On February 27th 2023, The Texas Tribune reported that the Texas DPS (Department of Public Safety) accidentally sent more than 3,000 drivers licenses to an organized crime group which was targeting Asian Texas. Read the full article here: https://www.texastribune.org/2023/02/27/texas-drivers-license-theft-dps/
That’s a lot to unpack! How did this happen, how did they discover it, and what could have been done to prevent it?
Photo by Terrance Barksdale
It all started when Texas DPS created an online portal for people to renew or replace their lost drivers’ licenses. Most states have a system that allows people to electronically replace their driver’s license, but Texas’s made a critical mistake: in order to verify a person’s identity, they asked them for “Knowledge Based Answers” (KBA).
You’ve probably had to answer KBAs before – they’re things like, “Which of the following addresses did you live at in 2005?” and “How much is your monthly payment to Honda Financial?” These questions are a great tool for eliminating fraud. After all, how many people know your mother’s maiden name or what your last year’s tax return amount was? Well…
As it turns out, a crime ring targeting Asian Americans scoured the dark web for personal information on certain Texans. Information that would typically be available in a credit-header database or in a comprehensive report – similar to kinds of data that USInfoSearch sells. With that information in hand, the criminals were able to give KBAs for all of the questions that Texas DPS was using to verify those individuals’ identities.
How was it caught? According to The Texas Tribune, the issue was first brought up to Texas DPS by their credit card processor who had noticed a higher than usual number of failed CVV2 transactions (you know that little 3 digit code on the back of your credit card?). At this point, DPS had already dispatched more than 3,000 drivers licenses to the crime ring.
It is unclear whether the criminals updated the photos on the drivers licenses, but based upon the report, they were intending to use the IDs on people who looked similar to the victims.
So how could this have been prevented? Simple: multi-factor authentication (sometimes called 2-factor authentication, MFA, or 2FA). KBAs only verify a person’s knowledge, not their identity – and they should never be used as a end-all-be-all to identity verification. Using an MFA solution, the victims would have received a text message or phone call from Texas DPS to the phone number they had on file. That text message would have had an authentication code that the attackers would be required to fill in before accessing the portal. This is a simple mechanism that most banks, businesses, and public safety departments already employ. Heck, even Twitter offers MFA.
This is why when you log into your USInfoSearch account, we’ll not only ask you for your password (knowledge) but we’ll also send you an MFA code (identity) to make sure we’re only giving access to the real you.
If you’re having issues logging into your account, you can always feel free to reach out to our support team. A USInfoSearch employee will never ask you for your password.
If you’d like to set up a KBA or MFA login system within your place of business, get in touch with our sales staff and we’ll be happy to help you get the ball rolling in a safe and secure direction.
