We have already illustrated that security questions are not secure, yet they will remain in use for some time to come. The problem is that many security questions and answers rely on immutable facts, which is akin to having a never-changing password reused in many different places. Is it not disproportionate to enforce a password policy of minimum eight characters, mixed upper and lower case, numbers and symbols, and then allow someone to reset that password using your first school, the name of your dog and your mother’s maiden name?
With every data breach, more information about individuals enters the public domain. Combined with the information that people openly provide on social media, this means the answers to the majority of security questions, being based on unchangeable historical facts, are readily available for use. It is also likely that large quantities of stolen data from multiple sources have already been correlated to build a bigger picture of individual people. If this is not already true, it is a safe assumption that it will be in the future. Here are some thoughts on how to adapt:
- The most crucial point is that, for the concept of security questions to work, the questions and answers need to be treated with the same level of importance as usernames and passwords. Remember that security questions can reset and override the need for passwords or PINs.
- Advice that people should use different passwords for different systems is ubiquitous; for security questions to have any security value, the same approach needs to be applied. It is daunting to think of having 200 mothers and needing to change them all every 60 days, but it is not that bad; having one mother and multiple maiden names is sufficient. Having a mother who was once called ‘Miss Yr66£1&Ld’ is also acceptable. It is amusing to be asked to confirm this by telephone. What is not funny is the answer being accepted by phone after giving only the first three characters. Some systems treat the answers to security questions like passwords: call centre staff must correctly type the full answer to access customer data. This approach provides an extra level of security, because call centre staff cannot access customer data when the customer is not present on the call.
- Exercising a certain amount of security due diligence when being asked for information is essential, and it will require a judgement call. What is reasonable and unreasonable is somewhat subjective, but companies should only request the minimum information necessary to fulfil their purpose. Name and address are obvious requirements if you place an online order that needs to be delivered, but you would not expect to be asked for a date of birth when placing an order.
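The contrast drawn above between a system that accepts the first three characters of an answer and one that requires staff to type the full answer is worth showing in code. The following is an added example, not code from the original article: it stores a security answer the way a password should be stored (salted PBKDF2 hash, full-answer constant-time comparison) beside the weak prefix check, and also shows that enrolling the same answer with two services produces unrelated digests. The function names, the iteration count and the sample answer records are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# PBKDF2 iteration count chosen for this demo (assumption); production systems
# should tune this to their hardware and use a dedicated password hash.
ITERATIONS = 200_000


def normalize(answer: str) -> str:
    # Trim surrounding whitespace and case-fold so that "Yr66£1&Ld" and
    # " yr66£1&ld " verify identically; otherwise the answer is a password.
    return answer.strip().casefold()


def enrol_answer(answer: str) -> dict:
    # Store only a per-record salt and the derived digest, never the answer.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt, "digest": digest, "iterations": ITERATIONS}


def verify_answer(record: dict, attempt: str) -> bool:
    # The caller (a web form or the call-centre agent's screen) must supply the
    # whole answer; there is no way to check part of it against a hash.
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalize(attempt).encode("utf-8"),
        record["salt"],
        record["iterations"],
    )
    return hmac.compare_digest(candidate, record["digest"])


def weak_prefix_check(stored_plaintext: str, attempt: str, prefix_len: int = 3) -> bool:
    # The pattern criticised in the text: answer kept in plaintext and only the
    # first few characters compared, so a short guess is enough.
    return normalize(stored_plaintext)[:prefix_len] == normalize(attempt)[:prefix_len]


def same_answer_different_digests(answer: str) -> bool:
    # Enrolling one answer with two services yields unrelated stored values
    # because each record has its own salt; one breach does not reveal the other.
    a = enrol_answer(answer)
    b = enrol_answer(answer)
    return a["digest"] != b["digest"] and verify_answer(a, answer) and verify_answer(b, answer)


if __name__ == "__main__":
    # Constructed sample answer from the article's example.
    record = enrol_answer("Yr66£1&Ld")
    print("weak prefix check accepts 'Yr6':", weak_prefix_check("Yr66£1&Ld", "Yr6"))
    print("hashed full check accepts 'Yr6':", verify_answer(record, "Yr6"))
    print("hashed full check accepts full answer:", verify_answer(record, " yr66£1&ld "))
```

The hashed record cannot be partially matched at all, which is what forces the full answer to be typed; the weak check passes with three characters because the plaintext is available to compare against.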
Companies have not caught up with the idea that someone can have a cat called ‘G8ssJe4£!’. Being asked once to pronounce his name was followed by an explanation that the answer to my security question needed to be factual, and could I give the real name so they could update my records. Not having a cat made that close to impossible.
Robert is an information security consultant with over 20 years of experience across various organisations, both in the United Kingdom and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Contact Robert directly through LinkedIn.