
When is a Security Question (tm) not a security question?


Aaaaaaaaaaaaaaaargh!
27th Sep 2008, 14:24
I do pretty much all my banking online now. I've watched as banks and credit card companies have developed their online systems, and I've noticed a disturbing trend in one of the new security features: the 'Security Question'.

You know the ones; they are questions they can ask you when you forget your account ID or password, and only you are supposed to know the answer.

Except - and they probably didn't think of this - once you type them into a bank's system, other people know the answers :rolleyes:

So who was your first grade teacher? What street did you grow up on? What is the name of your pet? etc etc

If knowledge is power, then information is currency, and these are not good nuggets of information to have floating about in the ether. And no, they're not necessarily encrypted in the company's database, though that might help.

Think about it. Do you really want to be typing this stuff into a computer? After all, it's information that is so unique, so private and so utterly useless that only you could know it ... which means that if anyone else ever knows it, they HAVE to be you, right? Because who else but you would know your teacher and your pet?

How to deal with it? I now use two passwords: one is the real password for the application, and the other I enter as the answer to the Security Question. It might still get breached, but if it does, they won't know the intimate details of my life.

ChrisLKKB
27th Sep 2008, 16:02
Think about it. Do you really want to be typing this stuff into a computer? After all, it's information that is so unique, so private and so utterly useless that only you could know it ... which means that if anyone else ever knows it, they HAVE to be you, right? Because who else but you would know your teacher and your pet?

My solution is: don't bank online. The only financial details that go into my PC are those of my credit card. I don't even like that, but at least the credit card companies have an interest in preventing fraudulent activity on the card, as it's their money.

A friend of mine worked on server security for a very large global corporation before moving on to bigger and better things, and even to this day he won't bank online.

BombayDuck
29th Sep 2008, 15:54
Mr. A - Except - and they probably didn't think of this - once you type them in to a bank's system, other people know the answers

Not really - the answer is scrambled using high encryption and stored. When you forget your password and they ask you the question, your answer is scrambled and compared with the stored encrypted answer. Using sufficiently strong encryption (128-bit and such), it would require lots of time for the average supercomputer to unscramble the answer.

The real danger is when someone who knows you well wants to break in (ex-wife?). They know your mother's maiden name, your kids' birthdays and your car numbers.

My suggestion is to always answer it wrong - when asked "mother's maiden name", for example, answer with your own middle name or that of a friend. Slightly trickier for you but MUCH tougher for someone else to catch - and more accounts are "hacked" into this way than through real hacking.
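
The hash-and-compare storage described in the post above, together with the offline guessing that the "always answer it wrong" advice here (and the two-password approach in the opening post) defends against, as an added example in Python. This is not code from the thread or from any bank; the function names, the salt size, the iteration count and the short list of surnames are assumptions constructed for the demo.

```python
"""Salted, slow hashing of a security-question answer, plus a dictionary
attack over a constructed list of common answers.

Added example; not code from the thread or from any bank. Function names,
the salt size, the iteration count and the surname list are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import unicodedata
from typing import Iterable, Optional

# Constructed sample of "common" answers an attacker would try first.
COMMON_SURNAMES = [
    "smith", "jones", "williams", "taylor", "brown", "davies",
    "evans", "wilson", "thomas", "roberts", "johnson", "walker",
]

PBKDF2_ITERATIONS = 100_000  # assumed value: slow enough to matter, quick enough to demo


def normalize(answer: str) -> str:
    """Canonicalise an answer so 'Smith ', 'SMITH' and 'smith' all match.
    This has to happen before hashing: once only the digest is stored,
    a case-insensitive comparison is no longer possible."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def store_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """Return the record a server would keep: a per-answer random salt, the
    iteration count and the PBKDF2-HMAC-SHA256 digest. The plaintext is not kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def verify_answer(record: dict, attempt: str) -> bool:
    """Recompute the digest of the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(attempt).encode("utf-8"),
        record["salt"], record["iterations"],
    )
    return hmac.compare_digest(digest, record["hash"])


def dictionary_attack(record: dict, candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against a leaked record: the digest itself reveals
    nothing, but every candidate can be tried with no lockout in the way."""
    for candidate in candidates:
        if verify_answer(record, candidate):
            return candidate
    return None


def random_answer(nbytes: int = 16) -> str:
    """A second 'password' used as the answer, as the posters describe:
    unrelated to the user's life and far outside any dictionary."""
    return secrets.token_urlsafe(nbytes)


def demo() -> dict:
    """Store a guessable answer and a random one, attack both, report results."""
    weak = store_answer("Jones")
    strong = store_answer(random_answer())
    return {
        "weak_recovered": dictionary_attack(weak, COMMON_SURNAMES),     # "jones"
        "strong_recovered": dictionary_attack(strong, COMMON_SURNAMES),  # None
    }


if __name__ == "__main__":
    print(demo())
```

The digest is salted and deliberately slow, yet a real surname still falls to a dozen guesses: what the hash buys is bounded by how guessable the answer is, not by the key length of the scheme around it. A random string as the answer makes the guessing space large enough for the hashing to matter, while online guessing against a live bank is limited by lockouts and rate limits, not by the storage format.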

muppetbum
29th Sep 2008, 18:18
This is why you have to be really wary of posts on forums that invite you to do things like "generate your porn star name by using your mother's maiden name and the name of your first pet". They are a haven for people trawling for that kind of info.

My bank has started to get really clever by asking security questions like "oh, and do you still work at so-and-so location?" where the answer is actually "errm, no, I've never worked there".

Blues&twos
29th Sep 2008, 20:14
My bank recently asked me which supermarket I had used recently as a security question. Unbelievably, the conversation went:

Me: "Errrmm. Tesco?"
Bank: "Oh. No. Any others....recently?"
Me: "Well, it could be Somerfield, I suppose"
Bank: "Er, no. Have you used any others?"
Me: "The only other one is Waitrose"
Bank: "There's another one...."
Me: "I don't think so. I bought some petrol last week from Tesco in Haverfordwest. Is that what you mean?"
Bank: "You haven't mentioned Morrisons"
Me: "Oh yeah, Morrisons. I don't usually use them, but I did recently".
Bank: "That's OK, how much do you wish to transfer?"

?????!!!!!

SXB
29th Sep 2008, 20:33
The unauthorised accessing of online bank accounts and credit cards is still mostly down to people being careless with their own account numbers and passwords. I've lost count of the number of times I've told my wife to stop writing down her password and leaving it next to the PC. The banks do everything they can to limit fraud because they're the ones who end up paying for it.

Also, security questions are more linked with telephone banking than with online banking. At my bank, if you forget your online password then you either have to call in at your own branch or write to them; either way you'll get a new setup procedure via registered post about a week later.

frostbite
29th Sep 2008, 21:05
I don't use any proper words for passwords anywhere.

All totally made up, not even combinations of words. I have a knack for remembering them, and yet I sometimes struggle to remember what day it is.

Roger Sofarover
30th Sep 2008, 01:37
muppetbum

OMG!!!

This is why you have to be really wary of posts on forums that invite you to do things like "generate your porn star name by using your mother's maiden name and the name of your first pet"

I remember that thread! It got a large number of replies. I never gave it a second thought when I was reading it; it just seemed like fun. I don't think the thread is still around, it seems to have gone. Was that a social experiment by someone to see how easily we would part with information?? A large number of people contributed. OMG! :eek::eek:

Aaaaaaaaaaaaaaaargh!
30th Sep 2008, 01:45
My bank has started to get really clever by asking security questions like "oh, and do you still work at so-and-so location?" where the answer is actually "errm, no, I've never worked there"

Ha! I'm in IT and a contractor, so to actually have "worked" there.....it's a very broad definition.

either way you'll get a new setup procedure via registered post about a week later.

Oh, that's funny. Yes, it's a good one. A week!!!!????!!!!???? :zzz:

Captain Stable
30th Sep 2008, 09:03
At my bank if you forget your online password then you either have to call in at your own branch or write to them, either way you'll get a new setup procedure via registered post about a week later.

Sounds like a very good way to encourage people to write their passwords down and put them next to the computer.