Verizon wants to know my favorite ice cream flavor, Google's got designs on my library card number, and Wachovia needs my favorite all-time entertainer. Yahoo! is asking where I met my spouse, and Bank of America wants the details of the honeymoon. Like those squiggly pictures of letters and numbers, weird personal questions have become ubiquitous totems of online security. If you tell the bank your favorite grade-school teacher or cartoon character, the thinking goes, it'll be easy to confirm your identity when you misplace your account number. This thinking is dumb.
Consider the samples above, all real security questions from real corporations. My favorite type of ice cream is probably cookie dough, but because of the vexing onset of lactose intolerance, I don't have any preferred flavors these days. I don't generally carry my library card and have no favorite entertainer, unless baseball players count. (Howard Johnson!) I'm not married, and I didn't especially care for any of my elementary school teachers. Favorite cartoon character? It's a different Simpson every day of the week.
Banks and cable companies and wireless providers (and perhaps your employer) try to use security questions as an authenticator when you forget your password and as an extra security layer during a "suspicious login"—when you, or perhaps a hacker, try to access your account from an unfamiliar computer. That's not how it works in practice. Security questions are often impossible to answer, frequently creepy (does the power company really need to know where you met your spouse?), and rarely secure—Paris Hilton's T-Mobile account was breached by hackers who guessed the answer to her secret question, "What is your favorite pet's name?" If these questions are galling to answer and don't enhance anyone's security, why are they suddenly omnipresent?
Financial institutions have long used questions to authenticate customers. If you lost your credit card in the 1980s, American Express might have asked for your mother's maiden name before issuing you another one. But such questions have become ubiquitous online only in the last 18 months. In 2005, the Federal Financial Institutions Examination Council wrote stricter security guidelines for online banking, explaining that a simple user name/password combo wasn't strong enough to lock up financial data on the Web. The FFIEC didn't spell out what security improvements were needed, letting the banks decide for themselves. And so a thousand idiotic queries blossomed.
Most banks get their security questions from a company called RSA. Marc Gaffan, RSA's director of product marketing, says 70 to 80 percent of American banks—including Bank of America, Wachovia, ING, Washington Mutual, and Vanguard—use RSA's Adaptive Authentication program. Adaptive Authentication offers its financial clients several ways to authenticate users; along with the secret-questions option, there's an image-based system, validation via text messaging, and a program that scans public records to automatically generate questions like, "What color was the car you registered in 1994?" Despite all of these choices, RSA estimates that 90 percent of banks are using security questions—also known as "shared secrets"—with 20 to 30 percent of clients using questions coupled with another method. (Bank of America, for instance, uses images and text messaging in addition to secret questions.)
Why are secret questions so popular? For one thing, they're cheap. Gaffan says that the lost souls who call in to get their passwords reset cost a company between $10 and $15 a pop; if that customer can reset the password himself using a secret question, the company pays nothing. The IT research firm Gartner claims that a large U.S. beverage producer saved $600,000 in one year by dumping help-desk calls in favor of an "automated password reset" system.
Question-based security is particularly enticing because it doesn't require mailing out equipment—like, say, the key-fob tokens that generate one-time codes—to hundreds of thousands of users. Nor does it require spending millions to change software infrastructure. Banks have long used social security numbers and mother's maiden names to verify accounts. By comparison, an image-based or text-message-based system requires new technology, retraining call-center employees, and educating customers. Pretty much everyone has used security questions, and the concept is easy enough for even Paris Hilton to understand: Just choose a couple of answers when you sign up for an account, then regurgitate them when prompted.
While the concept of security questions is easy to grasp, the questions themselves are deeply weird and unanswerable. According to goodsecurityquestions.com, a how-to site operated by a Web usability expert, the best ones have four qualities: The answers are simple, memorable, can't be guessed easily, and don't change over time. Many questions we're all familiar with fail to match those specs. There are the ones that are too easy—I'm guaranteed to know my pet's name, but it's also elementary for a hacker to score that information. On the other side are the questions you can't answer or won't remember how you answered—your first-grade teacher's last name, your favorite rock band.
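Two points above are worth seeing in working code: the mechanism itself (pick an answer at sign-up, hand it back when prompted) and the "can't be guessed easily" test that most questions fail. The example below is an added illustration, not code from the article, RSA, or any bank. It stores answers the way passwords should be stored (normalized, salted, slow-hashed) with a lockout after five misses, then measures how far a remote attacker who knows nothing about the victim gets by simply trying the most popular answers before the lockout trips. The answer populations are constructed for illustration, not survey data, and the hash iteration count and attempt limit are assumed parameters.

```python
import hashlib
import hmac
import math
import os

# Assumed parameters (not from RSA or any bank): a slow password hash for
# the stored answer and a lockout after five wrong guesses.
PBKDF2_ITERATIONS = 100_000
MAX_ATTEMPTS = 5


def normalize(answer: str) -> str:
    """Case-fold and drop whitespace so 'Tinker Bell' matches 'tinkerbell'.
    Answers are memorable rather than precise, so the verifier must be lenient."""
    return "".join(answer.casefold().split())


def enroll(answer: str) -> dict:
    """Store the answer like a password: salted, slow-hashed, never in clear."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "failures": 0}


def verify(record: dict, guess: str) -> bool:
    """Check a guess against the stored record, counting misses toward lockout."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False  # locked out: even the right answer is refused now
    digest = hashlib.pbkdf2_hmac("sha256", normalize(guess).encode("utf-8"),
                                 record["salt"], PBKDF2_ITERATIONS)
    if hmac.compare_digest(digest, record["digest"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


# Constructed answer populations: illustrative counts among 1,000 hypothetical
# customers (not survey data). The second element is how many gave some rarer
# answer outside the listed top five.
PET_NAMES = ({"Max": 120, "Bella": 110, "Buddy": 95, "Charlie": 90, "Lucy": 85}, 500)
ICE_CREAM = ({"Vanilla": 290, "Chocolate": 170, "Cookie dough": 100,
              "Strawberry": 80, "Mint chip": 60}, 300)
TEACHER_SURNAME = ({"Smith": 10, "Johnson": 8, "Williams": 7, "Brown": 6, "Jones": 6}, 963)


def success_probability(counts: dict, tail: int, k: int = MAX_ATTEMPTS) -> float:
    """Chance that an attacker who tries the k most popular answers (all the
    lockout allows) hits a customer chosen at random."""
    total = sum(counts.values()) + tail
    top = sorted(counts.values(), reverse=True)[:k]
    return sum(top) / total


def min_entropy_bits(counts: dict, tail: int) -> float:
    """Min-entropy: -log2 of the single most likely answer's share.
    A four-digit PIN is about 13.3 bits by the same measure."""
    total = sum(counts.values()) + tail
    return -math.log2(max(counts.values()) / total)


def popularity_attack(record: dict, counts: dict, k: int = MAX_ATTEMPTS):
    """Run the k most popular answers through verify(); return the winning
    guess, or None if the lockout budget ran out first."""
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:k]
    for guess, _ in ranked:
        if verify(record, guess):
            return guess
    return None


if __name__ == "__main__":
    for name, (counts, tail) in [("pet's name", PET_NAMES), ("ice cream", ICE_CREAM),
                                 ("first-grade teacher", TEACHER_SURNAME)]:
        print(f"{name:20s} P(hit in {MAX_ATTEMPTS} guesses) = "
              f"{success_probability(counts, tail):.2f}, "
              f"min-entropy = {min_entropy_bits(counts, tail):.1f} bits")
    victim = enroll("Bella")
    print("popularity attack on a 'Bella' owner:", popularity_attack(victim, PET_NAMES[0]))
```

With these constructed numbers the attacker needs no research at all: five guesses open half the "pet's name" accounts and 70 percent of the "favorite ice cream" accounts, because both answer spaces are tiny and lopsided. The teacher's surname resists the popularity attack (under 4 percent), but that is exactly the question nobody can answer six months later, which is the other half of the article's complaint. Note that the lockout is what bounds the attack; without it the slow hash only slows an online guesser, it does not stop one.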