Insecurity questions (Part 1)

‘Can we take you through security?’ is a very common question these days but just how secure are the questions being asked. There must be a point at which some become irrelevant such as mother’s maiden name and date of birth. With many companies asking for this information it must sooner or later become extremely difficult to remember who has what information. If specific security questions were limited to a specific profile of company, such as mother’s maiden name only being used for banking security, then its use would be somewhat limited and have more value.

While participating in a large information security improvement programme in the financial services sector, I met someone who had a creative solution to security questions; she had different mother’s maiden names for different companies, and a 2nd date of birth for any company she deemed didn’t really have the right to know when she was born.

Efforts have been made to diversify security questions but not without their own set of concerns and voiced frustrations. I refer to many instances where banks have called petrol stations to verify card holder identity and placed customers in a situation where they are unable to answer the questions, after the petrol tank had been filled. It certainly makes the account more secure but there is a trade-off between security and availability/usability for the genuine customer. What shows up on the bank statement isn’t always the same as what the customer expects to see.  For example, where a purchase is made from a store with a recognised brand name, but the transaction shows up as a registered company name. Customers are then asked about transactions from a company and they are not able to answer. These types of security questions do make it harder to breach using a set of immutable facts, but the answers might not be readily available when asked.

In one case I knew I had purchased something from a pharmacy. The caller told me all the details of the transaction except the name of the chemist and wanted me to confirm the name as a security question. There was no doubt in this case that the call was genuine, but I was not able to answer the question to their satisfaction. At a later date I was able to see that on the bank statement it showed the personal name of the pharmacist and not the business name.

How often does someone call you, then asks to take you through security questions, followed by shock and surprise if you say ‘What? You called me! I need to take you through security’. In most cases people respond by answering security questions.  This makes them very open to phishing attacks and harvesting of answers to so-called security questions, so it is understandable if someone feels the need to store in a vault their mother’s maiden names, dates of birth and other random information along with passwords which would be different for every service provider. Can you imagine the response you would get if asked for your date of birth and you said, ‘Give me a second, just opening my vault to check’, followed by ‘It’s a security question remember, everyone gets a different date’.

General observations are:

  • Security questions reflect facts about someone, facts which never change. If these are used on a website which is subsequently compromised, the security questions become permanently insecure.
  • Too much personal information is being requested which far exceeds the legitimate need for gathering and processing, and for the most part people feel compelled to answer because they are being asked
  • Security questions a far more valuable than passwords as they are often used to override the need for a password, such as when a password is forgotten
  • Answers to the most popular security questions can be found in a lot of cases through a combination of public records and social media websites
  • There is so much personal information out there that it undermines the very notion of security questions
  • Security questions are often so insecure that the only real solution is to use made-up answers and treat them like passwords

Using varied security questions based on very recent activity will improve security, but in the case of creatures of habit, the correct answer as it was 6 months ago could still be correct today.