Why are bank security questions so monstrously stupid?

Jan. 29 2008 4:51 PM

In What City Did You Honeymoon?

And other monstrously stupid bank security questions.


Whereas it's easy to think of lousy questions, it's pretty much impossible to think of even one great one. Securitywise, though, a question is strong if it's unique: If every financial institution asked for your pet's name, phishers could focus all of their energy on sussing out that data. Gaffan says that RSA gives banks 150 questions to choose from, with the understanding that not every question will work for everyone. The problem isn't a failure of imagination on the part of the question-conjurers. It's the impossibility of coming up with a question that's easy to answer but hard to guess. After throwing in the caveat that "there is no one perfect question," the proprietor of Good Security Questions lists 16 that he considers the best. Almost all of them are terrible. What was your childhood nickname? Didn't have one, sadly. What is the name of your favorite childhood friend? Do Legos count as a friend? What is your oldest sibling's birthday month? I'm guessing it would take a hacker two tries to get to February.

The fundamental issue here is the disconnect between the certainty of banking culture and the ambiguity of human decision making—a person's favorite celebrity or favorite band isn't as knowable or concrete as the amount of her last ATM transaction. Some banks, like Wachovia, understand that their customers might loathe the provided security questions. Their half-assed solution: giving users the option to write the questions themselves, the ultimate admission that shared secrets are less a security scheme than a cost-savings measure. Banks know that users will come up with questions that are easy to remember—"What is 2+2?"—and thus easy for anyone with a grade-school education to guess.
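The complaints above can be put in numbers. The short script below is an added illustration, not part of the original article: it takes a made-up distribution of answers for each kind of question and computes how many tries a guesser who starts with the most common answer needs, how likely that guesser is to win within a small number of attempts (roughly what a lockout policy allows), and the min-entropy in bits. The month distribution is uniform over the calendar; the pet-name frequencies and the "2+2" case are constructed for illustration only.

```python
"""Constructed example: how guessable a security question's answer space is.

The answer distributions below are invented for illustration; they are not
survey data. A guesser who knows the distribution tries the most common
answer first, then the next, and so on.
"""
import math

# Constructed distributions: answer -> probability (each sums to 1.0).
MONTH = {m: 1 / 12 for m in (
    "January", "February", "March", "April", "May", "June", "July",
    "August", "September", "October", "November", "December")}
PET_NAME = {"Max": 0.30, "Bella": 0.25, "Charlie": 0.20, "Lucy": 0.15, "Rex": 0.10}
TWO_PLUS_TWO = {"4": 1.0}   # the user-written question from the article


def ranked_answers(dist):
    """Answers in the order a best-first guesser would try them.
    sorted() is stable, so ties keep the order they were listed in."""
    return sorted(dist, key=lambda a: dist[a], reverse=True)


def guesses_to_reach(dist, target):
    """Number of guesses needed before `target` is tried."""
    return ranked_answers(dist).index(target) + 1


def success_within(dist, k):
    """Probability that the guesser succeeds in at most k attempts."""
    probs = sorted(dist.values(), reverse=True)
    return sum(probs[:k])


def min_entropy_bits(dist):
    """Min-entropy: -log2 of the single most likely answer."""
    return -math.log2(max(dist.values()))


def report(name, dist, k=3):
    """Summary for one question under a k-attempt lockout policy."""
    return {
        "question": name,
        "min_entropy_bits": round(min_entropy_bits(dist), 2),
        f"attacker_success_within_{k}": round(success_within(dist, k), 3),
    }


if __name__ == "__main__":
    print("Guesses to reach February:", guesses_to_reach(MONTH, "February"))
    for name, dist in [("sibling's birthday month", MONTH),
                       ("pet's name (constructed)", PET_NAME),
                       ("What is 2+2?", TWO_PLUS_TWO)]:
        print(report(name, dist))
```

Even the "strong" month question yields to a guesser one time in four under a three-attempt lockout, and a self-written question like "What is 2+2?" has no entropy at all, which is the article's point about shared secrets as a cost-saving measure rather than a security control.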


Of course, there are ways to get around these questions. There's no law that says you have to speak the truth—all you have to do is type in something you'll remember. Don't remember your third-grade teacher's name? Call her "purple." Or if you're paranoid about security, you can always just put nonsense in the answer field—nobody will guess that your pet's name is qqzzhskjafhdlkalkfdha. But why should it be up to us to subvert the banks' stupidity?

It's easy to blame all of this—the stupid questions, the stupid answers, the stupid workarounds—on the banks. Financial institutions don't want to help you; they want you to help yourself. Their primary goal is to get us to fix our own problems without dialing a 1-800 number. On the other hand, we hate customer-service calls just as much as the banks do. The one thing more annoying than trying to remember the name of your third-grade teacher is sitting on hold, repeating your account information for the eighth time, getting disconnected, calling back …

Perhaps the reason that banks use these questions, then, is because we want them. Bruce Schneier, the security guru and CTO of BT Counterpane, sees our impatience as the driving impulse behind the security question movement: "This is security clashing with customer service, because customer service says our customers are calling and saying I forgot my password … our customers are getting pissed off." With the proliferation of online banking and all manner of e-commerce, we're accustomed to handling transactions ourselves, without the mediation of a human being. Why should resetting our passwords be any different? No matter how irritating security questions are, we demand a solution that works as we're sitting at the laptop.

But just because customers value convenience over security doesn't mean banks should. Instead of coming up with ever-more-ornate questions about teachers and toys, banks and security companies should push solutions that are safe and customer-friendly. While everyone hates calling customer service, confirming your identity on the phone (an out-of-band device) is way more secure than using an online form. RSA's Gaffan told me about a phone-based authentication system used by more than a dozen of the company's clients. At sign-up time, you enter your work, home, and cell numbers. If you lose your password, simply indicate whether you're at home, at work, or on your cell. To authenticate yourself, just answer your phone and type in a number that appears on your computer screen. There's nobody asking about your honeymoon and no stuffed animal names to remember. Sounds perfect to me. What's my favorite bank? The one that doesn't ask me stupid frigging questions.
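The phone-based reset described above is easy to model. The code below is an added example written for this page, not RSA's product and not anything the article's sources published; the service, the code lifetime, the attempt limit and the phone numbers are all invented. It shows the part that makes the flow out-of-band: the web session only ever sees the code, the registered phone is the only place that code can be entered, and a code is single-use, time-limited and capped in attempts.

```python
"""Constructed simulation of a phone-callback password reset.

Flow, as the article describes it:
  1. At sign-up the user registers home, work and cell numbers.
  2. To reset, the user says which phone they are near; the service
     displays a short code on screen and calls that number.
  3. The user types the on-screen code into the phone. The service
     accepts the reset only if the digits arrive on the call it placed.

No real telephony: placing a call just appends to a log, and the digits
'typed on the phone' arrive through complete_reset().
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120   # assumed lifetime of an on-screen code
MAX_ATTEMPTS = 3         # assumed cap on wrong entries per code


@dataclass
class PendingReset:
    phone: str          # number the service called
    code: str           # code shown on the user's screen
    expires_at: float
    attempts: int = 0


class ResetService:
    def __init__(self, clock=time.time):
        self.enrolled = {}   # user -> {label: phone number}
        self.pending = {}    # user -> PendingReset
        self.calls = []      # simulated outbound calls (numbers dialled)
        self.clock = clock   # injectable so expiry can be tested

    def enroll(self, user, phones):
        """Sign-up: record the user's labelled phone numbers."""
        self.enrolled[user] = dict(phones)

    def start_reset(self, user, location):
        """User picks 'home', 'work' or 'cell'. Returns the on-screen code,
        or None for an unknown user/label (same answer for both, so the
        web form does not reveal which labels exist)."""
        phones = self.enrolled.get(user, {})
        if location not in phones:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = PendingReset(
            phone=phones[location], code=code,
            expires_at=self.clock() + CODE_TTL_SECONDS)
        self.calls.append(phones[location])   # 'dial' the registered number
        return code

    def complete_reset(self, user, typed_digits):
        """Digits received over the call the service placed. True means the
        password may now be reset. The code is consumed on success and
        after MAX_ATTEMPTS failures; an expired code is discarded."""
        p = self.pending.get(user)
        if p is None:
            return False
        if self.clock() > p.expires_at:
            del self.pending[user]
            return False
        p.attempts += 1
        ok = hmac.compare_digest(p.code, typed_digits)
        if ok or p.attempts >= MAX_ATTEMPTS:
            del self.pending[user]
        return ok


if __name__ == "__main__":
    svc = ResetService()
    svc.enroll("alice", {"home": "+1-555-0100", "work": "+1-555-0101",
                         "cell": "+1-555-0102"})      # constructed numbers
    shown = svc.start_reset("alice", "cell")
    print("on-screen code:", shown, "| called:", svc.calls[-1])
    print("reset allowed:", svc.complete_reset("alice", shown))
```

Someone who phishes the web session sees the code but has no phone to type it into; someone holding the phone is called but never sees the code. That separation, not the length of the code, is what the article's sources mean by "out-of-band".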
