Read the book: The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 137

Recent Access History

Another technique, often used by banks and financial institutions, is to prompt the user for additional information pertaining to recent activities associated with their user ID or account. Banks might ask about the last five deposits, for example, while an insurance provider might ask for particular information regarding a recent claim that the (purported) user had submitted. Some secure systems have also displayed information regarding the last access attempt (failed or successful) made by the user and then asked for additional information as part of confirming the user's authenticity.

Conceptually, this is asking for information that the legitimate user should know, but in practice, it often ends up with the user having to access the systems themselves or their off-board (paper) records of system activity in order to answer the questions correctly.

In any event, use of such information only establishes that the person now trying to access the system has previously enjoyed access to it, which does not help separate legitimate user access attempts from an attempted identity theft.
