If you buy a new car and then show it off on social media, some schmuck will have the answer to a common challenge question in two-factor authentication.
I don’t mean just in the Anthony Weiner sense. I mean everyone should be more careful about the types of personal information they proudly post on social media. It might be tasteless to post your new car online, but it can also compromise your cybersecurity.
As more federal agencies move into two-factor authentication for online transactions, they are using databases from outside the government. A common challenge question asks: what is the make and model of the car you bought in a particular year? The federal government doesn’t keep databases of auto purchases, but the credit rating companies do. They offer their databases to government agencies for the purposes of ID verification.
If you did buy a new car and showed it off on Facebook, some schmuck would have the answer to a common challenge question. Yes, it’s a long shot, but why create added risk?
A better two-factor approach is the one-time second password. It doesn’t exist in any database. You can’t weaken it for convenience or laziness. And it evaporates in 60 seconds whether you use it or not.
IRS Commissioner John Koskinen said his agency is having success with another type of second factor. As Federal News Radio’s Nicole Ogrysko reports, the agency will accompany 50 million W-2 forms with a unique 16-digit code. Online filers will get a prompt to type in the code. Presuming fraudsters don’t steal your mail, there’s no way they could have your 16-digit code. IRS also re-did its application for getting your tax transcript online, adding a one-time code sent to your phone.
In its video briefly explaining the process, “Hector” noted people won’t need a transcript at all if they retain three years of their own tax records. That’s the most cyber-safe option of all.
For some applications, two-factor authentication and the personal appearance remain necessary.
U.S. Customs and Border Protection uses the car and other challenge questions when you apply for its Global Entry trusted traveler program, which my wife and I did recently. Before even letting people apply, CBP requires travelers to enroll in GOES, the Global Online Enrollment System, which generates a unique ID number.
Then, the detailed online application only gets you pre-approval. Just like getting a common access card, to get Global Entry status you must appear in person at a Transportation Security Administration office with your passport and driver’s license. There, a CBP officer checks your stuff, takes fingerprints electronically and stamps the final approval.
The experts always say federal officials have to balance convenience and cybersecurity measures. When cyber is a route to physical security, as with Global Entry, convenience falls to a distant second place, as it necessarily must. I don’t know why more people don’t do Global Entry, or at least the domestic version, Pre✓. A half-hour online per person and a schlep to, in the case of D.C.-area residents, the Ronald Reagan Building in Washington, I feel is a small price to pay for keeping your shoes on at the airport for the next five years.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.