Why are bank security questions so monstrously stupid?

Jan. 29 2008 4:51 PM

In What City Did You Honeymoon?

And other monstrously stupid bank security questions.

Illustration by Mark Alan Stamaty.

Verizon wants to know my favorite ice cream flavor, Google's got designs on my library card number, and Wachovia needs my favorite all-time entertainer. Yahoo! is asking where I met my spouse, and Bank of America wants the details of the honeymoon. Like those squiggly pictures of letters and numbers, weird personal questions have become ubiquitous totems of online security. If you tell the bank your favorite grade-school teacher or cartoon character, the thinking goes, it'll be easy to confirm your identity when you misplace your account number. This thinking is dumb.

Josh Levin

Josh Levin is Slate's executive editor.

Consider the samples above, all real security questions from real corporations. My favorite type of ice cream is probably cookie dough, but because of the vexing onset of lactose intolerance, I don't have any preferred flavors these days. I don't generally carry my library card and have no favorite entertainer, unless baseball players count. (Howard Johnson!) I'm not married, and I didn't especially care for any of my elementary school teachers. Favorite cartoon character? It's a different Simpson every day of the week.


Banks and cable companies and wireless providers (and perhaps your employer) try to use security questions as an authenticator when you forget your password and as an extra security layer during a "suspicious login"—when you, or perhaps a hacker, try to access your account from an unfamiliar computer. That's not how it works in practice. Security questions are often impossible to answer, frequently creepy (does the power company really need to know where you met your spouse?), and rarely secure—Paris Hilton's T-Mobile account was breached by hackers who guessed the answer to her secret question, "What is your favorite pet's name?" If these questions are galling to answer and don't enhance anyone's security, why are they suddenly omnipresent?

Financial institutions have long used questions to authenticate customers. If you lost your credit card in the 1980s, American Express might have asked for your mother's maiden name before issuing you another one. But such questions have become ubiquitous online only in the last 18 months. In 2005, the Federal Financial Institutions Examination Council wrote stricter security guidelines for online banking, explaining that a simple user name/password combo wasn't strong enough to lock up financial data on the Web. The FFIEC didn't spell out what security improvements were needed, letting the banks decide for themselves. And so a thousand idiotic queries blossomed.

Most banks get their security questions from a company called RSA. Marc Gaffan, RSA's director of product marketing, says 70 to 80 percent of American banks—including Bank of America, Wachovia, ING, Washington Mutual, and Vanguard—use RSA's Adaptive Authentication program. Adaptive Authentication offers its financial clients several ways to authenticate users; along with the secret-questions option, there's an image-based system, validation via text messaging, and a program that scans public records to automatically generate questions like, "What color was the car you registered in 1994?" Despite all of these choices, RSA estimates that 90 percent of banks are using security questions—also known as "shared secrets"—with 20 to 30 percent of clients using questions coupled with another method. (Bank of America, for instance, uses images and text messaging in addition to secret questions.)

Why are secret questions so popular? For one thing, they're cheap. Gaffan says that the lost souls who call in to get their passwords reset cost a company between $10 and $15 a pop; if that customer can reset the password himself using a secret question, the company pays nothing. The IT research firm Gartner claims that a large U.S. beverage producer saved $600,000 in one year by dumping help-desk calls in favor of an "automated password reset" system.

Question-based security is particularly enticing because it doesn't require mailing out equipment—like, say, random-number generators—to hundreds of thousands of users. Nor does it require spending millions to change software infrastructure. Banks have long used social security numbers and mother's maiden names to verify accounts. By comparison, an image-based or text-message-based system requires new technology, retraining call-center employees, and educating customers. Pretty much everyone has used security questions, and the concept is easy enough for even Paris Hilton to understand: Just choose a couple of answers when you sign up for an account, then regurgitate them when prompted.

While the concept of security questions is easy to grasp, the questions themselves are deeply weird and unanswerable. According to goodsecurityquestions.com, a how-to site operated by a Web usability expert, the best ones have four qualities: The answers are simple, memorable, can't be guessed easily, and don't change over time. Many questions we're all familiar with fail to match those specs. There are the ones that are too easy—I'm guaranteed to know my pet's name, but it's also elementary for a hacker to score that information. On the other side are the questions you can't answer or won't remember how you answered—your first-grade teacher's last name, your favorite rock band.
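The "can't be guessed easily" criterion above can be put in numbers. The following Python script is an added illustration, not code from the article or from goodsecurityquestions.com; the answer frequencies it uses for "What is your favorite pet's name?" are constructed sample values, not survey data. It compares how often an attacker succeeds by trying only the most common answers with the guessing resistance of a random password, and shows the kind of normalization and common-answer check a sign-up form could apply as a mitigation.

```python
"""Quantify how guessable a security-question answer space is.

Added illustration, not from the Slate article. PET_NAME_SHARE holds
constructed (hypothetical) frequencies, not real survey results.
"""
import math
import unicodedata

# Constructed example: share of users who would give each answer to
# "What is your favorite pet's name?"; the remaining mass is spread
# thinly over many other names and is ignored here.
PET_NAME_SHARE = {
    "max": 0.06, "bella": 0.05, "buddy": 0.04, "charlie": 0.04,
    "lucy": 0.03, "daisy": 0.03, "molly": 0.03, "rocky": 0.02,
}


def normalize(answer: str) -> str:
    """Canonicalize an answer so 'Cookie Dough ' and 'cookie dough' compare equal.

    Unicode compatibility normalization, case folding and whitespace
    collapsing are applied before storing or comparing an answer.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def top_k_success(dist: dict, k: int) -> float:
    """Probability that an attacker who tries the k most common answers gets in."""
    shares = sorted(dist.values(), reverse=True)
    return sum(shares[:k])


def min_entropy_bits(dist: dict) -> float:
    """Min-entropy: -log2 of the most likely answer's share.

    This is the figure that matters for a one-shot guess; Shannon entropy
    would overstate the protection a skewed answer distribution gives.
    """
    return -math.log2(max(dist.values()))


def password_min_entropy_bits(alphabet_size: int, length: int) -> float:
    """Min-entropy of a uniformly random password, for comparison."""
    return length * math.log2(alphabet_size)


def is_acceptable_answer(answer: str, blocklist: set, min_len: int = 4) -> bool:
    """Defensive check a sign-up form could run.

    Refuses answers that are on the common-answer list or too short to
    carry any uncertainty. The blocklist is assumed to contain already
    normalized strings.
    """
    canon = normalize(answer)
    return len(canon) >= min_len and canon not in blocklist


if __name__ == "__main__":
    print(f"5 guesses succeed {top_k_success(PET_NAME_SHARE, 5):.0%} of the time")
    print(f"pet-name min-entropy: {min_entropy_bits(PET_NAME_SHARE):.1f} bits")
    print(f"8-char random password: {password_min_entropy_bits(62, 8):.1f} bits")
    print("'Max' accepted:", is_acceptable_answer("Max", set(PET_NAME_SHARE)))
```

With the constructed distribution, five guesses succeed about a fifth of the time and the most common answer gives roughly four bits of min-entropy, against nearly 48 bits for an eight-character random password; that gap is the precise sense in which a pet's name is "elementary for a hacker to score". The normalization step is also what a responsible implementation needs before hashing a stored answer, so that legitimate users are not locked out by capitalization or stray spaces.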
