In recent months I’ve noticed a disturbing trend. More and more organisations are adding additional layers of “security”, in the form of supplementary security questions, to their websites and call-centre interaction. In addition to a username and password, they now want you to provide your date of birth and answers to a number of pre-selected security questions which can be used to “verify your identity”. The troubling thing is that everybody seems to use the same set of questions.
Here’s an example set from a well-known fruit-based purveyor of expensive shiny things and light entertainment:
- The name of your home town
- What you studied in college
- Your first job
- The name of your favourite pet
- The name of your eldest sibling
- Your first bike or car
- Your childhood hero
- Your first school
- The name of your firstborn child
- Your lucky number
- Your secret word
- The name of your first employer
- The name of the street you grew up on
- The name of your best friend
- The name of your all-time favourite teacher
Take a good look at that list. Assume you have to provide answers to between three (litigious fruity people) and six (example bank) of these questions. Rule out the ones that don’t apply to you – perhaps you didn’t go to college, didn’t have pets, are the eldest child, don’t drive, don’t do hero worship, don’t have children and aren’t superstitious. That leaves eight possible questions. We’ll ignore the “secret word”, since that’s just another password, and you have one of those already. So that’s seven. We’d better leave out the best friend, too, since you have to remember these answers indefinitely, and you might feel differently about your friends in six months’ time. So that’s six from six.
Now ask yourself: when your bank upgraded its on-line (or telephone banking) security, did it also include a list of supplementary security questions? Was their list disturbingly similar? How about your stock or currency trading account, or your credit card provider?
How many organisations have the answers to these same questions? How much do you trust them to keep this information secure?
Of course, sometimes they offer you the chance to make up your own question. But that’s just passing the problem of coming up with an original set of questions for each site – and remembering the answer – over to you.
You can lie; but then you have to remember what lie you told to whom, so you’ll either tell the same lie to multiple organisations, or have to write the answers down somewhere, which rather defeats the purpose of the exercise. Oh what a tangled web and so on…
In the security biz, we talk about authentication “factors” – ways of identifying a specific individual. You may have heard people talk about “two-factor authentication”; in fact your bank may well have given you a gadget to generate a special code when you log in to their website. This is because the different factors are:
- Something you know – a username, a password, the answers to these supplemental questions…
- Something you have – a swipe card, a code-generating widget (a “token” in infosec-speak), a physical key etc
- Something you are – a fingerprint, a retinal or iris pattern, DNA, hand geometry and so on
Having more than one kind of factor involved in authentication makes it more secure. Having more than one of the same kind of factor, especially if that’s “something you know”, arguably makes it less secure.
Why?
Because when your data (your “personally identifiable information” or PII) is compromised, it’s generally all compromised at once. So all the “things you know” are in circulation. Worse, the supplemental security question answers aren’t likely to have been one-way encrypted (unlike your password) because the call-centre staff need to be able to read the answers when they ask you the questions.
Besides which, if you look at the questions I listed, how hard would it be to work most of the answers out from your Facebook and LinkedIn profiles?
But from the point of view of the bank, or the fruity people, someone who can answer the supplemental identity questions is more likely to be you. So if I call up pretending to be you and say “I can’t remember my password“ and I can answer their randomly-selected supplemental questions, I’m more likely to gain access to your account. If their random selection is coming from the same six questions you’ve been able to answer for ten different organisations, and one of those ten has had a breach, you’re in trouble.
What’s the answer from a consumer perspective? I don’t have a good one, but here are some suggestions:
- Choose a bank that uses a proper hardware token to authenticate you. This is your money at risk. Bear in mind that the widgets where you put your credit card in and key in a challenge value to generate a passcode aren’t proper tokens – they all produce the same output for the same input and same card. Which is daft, since it makes possession of your card the actual security.
- Where possible, avoid organisations and websites that needlessly over-secure. Think about the value of what they’re protecting (some songs, for example, or in one bizarre case in my experience the details of your previous orders of computer bits) and compare it to the risk of giving them the data (the contents of your bank account).
- If you really have to use organisations that use supplemental questions to protect low-value data, spend some time making up and memorising a set of false answers. Be sure you know which set you’ve used where, of course – and don’t write them down. Be careful though that your answers are only relevant and recorded for security authentication – don’t commit fraud unintentionally.
- Keep a separate credit card, with a low credit limit, for on-line and telephone purchases; make sure it’s only associated with one set of supplemental answers. If you can, don’t get it from the same financial services provider that handles your main bank account. Assume it will be compromised, so get a replacement card with a new number regularly. You’ll have to update recurring subscriptions with the new card details, but this is a small price to pay.
If you run a site, then here are some pointers for you:
- Match your security to the value of the assets secured. Be open and clear about how secure your site is, but don’t feel pressurised to over-secure it. My holiday snaps don’t need the same level of security as my bank account. If they do – because I’m an A-list celebrity – then I shouldn’t be putting them on the internet in the first place. On the other hand, if you run a bank or a stockbroker, stop nickel-and-diming and start handing out tokens.
- Don’t retain data you don’t need, and don’t make your life harder by capturing additional sensitive data to protect the data you already have.
- Don’t assume people give a damn about your website, or use it often. Don’t replace personal data questions with site usage questions. You might think it’s clever to ask “When did you sign up?” because you already have the answer, but I don’t remember and don’t care.
- Start by reviewing your password policy. Chuck out the requirement for a mixture of letters, numbers and symbols and ask for a two or more word passphrase instead. Don’t take my word for it, read a webcomic instead.
A bigger picture 
2 thoughts on “Why “improved” on-line security could compromise your bank account”