive forbids the transfer of personal data to third countries without an adequate level of protection1. Let’s analyze what is personal data under European law2:
(a) ‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
Furthermore, personal data has to be processed lawfully, fairly, and only for specific and legitimate purposes. The data subject has to “unambiguously give his consent”3 unless process is necessary for contract performances, legal obligations, vital interests of the data subject, or the public interest.
Following of all these paradigms and challenges, the answer is YES, we need to develop a KBA standard. Web application security is not only about secure coding, encryption, and patching vulnerabilities. Remote authentication is the core of security, and KBA implementations must follow basic guidelines, but not only for higher risk environments as banks, because security is interconnected and attackers will always find the weakest point of the security chain.