W3C home > Mailing lists > Public > public-wsc-wg@w3.org > April 2007

RE: Shared Public Knowledge

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Wed, 11 Apr 2007 21:14:53 -0400
To: <michael.mccormick@wellsfargo.com>, <public-wsc-wg@w3.org>
Cc: "'Dan Schutzer'" <dan.schutzer@fstc.org>
Message-ID: <007201c77c9f$fb1f3840$6500a8c0@dschutzer>
When you are trying to verify a customer for the first time (e.g. opening an
account and not a current customer); KBA or OOWA is one of the only ways to
verify that individual - the wrong address could be given, drivers license
could be counterfeit, etc. Once a relationship is formed there are stronger
ways to authenticate 



From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of michael.mccormick@wellsfargo.com
Sent: Wednesday, April 11, 2007 7:47 PM
To: public-wsc-wg@w3.org
Subject: Shared Public Knowledge


I had to drop off the line for a few minutes at the top of the hour during
this morning's meeting.  Regrettably that moment came during the Lightning
Discussions just as Chuck Wade was responding to MEZ's presentation on
Shared Public Knowledge (SPK).  By the time I rejoined to discussion had
moved on to the next topic.

What I would have said given the opportunity is that Chuck is 100% right.
In our industry this battle has been fought many times and I see little good
coming from taking a hard line against all online use of SPK.

Many US companies rely on services provided by the likes of Choicepoint &
Acxiom to perform Knowledge Based Authentication (KBA) or Out of Wallet
Authentication (OOWA) of consumers in certain situations, especially in
cases where no prior business relationship exists between the FI and said

These KBA systems typically ask a series of randomly chosen multiple choice
questions designed to score a user's knowledge of semi-private information
about himself or herself.  Examples might include "What model car do you
drive"? or "What's the amount of your monthly mortgage payment?".  A
determined criminal could undeniably obtain this information from public
sources, perhaps even use it to impersonate others, but that doesn't mean
there is no legitimate use case for KBA.

A blanket prohibition against KBA is unnecessary and would never be
accepted.  Asking the user enough SPK based questions is not an unreasonable
authentication technique as long as the associated risk is low, or when SPK
is only being used to supplement some other credential for extra assurance.

The much maligned Mother's Maiden Name is an example of weak KBA . but much
stronger ones are possible using the enormous databases of personal data
that are available from brokers today.  So I think the SPK "anti-pattern"
would benefit from being softened a bit to acknowledge there's a place for
it under certain conditions.

Thanks, Mike 

Michael McCormick, CISSP 
Lead Architect, Information Security Technology 
Wells Fargo Bank 
255 Second Avenue South 
MAC N9301-01J 
Minneapolis MN 55479 
*       612-667-9227 (desk)             *       612-667-7037 (fax) 
(       612-590-1437 (cell)             :-)
michael.mccormick@wellsfargo.com (AIM) 
*       612-621-1318 (pager)            *
<mailto:michael.mccormick@wellsfargo.com> michael.mccormick@wellsfargo.com 

This message may contain confidential and/or privileged information.  If you
are not the addressee or authorized to receive this for the addressee, you
must not use, copy, disclose, or take any action based on this message or
any information herein.  If you have received this message in error, please
advise the sender immediately by reply e-mail and delete this message.
Thank you for your cooperation.
Received on Thursday, 12 April 2007 01:15:22 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:36:44 UTC