Knowledge-based authentication questions are answered more accurately by fraudsters than by legitimate account holders because the answers are in data broker databases

When you call your bank to reset your password or dispute a charge, the agent asks knowledge-based authentication questions: What street did you live on in 2015? Which of these lenders holds your auto loan? What was the monthly payment on your previous mortgage? These questions are pulled from credit bureau and data broker records. The problem is that the same databases are available to criminals. After the National Public Data breach, Equifax breaches, and countless data broker leaks, the answers to these questions are searchable online.

A well-prepared fraudster who has purchased a victim's data file can answer these questions more accurately than the victim themselves, because the victim may not remember their exact address from 2015 or the precise monthly payment on a loan they paid off years ago. This means the identity verification step that banks, insurers, and government agencies rely on for phone-based authentication is actively working against legitimate customers and in favor of attackers. The FBI received over 5,100 account takeover complaints in the first months of 2025 alone, with losses exceeding $262 million. When the legitimate account holder calls back to report the fraud, they often fail the same KBA questions the fraudster passed, because the system is testing memorization of data broker records, not actual identity.

This persists because KBA was designed in the early 2000s when personal details were genuinely private. Twenty years of data breaches have made those details public, but the financial industry has not migrated away from KBA because it is cheap, easy to implement, and does not require customers to install an app or use a hardware token. The regulatory framework still accepts KBA as a valid authentication method. Banks that want to replace it face the paradox that any stronger method, like biometrics or hardware keys, creates friction that drives customers away.
The result is that the most common identity verification method used by American financial institutions is the one that attackers can defeat most easily.
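One defensive way to act on this analysis is to stop treating a KBA pass as proof of identity and instead treat it as a low-assurance signal that can never, by itself, authorize an account-changing request. The policy engine below is an added illustration, not code from the original post or from any bank or vendor it mentions; the factor names, the assurance levels, and the per-action tiers are assumptions chosen for the example. It encodes the page's point: answers drawn from credit-bureau and data-broker records are effectively public, so a password reset or charge dispute that rests on KBA alone is routed to a step-up check (a one-time code to an enrolled device, a callback to the number on file, or a phishing-resistant credential), while a low-risk balance inquiry may still proceed.

```python
"""Step-up authentication policy for a phone / call-center channel.

Added example, not part of the original article. Assurance levels, factor
names and action tiers are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Assurance(IntEnum):
    NONE = 0
    LOW = 1      # knowledge of data that is widely available (KBA)
    MEDIUM = 2   # possession of an enrolled channel (OTP to device on file, callback)
    HIGH = 3     # phishing-resistant possession (hardware key, passkey)


# Evidence types and the assurance each contributes. KBA is capped at LOW
# because its answers come from breached / broker data (assumed mapping).
FACTOR_ASSURANCE = {
    "kba": Assurance.LOW,
    "otp_enrolled_device": Assurance.MEDIUM,
    "callback_number_on_file": Assurance.MEDIUM,
    "hardware_key": Assurance.HIGH,
    "passkey": Assurance.HIGH,
}

# Minimum assurance each request type must reach (assumed tiers).
ACTION_REQUIREMENTS = {
    "balance_inquiry": Assurance.LOW,
    "dispute_charge": Assurance.MEDIUM,
    "password_reset": Assurance.MEDIUM,
    "change_contact_details": Assurance.HIGH,
}


@dataclass
class Session:
    action: str
    passed_factors: List[str] = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    reason: str
    step_up_to: Optional[str] = None  # factor the agent should request next


def highest_assurance(factors: List[str]) -> Assurance:
    """Assurance reached so far: the strongest passed factor. Unknown factor
    names contribute nothing, so a typo in the CRM cannot grant access."""
    return max(
        (FACTOR_ASSURANCE.get(f, Assurance.NONE) for f in factors),
        default=Assurance.NONE,
    )


def evaluate(session: Session) -> Decision:
    """Decide whether the request may proceed, or which step-up to demand."""
    required = ACTION_REQUIREMENTS.get(session.action)
    if required is None:
        # Fail closed on actions the policy does not know about.
        return Decision(False, f"unknown action {session.action!r}")

    achieved = highest_assurance(session.passed_factors)
    if achieved >= required:
        return Decision(True, f"{achieved.name} assurance meets {required.name}")

    # KBA can never lift a MEDIUM or HIGH action over the bar: pick the
    # cheapest factor that would satisfy the tier and ask the agent for it.
    step = "otp_enrolled_device" if required == Assurance.MEDIUM else "passkey"
    return Decision(
        False,
        f"{achieved.name} assurance is below required {required.name}",
        step_up_to=step,
    )


if __name__ == "__main__":
    # Constructed sessions: a caller who aced KBA but holds nothing else,
    # and the same caller after completing an OTP to the enrolled device.
    kba_only = Session("password_reset", ["kba"])
    print(evaluate(kba_only))
    stepped_up = Session("password_reset", ["kba", "otp_enrolled_device"])
    print(evaluate(stepped_up))
```

The key design choice is that combining factors takes the maximum, not a sum: answering ten KBA questions perfectly still yields LOW, which is exactly the behaviour the article argues for, since a fraudster holding the victim's data file is the caller most likely to answer them all correctly. Logging each decision with the factors used also gives the fraud team a record to revisit when the real account holder later reports the takeover.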

Evidence

FBI IC3 received 5,100+ ATO complaints with $262M+ losses since January 2025: https://www.ic3.gov/PSA/2025/PSA251125
CX Today analysis of why AI broke KBA: https://www.cxtoday.com/contact-center/what-is-kba-knowledge-based-authentication-and-why-ai-just-broke-it/
Identity Management Institute on KBA weaknesses: https://identitymanagementinstitute.org/knowledge-based-authentication-weaknesses/
CUNA Strategic Services on why KBA solutions are failing: https://www.cunastrategicservices.com/content/why-knowledge-based-authentication-solutions-are-failing-and-whats-next