It <i>should</i> take a lot more than a compromised web server to gain long-term access to data feeds from LexisNexis and D&B. Even if the web server let them make API requests into the feed, you would think a regular usage report would show a discrepancy in the expected and actual number of requests, or if they attributed them to some user, someone complaining about getting over-billed.<p>For 4 million requests to be injected into their feed from a compromised server, it would suggest that they have essentially no audit logs or accounting systems in place beyond the front-end business logic. I wouldn't be surprised if that's illegal in some states. Maybe the NY AG can take a break from setting up fake yogurt shops on Yelp to catch bad reviews and look into this...<p>"We could well be witnessing the death of knowledge-based authentication, and it's as it should be," Litan said. "The problem is that right now there are no good alternatives that are as easy to implement. There isn't a good software-based alternative."<p>I also hate the KBA questionnaires, and hope they die soon. Some people are working to solve this problem using Facebook or social proof. I'm not too fond of that idea, although in certain cases like AirBnB-type scenarios, I can see where a Facebook hook adds a useful data point.<p>One approach I've <i>never</i> seen used but which seems like it provides two nice strong 'factors' is to put a temp charge on someone's credit card and ask them to tell you how much it was for, and then clear it. That would prove they have the card (including CVV2) and also that they have the login credentials for the account.<p>I think the credit card processor I use doesn't charge anything at all for a temporary auth. And I know at least AMEX, Bank of America, and Discover will show the temp amounts on their webpage in real-time.<p>So it's similar to the ACH method of making 2 random small-amount deposits, which is also considered the 'gold standard' for linking a checking account, except if you used credit card temp auth, it's free, and real-time instead of .25 and 1 - 2 days of lag.
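The temporary-authorization check proposed above has one property worth making concrete: the secret the user has to read back is an amount in a very small range, so the server side has to bound guesses and expire the hold, much as a micro-deposit flow does. The following is an added example of that server-side logic, not code from the comment's author or from any processor; `place_auth` and `void_auth` are hypothetical stand-ins for a card-processor client, and the $0.01 to $9.99 amount range is a constructed assumption.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable

# Added example modelling "temporary authorization as a second factor":
# the server places a small auth of a random amount on the card, the user
# reads the amount off their card statement, and the server checks it.
# `place_auth`/`void_auth` are hypothetical processor callbacks; real APIs differ.

MIN_CENTS, MAX_CENTS = 1, 999          # $0.01 .. $9.99 -> only 999 possible answers
MAX_ATTEMPTS = 3                       # tiny answer space, so bound the guesses
CHALLENGE_TTL_SECONDS = 24 * 60 * 60   # holds should not linger on the statement


@dataclass
class Challenge:
    user_id: str
    amount_cents: int        # the secret; stored server-side, never shown to the user
    auth_id: str             # processor's reference for the pending authorization
    created_at: float
    attempts: int = 0
    state: str = "pending"   # pending | verified | locked | expired


def issue_challenge(user_id: str, place_auth: Callable[[int], str], now: float) -> Challenge:
    """Pick an unpredictable amount and place the temporary authorization."""
    amount = MIN_CENTS + secrets.randbelow(MAX_CENTS - MIN_CENTS + 1)
    auth_id = place_auth(amount)
    return Challenge(user_id=user_id, amount_cents=amount, auth_id=auth_id, created_at=now)


def verify_answer(ch: Challenge, claimed_cents: int, now: float,
                  void_auth: Callable[[str], None]) -> str:
    """Check the amount the user claims to see. Returns the challenge's new state."""
    if ch.state != "pending":
        return ch.state                 # finished challenges are not replayable
    if now - ch.created_at > CHALLENGE_TTL_SECONDS:
        ch.state = "expired"
        void_auth(ch.auth_id)
        return ch.state
    ch.attempts += 1
    # Fixed-width encoding plus constant-time compare: with 999 candidates,
    # do not leak anything about the secret through comparison timing.
    expected = f"{ch.amount_cents:04d}".encode()
    given = f"{int(claimed_cents):04d}".encode()
    if hmac.compare_digest(expected, given):
        ch.state = "verified"
        void_auth(ch.auth_id)           # clear the hold once it has done its job
    elif ch.attempts >= MAX_ATTEMPTS:
        ch.state = "locked"
        void_auth(ch.auth_id)           # a retry must start over with a fresh amount
    return ch.state


def guess_success_probability(max_attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that someone holding the login but not the card guesses the amount."""
    return max_attempts / (MAX_CENTS - MIN_CENTS + 1)


if __name__ == "__main__":
    # Constructed stand-in for a processor: pending auths live in a dict.
    auths = {}

    def place_auth(cents: int) -> str:
        auth_id = f"auth-{len(auths) + 1}"
        auths[auth_id] = cents
        return auth_id

    def void_auth(auth_id: str) -> None:
        auths.pop(auth_id, None)

    ch = issue_challenge("user-42", place_auth, now=1000.0)
    print(verify_answer(ch, ch.amount_cents, now=1001.0, void_auth=void_auth))
    print(f"brute-force success chance: {guess_success_probability():.2%}")
```

The attempt cap is the point of the example: three guesses against 999 amounts is about a 0.3% success rate for someone who has the password but not the card, whereas unlimited guesses would make the amount no factor at all. Voiding the hold on every terminal state keeps the user's statement clean and ensures a retry gets a fresh amount.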
<i>“Data security is a company priority, and I can assure you that we are devoting all resources necessary to ensure that security.”</i><p>That's kind of an odd statement to make in this situation.