A recent data breach that may affect millions of credit card holders might have been caused by weak knowledge-based authentication used to secure an administrative account.
Visa and MasterCard are warning banks about a massive data breach at a major payment processor that may have compromised more than 10 million credit card numbers.
According to those alerts, the incident occurred between Jan. 21, 2012, and Feb. 25, 2012. The processor, Global Payments, discovered the breach in early March, security expert Brian Krebs reported.
The breach involved unauthorized access to Global Payments’ processing system, which could have contained information from all major card brands. Criminals could possibly use the stolen data to counterfeit new cards, according to the statements from Visa and MasterCard.
How did this major breach occur? It looks like hackers may have gotten into the system by correctly answering knowledge-based authentication questions to gain access to an administrative account, according to Gartner analyst Avivah Litan.
Knowledge-based authentication (KBA) requires a person to answer a series of questions to access a system — often personal questions answered by a user during registration, such as “What is your mother’s maiden name?” or “How did you meet your spouse?” KBA is often used in conjunction with passwords.
However, Litan and other security experts warn against relying on KBA, because the answers can often be guessed or learned by hackers through social engineering.
We’ll keep you posted as more information about the breach becomes available.