security questions

Leichter, Jerry leichter_jerrold at emc.com
Wed Aug 6 12:17:53 EDT 2008


On Wed, 6 Aug 2008, Peter Saint-Andre wrote:
| Wells Fargo is requiring their online banking customers to provide
| answers to security questions such as these:
| 
| ***
| 
| What is name of the hospital in which your first child was born?
| What is your mother's birthday? (MMDD)
| What is the first name of your first roommate in college?
| What is the name of the first street you lived on as a child?
| What year did you start junior high/middle school? (YYYY)
| What is your oldest sibling's nickname?
| What is your dream occupation?
| What is your spouse's nickname?
| In what city was your father born?
| What is the name of the high school you attended?
| What is your best friend's first name?
| What is the name of the junior high/middle school you attended?
| What is the first name of your maternal grandfather (mother's father)?
| What is the name of your favorite childhood superhero?
| In what city did you meet your spouse?
| In what city did your parents meet?
| In what city did you attend high school?
| What is name of the hospital in which you were born?
| What is the last name of your favorite teacher?
| In what city was your maternal grandmother (mother's mother) born?
| What was your most memorable gift as a child?
| 
| ***
| 
| It strikes me that the answers to many of these questions might be
| public information or subject to social engineering attacks...
These kinds of questions used to bother me.  Then I realized that
*I could lie*.  As long as *I* remember that I answer "What is your
mother's maiden name" with "xyzzy", the site and I can be happy.

Well ... happier, anyway.  The only way to remain sane if you take
this approach is to use the same answer at every site that asks
these security questions.  But that's not good, especially since
most of these sites appear to make the *actual value you specified*
available to their call centers.  This is nice if you can't remember
the exact capitalization you used, but it does, of course, leak more
information than you'd rather have out there readily accessible.

For Web sites these days, I generate random strong passwords and keep
them on a keychain on my Mac.  Actually, the keychain gets synchronized
automatically across all my Macs using .mac/MobileMe (for all their
flaws).  When I do this, I enter random values that I don't even
record for the security questions.  Should something go wrong, I'm
going to end up on the phone with a rep anyway, and they will have
some other method for authenticating me (or, of course, a clever
social-engineering attacker).

The only alternative I've seen to this whole approach is sold by
RSA (owned by EMC; I have nothing to do with the product, but will
note my association with the companies) which authenticates based on
real-world data.  For example, you might be asked where you got
coffee this morning if your credit card shows such a charge.  This
approach is apparently quite effective if used correctly - though
it does feel pretty creepy.  (They were watching me buy coffee?)

							-- Jerry
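An added example, not from Jerry's message or the thread: the dilemma above is that a single made-up answer ("xyzzy") is easy to remember but is then reused at every site, while fully random answers are unguessable but have to be stored somewhere. One middle path is to derive a distinct answer per (site, question) from a single master secret with HMAC-SHA256, so that one call centre reading an answer back leaks nothing about any other site, and to compare its guessing space with the "MMDD"-style questions quoted above. The site names, question strings and master secret are constructed for the example; the base32 grouping is an assumption chosen so an answer can be read over the phone without 0/O or 1/l ambiguity.

```python
"""Per-site answers to "security questions" derived from one master secret.

Added example, not code from the thread. Approach (an assumption, not
anything the post recommends): answer = HMAC-SHA256(master, site||question),
rendered as lower-case base32 in hyphenated groups.
"""
import base64
import hashlib
import hmac
import math
import secrets
import unicodedata

# RFC 4648 base32 alphabet (lower-cased): no 0/1/8/9, so it survives being
# read aloud to a call-centre rep without O/0 or l/1 confusion.
ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def _canon(text: str) -> str:
    """Normalise site/question text so trivial rewording gives the same answer."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def _grouped(body: str, group_len: int) -> str:
    return "-".join(body[i:i + group_len] for i in range(0, len(body), group_len))


def derive_answer(master_secret: bytes, site: str, question: str,
                  groups: int = 5, group_len: int = 4) -> str:
    """Deterministic answer: groups*group_len base32 chars (5 bits each).

    The NUL separator keeps ("ab", "c") and ("a", "bc") distinct after
    canonicalisation; 32 digest bytes yield 52 base32 chars, enough for
    up to 52 characters of answer.
    """
    label = (_canon(site) + "\x00" + _canon(question)).encode("utf-8")
    digest = hmac.new(master_secret, label, hashlib.sha256).digest()
    chars = base64.b32encode(digest).decode("ascii").lower().rstrip("=")
    needed = groups * group_len
    if needed > len(chars):
        raise ValueError("answer longer than one SHA-256 digest supports")
    return _grouped(chars[:needed], group_len)


def random_answer(groups: int = 5, group_len: int = 4) -> str:
    """Throwaway answer in the same shape, for the 'never record it' approach."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(groups * group_len))
    return _grouped(body, group_len)


def answer_bits(groups: int = 5, group_len: int = 4) -> float:
    """Guessing entropy of a derived/random answer: 5 bits per base32 char."""
    return 5.0 * groups * group_len


def question_space_bits(n_possible_answers: int) -> float:
    """Guessing entropy of a 'real' answer with n equally likely values."""
    return math.log2(n_possible_answers)


if __name__ == "__main__":
    # Constructed inputs; the master secret would live in a password manager
    # or keychain, as the post describes doing for site passwords.
    master = b"correct horse battery staple (constructed, not a real secret)"
    q = "In what city was your father born?"
    for site in ("Wells Fargo", "Some Other Bank"):
        print(f"{site:16s} {q!r:40s} -> {derive_answer(master, site, q)}")
    print("throwaway:", random_answer())
    # A birthday given as MMDD has at most 366 values: ~8.5 bits.
    print(f"MMDD question: {question_space_bits(366):.1f} bits; "
          f"derived answer: {answer_bits():.0f} bits")
```

Rotating the master secret, or deliberately changing one site's answer after a breach, means re-entering that site's derived answer; the "throwaway" variant has no such bookkeeping but, as the post notes, leaves you depending on the call centre's other authentication method if you ever need it.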

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com