Why are bank security questions so monstrously stupid?

Innovation, the Internet, gadgets, and more.
Jan. 29 2008 4:51 PM

In What City Did You Honeymoon?

And other monstrously stupid bank security questions.

(Continued from Page 1)

Whereas it's easy to think of lousy questions, it's pretty much impossible to think of even one great one. Securitywise, though, a question is strong if it's unique: If every financial institution asked for your pet's name, phishers could focus all of their energy on sussing out that data. Gaffan says that RSA gives banks 150 questions to choose from, with the understanding that not every question will work for everyone. The problem isn't a failure of imagination on the part of the question-conjurers. It's the impossibility of coming up with a question that's easy to answer but hard to guess. After throwing in the caveat that "there is no one perfect question," the proprietor of Good Security Questions lists 16 that he considers the best. Almost all of them are terrible. What was your childhood nickname? Didn't have one, sadly. What is the name of your favorite childhood friend? Do Legos count as a friend? What is your oldest sibling's birthday month? I'm guessing it would take a hacker two tries to get to February.

The fundamental issue here is the disconnect between the certainty of banking culture and the ambiguity of human decision making—a person's favorite celebrity or favorite band isn't as knowable or concrete as the amount of her last ATM transaction. Some banks, like Wachovia, understand that their customers might loathe the provided security questions. Their half-assed solution: giving users the option to write the questions themselves, the ultimate admission that shared secrets are less a security scheme than a cost-savings measure. Banks know that users will come up with questions that are easy to remember—"What is 2+2?"—and thus easy for anyone with a grade-school education to guess.

Advertisement

Of course, there are ways to get around these questions. There's no law that says you have to speak the truth—all you have to do is type in something you'll remember. Don't remember your third-grade teacher's name? Call her "purple." Or if you're paranoid about security, you can always just put nonsense in the answer field—nobody will guess that your pet's name is qqzzhskjafhdlkalkfdha. But why should it be up to us to subvert the banks' stupidity?

It's easy to blame all of this—the stupid questions, the stupid answers, the stupid workarounds—on the banks. Financial institutions don't want to help you; they want you to help yourself. Their primary goal is to get us to fix our own problems without dialing a 1-800 number. On the other hand, we hate customer-service calls just as much as the banks do. The one thing more annoying than trying to remember the name of your third-grade teacher is sitting on hold, repeating your account information for the eighth time, getting disconnected, calling back …

Perhaps the reason that banks use these questions, then, is because we want them. Bruce Schneier, the security guru and CTO of BT Counterpane, sees our impatience as the driving impulse behind the security question movement: "This is security clashing with customer service, because customer service says our customers are calling and saying I forgot my password … our customers are getting pissed off." With the proliferation of online banking and all manner of e-commerce, we're accustomed to handling transactions ourselves, without the mediation of a human being. Why should resetting our passwords be any different? No matter how irritating security questions are, we demand a solution that works as we're sitting at the laptop.

But just because customers value convenience over security doesn't mean banks should. Instead of coming up with ever-more-ornate questions about teachers and toys, banks and security companies should push solutions that are safe and customer-friendly. While everyone hates calling customer service, confirming your identity on the phone (an out-of-band device) is way more secure than using an online form. RSA's Gaffan told me about a phone-based authentication system used by more than a dozen of the company's clients. At sign-up time, you enter your work, home, and cell numbers. If you lose your password, simply indicate whether you're at home, at work, or on your cell. To authenticate yourself, just answer your phone and type in a number that appears on your computer screen. There's nobody asking about your honeymoon and no stuffed animal names to remember. Sounds perfect to me. What's my favorite bank? The one that doesn't ask me stupid frigging questions.