Kyle Kilcoyne By Kyle Kilcoyne • December 11, 2017

600,000 US Driver's License Numbers Compromised in UBER Hack: Here's Why the Full Credential Matters

Major data breaches seem to happen everyday, and you aren't going crazy if it really does seem constant. Every year, the Ponemon Institute and IBM Security survey businesses to analyze how much data breaches cost them. This year, they heard back from 419 businesses from around the world. Every respondent experienced a data breach within the 12 months prior to the study. On the whole, the average cost was $3.62 million per data breach.

It shouldn't be a surprise that another business has fallen victim to a data breach. Details from last year's Uber attack are beginning to become public knowledge. For the most part, the information involved is not considered to pose a significant financial threat to consumers involved. However, there is one unique element to the breach event: The U.S. driver's license numbers of more than 600,000 Uber drivers have been compromised, according to TechCrunch. This is the kind of data breach that can happen to any business, but the involvement of driver's license numbers lend a new angle to an all-too-familiar occurrence.

The Driver's License Problem

At Confirm, we've discussed the limitations of knowledge-based authentication before and, in many cases, advocated for an alternative identity verification method based on using state-issued IDs, such as driver's licenses, alongside biometrics as a viable alternative. We aren't alone in this trend - we're just leading the charge, and the latest breach doesn't change anything. Driver's licenses are still just as viable as ever when used correctly for user authentication. The key is to avoid a few pitfalls that contributed to this most recent data breach.

The core problem is that some security-minded services may use detailed personal information, such as a Social Security Number or driver's license number, as a means of authenticating a user. These methods are almost as bad as passwords, as an attacker need only steal these identifiers and use them to perform identity fraud. The Confirm approach ties a presumed identity to an actual identity document. This link creates a strong authenticator for identity.

Unpacking the Loss of Driver's License Numbers

The fact that the Uber data breach involved driver's license numbers does make the event somewhat unique. Here's a look at how businesses can avoid running into a situation where highly sensitive personal data used for authentication ends up lost, and what companies can do to make their systems less reliant on single data points:

  • Don't store authentication data locally: If you're using driver's licenses or any other sensitive, personal document to verify someone's ID online, don't store that data yourself, where it's up for grabs in the event of a data breach. At Confirm, we do not store or write any data to disc. That means once the authentication tests have been performed, that data is either wiped or sent to a 3rd party for secure storage. This helps eliminate a potential area of risk.
  • Use the entire ID, not just the ID number: The Confirm platform analyzes fraud prevention details on physical, government-issed ID to perform deep data analysis for all of the information the document contains to verify an individual's identity. Relying on a single key attribute, such as a license number, creates a natural attack vector. This information alone is no stronger than a social securtity number or out-of-wallet question. In addition to authentication, Confirm can compare a consumer-captured selfie against the headshot on the ID. This links of a physical ID to a know identity.
  • Move beyond legacy documentation methods: Regardless of how you track user identities in your organization, any methodology that relies on you maintaining copies of data can create risk. Leverage services that depend on reliable third-party data sources so you don't inadvertently put customers at risk. 

At Confirm, we offer a new paradigm for ID verification that takes full advantage of today's digital technologies. Our solutions don't store user data and offer the robust security today's businesses need without creating additional risk. Download our free eBook "A New Paradigm for Identity Verification" below.