security questions

Matt Ball matt.ball at ieee.org
Wed Aug 6 14:24:55 EDT 2008


On Wed, Aug 6, 2008 at 9:23 AM, Peter Saint-Andre wrote:
>
> Wells Fargo is requiring their online banking customers to provide answers to security questions such as these:
>
> ***
>
> What is the name of the hospital in which your first child was born?
...
> What was your most memorable gift as a child?
>
> ***
>
> It strikes me that the answers to many of these questions might be public information or subject to social engineering attacks...
>
> Peter

Of course, this problem isn't limited to Wells Fargo: I think pretty
much all banks do it.

I've given this some thought, and am writing a program called "maiden"
(short for "mother's maiden name") for cryptographically answering
these questions.

The basic idea is that you take either a pass phrase or strong secret,
combine it with the question, compute the SHA hash, and use this to
create a word that looks semi-pronounceable as the answer to the
question.

Right now, I don't answer any of these questions with any guessable
information -- it's all the result of a cryptographic operation on the
question and a hidden secret.

Cheers,
-Matt

--
Thanks!
Matt Ball, IEEE P1619.x SISWG Chair
M.V. Ball Technical Consulting, Inc.
Phone: 303-469-2469, Cell: 303-717-2717
http://www.mvballtech.com
http://www.linkedin.com/in/matthewvball

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
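Added example of the scheme Matt describes, written for this page and not code from his "maiden" program or from the original post. It takes a secret and a question, keys a hash with the secret, and spells the output as an alternating consonant/vowel word. Everything beyond the post's two sentences is an assumption of this example: HMAC-SHA256 rather than a plain hash over secret plus question, a per-site label so the same question at two banks yields different answers, normalization of the question text so a trailing "?" or a double space does not change the answer, rejection sampling so letters are drawn uniformly, and a helper that reports how many bits of guessing entropy a given answer length carries (the real floor is still the secret and the site's lockout policy).

```python
"""Derive deterministic, pronounceable security-question answers.

Added example, not Matt Ball's "maiden" program.  The per-site label,
HMAC-SHA256 keying, question normalization and letter alphabets are
assumptions of this example, not details from the post.
"""
import hashlib
import hmac
import math
import re
import unicodedata

# Unambiguous letters only (no l/o/q etc.), so the answer can be read
# back over the phone to a bank representative.
CONSONANTS = "bdfgkmnprstvz"
VOWELS = "aeiou"


def normalize_question(question: str) -> str:
    """Lowercase, strip accents and punctuation, collapse whitespace.

    Sites reword punctuation and spacing over time; the answer must not
    change when "What is name of the hospital?" becomes "what is name of
    the hospital".
    """
    text = unicodedata.normalize("NFKD", question)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(text.split())


def _byte_stream(secret: bytes, msg: bytes):
    """HMAC-SHA256(secret, msg || counter) blocks, yielded byte by byte."""
    counter = 0
    while True:
        block = hmac.new(secret, msg + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        yield from block
        counter += 1


def _unbiased_index(stream, n: int) -> int:
    """Pick an index in [0, n) without modulo bias (rejection sampling)."""
    limit = 256 - (256 % n)
    for b in stream:
        if b < limit:
            return b % n
    raise RuntimeError("stream is infinite; unreachable")


def derive_answer(secret: str, site: str, question: str,
                  length: int = 12) -> str:
    """Return a pronounceable answer bound to (secret, site, question)."""
    if length < 1:
        raise ValueError("length must be positive")
    # NUL separates the site label from the question (domain separation).
    msg = f"{site.strip().lower()}\x00{normalize_question(question)}".encode()
    stream = _byte_stream(secret.encode(), msg)
    letters = []
    for i in range(length):
        alphabet = CONSONANTS if i % 2 == 0 else VOWELS
        letters.append(alphabet[_unbiased_index(stream, len(alphabet))])
    return "".join(letters)


def entropy_bits(length: int) -> float:
    """Guessing entropy of an answer of this length, in bits.

    Each consonant slot contributes log2(13) and each vowel slot log2(5);
    a 12-letter answer is about 36 bits, well beyond what a bank's
    lockout after a few wrong attempts will ever let an attacker test.
    """
    return sum(math.log2(len(CONSONANTS) if i % 2 == 0 else len(VOWELS))
               for i in range(length))


if __name__ == "__main__":
    # Constructed sample input, not real credentials.
    secret = "correct horse battery staple"
    q = "What is the name of the hospital in which your first child was born?"
    print(derive_answer(secret, "wellsfargo.com", q),
          f"({entropy_bits(12):.1f} bits)")
```

The one thing this scheme cannot fix is the secret itself: lose the passphrase and every derived answer is gone, so the secret needs the same backup discipline as a password-manager master key. The site label matters for the same reason salts do; without it, a breach at one institution that leaks your answers would hand the same string to any other site asking the same question.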