Acxiom gets personal with authentication
The process of logging into your stock portfolio online is about to get a lot more personal, according to Acxiom.
The Little Rock, Ark.-based data warehouse company last week announced FactCheck-X Authenticate, a new biographical authentication service that asks users random questions based on their personal lives. But some privacy advocates say the added layer of security is not worth the extra intrusion into our personal lives.
Acxiom's Web site says its "products and services help companies improve their results by providing greater insight into what drives their business--their customers, specifically their needs and wants." Jennifer Barrett, Acxiom's chief privacy officer, told CNET News.com that businesses today must have a higher level of authentication in certain cases. She cited the Patriot Act and the need for financial institutions to be certain they know the individuals who want to open new accounts in order to avoid money laundering.
A spokesman for the Electronic Frontier Foundation failed to see any advantage of the service. "Think of this as an expanded version of 'mother's maiden name,'" said the EFF's Lee Tien. "You are not the only one who knows the (facts), as your mother's maiden name suggests. At least with a random, newly assigned PIN it is a fair assumption that it is safe at the outset."
Barrett argued that passwords may be fine for some instances, but not all. For customers who require thorough authentication, using sensitive information taken from credit applications, or knowledge-based authentication--where the customer chooses a security question and then answers it--does not work, Acxiom reasons. Instead, FactCheck-X Authenticate serves up to 100 random questions culled from a biographical profile, making it hard, says Barrett, for any criminal hacker to social engineer. Examples of questions used include:
In what subdivision do you live?
Where does your brother Mike live?
Select a state which you were previously licensed to drive.
How many fireplaces are in your current residence?
Barrett declined to cite specific sources, but said all information used for the biographical profiles came from public government files and private sources.
"True facts about your life are, by definition, pre-compromised," said EFF's Tien. "If the bio question is about something already in the consumer file, arguably the best kind of question is about something that is highly unlikely to be in one's consumer file and even useless commercially--like my pet's name."
Tien concluded: "In general, the public would be better off if less of this information about them was for sale, and if their accounts were secured by cheap, well-designed hardware authenticator devices" such as two-factor tokens.
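Tien's "pre-compromised facts" point can be put in numbers. The following Python block is an added illustration, not code from the article or from Acxiom: it assigns assumed answer-space sizes to the four sample questions quoted above, treats any fact already present in a purchased consumer file as contributing nothing to the guessing difficulty, and compares the resulting success probability (under a lockout after a few failed tries) with a randomly assigned six-digit PIN. The answer-space sizes, the `known` set and the lockout threshold are all constructed assumptions.

```python
import math

# Constructed answer-space sizes for the four sample questions quoted in the
# article. These are illustrative assumptions, not figures from Acxiom.
QUESTIONS = {
    "subdivision": 200,         # assumed: plausible subdivisions around a known address
    "brother_city": 50,         # assumed: plausible cities for a named relative
    "prior_license_state": 50,  # one of 50 states
    "fireplaces": 4,            # assumed: 0 to 3 fireplaces
}


def remaining_space(questions, known=frozenset()):
    """Number of distinct answer combinations a guesser must search.

    A question whose answer is already in the guesser's profile data
    ("pre-compromised") no longer contributes to the search space.
    """
    space = 1
    for name, size in questions.items():
        if name not in known:
            space *= size
    return space


def challenge_entropy_bits(questions, known=frozenset()):
    """Guessing entropy, in bits, of answering every question correctly."""
    return math.log2(remaining_space(questions, known))


def success_probability(questions, known=frozenset(), attempts=1):
    """Chance a uniform guesser clears the challenge within `attempts` tries.

    The service is assumed to lock the account after that many failures.
    """
    return min(1.0, attempts / remaining_space(questions, known))


def pin_success_probability(digits=6, attempts=1):
    """The same figure for a randomly assigned numeric PIN of `digits` digits."""
    return min(1.0, attempts / 10 ** digits)


if __name__ == "__main__":
    # Facts a data broker's consumer file would plausibly already contain
    # (constructed for this illustration).
    profile_known = frozenset({"subdivision", "brother_city"})
    lockout = 5
    print(f"fresh challenge: {challenge_entropy_bits(QUESTIONS):.1f} bits, "
          f"P(success in {lockout}) = {success_probability(QUESTIONS, attempts=lockout):.2e}")
    print(f"with profile:    {challenge_entropy_bits(QUESTIONS, profile_known):.1f} bits, "
          f"P(success in {lockout}) = {success_probability(QUESTIONS, profile_known, lockout):.2e}")
    print(f"6-digit PIN:     {math.log2(10 ** 6):.1f} bits, "
          f"P(success in {lockout}) = {pin_success_probability(6, lockout):.2e}")
```

With these assumptions a fresh four-question challenge carries about 21 bits, roughly the same as a six-digit PIN; once two of the four answers are already in a purchased profile only about 7.6 bits remain, and five guesses succeed 2.5% of the time against 0.0005% for the PIN. The model is deliberately simple (uniform guessing, independent questions); real answers are skewed toward a few common values, which only lowers the numbers further.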
Acxiom is one of several data warehouses that have made it into the news for high-profile data breaches. In 2003, Daniel Baas decrypted passwords, including one that acted like a "master key," to download customer information from Acxiom. While investigating Baas, the Justice Department announced additional charges in July 2004 against Scott Levine, who used the same public FTP server as Baas. Levine's Snipermail was a sub-contractor for a company working with Acxiom, and Levine also had access to customer information.
In both cases, Barrett said the customer data was either new data Acxiom was going to add to its database or data that had already been added to the database. "The clients had control of (the breached servers) as much or more than we did." Barrett insists that the most sensitive information, such as date of birth, has always been encrypted.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 
I wondered where they got that data because I never gave it to them. Some of it was even incorrect. So this is not all that new.
The only thing this shows is that Acxiom is willing to use your information (all of it) in any way it can to make a buck. They already sell it to anyone who pays what they're asking no matter who the hell it is. Now they're creating "value-added" services based on it.
What we need instead is for Acxiom and companies like it to cease operating.
Bottom line, this type of authentication is weak.
- by H0Gwash May 29, 2008 5:45 AM PDT
Acxiom derives its data from a number of sources: credit data from the credit bureaus, data from state and federal government, the USPS, real estate valuation data, warranty program data, member data associated with loyalty programs, and subscription/renewal data. These source providers make money (royalties) for the amount of data used, generally based on the number of records, attributes (e.g. name, address, SSN, FICO score, etc.), and the other data scrubbing, enrichment, and correlation techniques. Companies that work with the likes of Acxiom (credit card issuers, publishers, retailers, or other companies that market to consumers) use companies like Acxiom to help them better target their customers.
They are very good about following the letter of the law surrounding consumer privacy, unlike these fly-by-night companies that do things like private investigations for a nickel, figuratively speaking. That said, the way they get around some of these DO NOT CALL lists, which are intended to help you block harassing solicitations (from companies or people you have no interest in) and allow companies that you are either a member/subscriber of their program or service, or use their product. In theory these companies can only solicit consumers that they are entitled to. To give you an analogy, the front door is locked to those that don't have a key. So what does a company do? They get their buddy that has a key, and they help them open it.
Through companies like Acxiom, these companies broker data partnerships either to gain better information on their own members or to expand their customer or prospect universe e.g. airline loyalty program combined with hotel loyalty program combined with credit card issuer, and on and on; these member lists can be brought together using various data matching and enrichment techniques when performed by a third party intermediary like Acxiom (rules set forth by FCRA to enable marketing organization to get at certain consumer credit information without compromising consumer privacy, or at least that was the intent of the program). These member loyalty programs when combined by companies like Acxiom provide some very interesting opportunities for these member partners. They get them much better insight into who you are, what your credit worthiness is, are you married, do you have kids, if so how many, sex, age, etc., where you shop, what you shop for, where you sleep, how often you sleep there, where you eat, what you read, other lifestyle details...
Get the picture? They know EVERYTHING about you. Think you are private on these blogs? Think again. The web is your friend and your enemy. It's not just cookies you have to worry about, it's the JavaScript, Flash content, etc., and yes, companies' web portals that provide you free content all have a string. They make their money by selling or using information about what you click on, when you click on it, at what frequency, where you click to and from, proximity, and even your GEO location based on your IP (static or dynamic). In other words, there is no such thing as privacy if you use the Internet as most of us do.
That said, what is needed is legislation to say that any information that affects you is YOUR information, and at a minimum you have a right to know when, where, and at what frequency it is being used. I would go so far as to say that I would want to see legislation that requires consumers to be paid for their data usage, and anyone knowingly using one's private information without their permission should face both criminal and civil consequences.
Also, when we check the Agree box on those Terms and Conditions, we give these companies much more than our acknowledgment that we will not misuse their product, service, etc.; often there are membership data sharing terms that may be embedded in those agreements.
So we either accept this as reality or we expose these practices to get tighter legislation, and not legislation that says it is representing our best interests but instead weakens them, as in the case of getting national privacy laws to override stricter state laws, e.g. California consumer privacy laws that were much more punitive (which consumer marketing firms loathed).