2009-12-24

Security Questions

Consider this. At online finance and banking-type sites, "Your security is important to us." In addition to standard login-id and password, for quite some time they've been fond of using these additional "security questions that only you will know".

Back in the day, it was always one thing in particular: "Mother's maiden name?" Obviously, only you will know that, because it's not important for anything. Well... except that NOW it's important because it got used everywhere as a security question. So every bank I dealt with knows it because they required it for me to do business with them.

So now that's been basically dropped, and a whole slew of other security questions have popped up. "Mother's date of birth?" "Childhood pet's name?" "Where did you go on your honeymoon?" (These are all actual examples.) Obviously good security questions because no one would want to know any of this trivia.

HEY SECURITY DUMBASS -- AS SOON AS YOU ASK THIS QUESTION IT BECOMES OF INTEREST TO AN ATTACKER, AND THEREFORE A SECURITY VULNERABILITY.

What really pisses me off is that over time, these financial and business sites are going to know every scrap of personal information about my life if this goes on. All my relatives' and friends' birthdays. Nicknames and pets, favorite books/ authors/ places I dream of vacationing, etc., etc., etc. Every time one becomes somewhat widespread, they have to switch to something even more esoteric and private.

Nowadays I'm running into multiple sites (that I've used in the past) that are refusing to allow me access unless I give them some new tidbits of "security question" information. The nice girls at my local bank see my distress and helpfully suggest "Just make something up!" Which has the disadvantages of (a) now I'm not going to remember it and need to write it down, and (b) the fine print of the terms-of-service demands honest and factual information, and while I'm sure the tellers at the bank don't mind, I'm equally sure that the corporate entity will be happy to crucify me over a transgression like that if we ever get into a dispute.

Fuck that.

1 comment:

  1. Insecurity questions. I haven't published the books I've read or bands or movies I like in my blog because of this. Ridiculous stuff. Plus there must be short dictionaries of pet names and popular movies and surnames and such. The insecurity questions must be exceptionally easy to crack even if you keep this stuff secret. Maybe these obvious vulnerabilities (should have been) will bite the banks back in the ass someday.
