We have already illustrated that security questions are not secure, but this will continue for some time to come. It is more about how to adapt to the situation in a secure way rather than complaining too much about it. To start with the problem is that a lot of security questions and answers are based on immutable facts which is akin to having a password that never changes, and which is used in many different places. So why go to all the trouble of enforcing a password policy of minimum 8 characters, mixed upper case and lower case, and including numbers and symbols, then allowing it to be reset by telling someone the name of your first school, the name of your dog and your mother’s maiden name?
With every data breach, more information about individuals becomes available in the public domain. This, combined with information that people are openly providing on social media, results in the answers to the majority of security questions, based on historical unchangeable facts, being known and can be used. It is also likely that large quantities of stolen data from multiple sources can be correlated to build a bigger picture of individual people. If this is not already true, it is a safe assumption that it will be true in the future. Here are some thoughts on how to adapt:
- The most important point is that for the concept of security questions to work, the questions and answers need to be treated with the same level of importance as usernames and passwords. This is true so long as security questions can override the need for passwords or PINs.
- Advice that people should use different passwords for different systems is ubiquitous, however for security questions to have security value, the same approach needs to be applied. It is daunting to think of having 200 mothers and needing to change them all every 60 days, but it’s not that bad; having 1 mother and multiple maiden names is sufficient. Also having a mother who was once called ‘Miss Yr66£1&Ld’ is acceptable. It is amusing when asked to confirm this by telephone. What is not funny is it being accepted by phone after giving only the first 3 characters. Some systems treat the answers to security questions like passwords and they must be fully and correctly typed by call centre staff. This provides an extra level of security which prevents call centre staff from accessing customer data when the customer is not present on the call.
- Exercising a certain amount of security due diligence when being asked for information is essential and will require a judgement call to be made. What is reasonable and unreasonable is somewhat subjective and companies should only be requesting the minimum information required to fulfil their purpose. Name and address are obvious requirements if you place an online order which needs to be delivered, but you would not expect to be asked for a date of birth when placing an order.
Companies are behind with the idea that someone can have a cat called ‘G8ssJe4£!’. Being asked once to pronounce his name was followed with an explanation that the answer to my security question needed to be factual and could I give the real name so my records could be updated. Not having a cat made that close to impossible.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.