Why are bank security questions so monstrously stupid?

Innovation, the Internet, gadgets, and more.
Jan. 29 2008 4:51 PM

In What City Did You Honeymoon?

And other monstrously stupid bank security questions.

(Continued from Page 1)

Whereas it's easy to think of lousy questions, it's pretty much impossible to think of even one great one. Securitywise, though, a question is strong if it's unique: If every financial institution asked for your pet's name, phishers could focus all of their energy on sussing out that data. Gaffan says that RSA gives banks 150 questions to choose from, with the understanding that not every question will work for everyone. The problem isn't a failure of imagination on the part of the question-conjurers. It's the impossibility of coming up with a question that's easy to answer but hard to guess. After throwing in the caveat that "there is no one perfect question," the proprietor of Good Security Questions lists 16 that he considers the best. Almost all of them are terrible. What was your childhood nickname? Didn't have one, sadly. What is the name of your favorite childhood friend? Do Legos count as a friend? What is your oldest sibling's birthday month? I'm guessing it would take a hacker two tries to get to February.

The fundamental issue here is the disconnect between the certainty of banking culture and the ambiguity of human decision making—a person's favorite celebrity or favorite band isn't as knowable or concrete as the amount of her last ATM transaction. Some banks, like Wachovia, understand that their customers might loathe the provided security questions. Their half-assed solution: giving users the option to write the questions themselves, the ultimate admission that shared secrets are less a security scheme than a cost-savings measure. Banks know that users will come up with questions that are easy to remember—"What is 2+2?"—and thus easy for anyone with a grade-school education to guess.


Of course, there are ways to get around these questions. There's no law that says you have to speak the truth—all you have to do is type in something you'll remember. Don't remember your third-grade teacher's name? Call her "purple." Or if you're paranoid about security, you can always just put nonsense in the answer field—nobody will guess that your pet's name is qqzzhskjafhdlkalkfdha. But why should it be up to us to subvert the banks' stupidity?

It's easy to blame all of this—the stupid questions, the stupid answers, the stupid workarounds—on the banks. Financial institutions don't want to help you; they want you to help yourself. Their primary goal is to get us to fix our own problems without dialing a 1-800 number. On the other hand, we hate customer-service calls just as much as the banks do. The one thing more annoying than trying to remember the name of your third-grade teacher is sitting on hold, repeating your account information for the eighth time, getting disconnected, calling back …

Perhaps the reason that banks use these questions, then, is because we want them. Bruce Schneier, the security guru and CTO of BT Counterpane, sees our impatience as the driving impulse behind the security question movement: "This is security clashing with customer service, because customer service says our customers are calling and saying I forgot my password … our customers are getting pissed off." With the proliferation of online banking and all manner of e-commerce, we're accustomed to handling transactions ourselves, without the mediation of a human being. Why should resetting our passwords be any different? No matter how irritating security questions are, we demand a solution that works as we're sitting at the laptop.

But just because customers value convenience over security doesn't mean banks should. Instead of coming up with ever-more-ornate questions about teachers and toys, banks and security companies should push solutions that are safe and customer-friendly. While everyone hates calling customer service, confirming your identity on the phone (an out-of-band device) is way more secure than using an online form. RSA's Gaffan told me about a phone-based authentication system used by more than a dozen of the company's clients. At sign-up time, you enter your work, home, and cell numbers. If you lose your password, simply indicate whether you're at home, at work, or on your cell. To authenticate yourself, just answer your phone and type in a number that appears on your computer screen. There's nobody asking about your honeymoon and no stuffed animal names to remember. Sounds perfect to me. What's my favorite bank? The one that doesn't ask me stupid frigging questions.
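The phone-based reset described above, sketched as the server-side logic a bank would need: the user only chooses which registered number to ring, a short code is shown on screen, and the code is accepted once, within a time limit, with a cap on wrong entries. This is an added illustration, not RSA's product or Slate's text; the class name, the six-digit code length, the two-minute lifetime and the three-attempt cap are assumptions.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6           # digits in the number shown on the screen (assumed)
CODE_TTL_SECONDS = 120    # how long a displayed code stays valid (assumed)
MAX_ATTEMPTS = 3          # wrong phone entries allowed before the code is burned (assumed)


class OutOfBandVerifier:
    """Server side of the phone-based reset flow (constructed example, not a real product)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be exercised offline
        self._pending = {}           # user_id -> {code, phone, expires, attempts}

    def start(self, user_id, registered_phones, choice):
        # The user picks only "home", "work" or "cell"; the number comes from the profile
        # captured at sign-up, never from the reset request itself.
        phone = registered_phones[choice]
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user_id] = {
            "code": code,
            "phone": phone,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # A real deployment places the call here; returning both lets a harness check them.
        return code, phone

    def confirm(self, user_id, typed_on_phone):
        # Called when the telephony side reports what the user keyed in after answering.
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user_id]             # stale code is discarded, not retried
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"], typed_on_phone)   # constant-time compare
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]             # single use; burned after too many misses
        return ok
```

Nothing about honeymoons or teachers is stored; the only secret is a fresh code that dies after one use, on expiry, or after a handful of wrong tries.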
