Blog article

Personal Knowledge or Qualifying Questions as Authenticators

How many times have you forgotten a password? Fortunately the website you were on only needed your username or an email address, and it would respond with a few questions for you to answer. Once your answers matched what was in the system, you reset your password and you were in. Easy peasy.

What's your favorite food? Where did you honeymoon? Your first pet's name? The name of your first car? The name of your elementary school? Your father's middle name? All these questions are meant to replace that used-to-be-secret, obscure word that only you and your parents would know the answer to: your mother's maiden name.

Then came Google and, for crying out loud, Facebook. Now much of this information is available through a quick online search of public records, or it is easy to guess if the "hacker" is an acquaintance.

I'm a member of an organization in which I have been granted access to a bank account we hold, but I hadn't accessed the account in months. Since the last time I logged in, the bank had instituted a qualifying question as another layer of protection. Instead of calling the other person who was also managing the account, I simply guessed the answer. "Where did you go to high school?" I didn't know where this person went to high school, but I knew where his mother lived. I entered the name of the town and BOOM, I was in.

It shouldn’t be that easy.
Comments: (3)

John Dring
John Dring - Intel Network Services - Swindon 04 May, 2010, 09:32

Agreed. I just made a comment on the PIN problem blog along similar lines - if making a record of your PIN/password is a no-no, then what constitutes an acceptable reminder? How would you even note a reminder for yourself for a password of "Qhos02!" for example? Begins with Q? Or maybe "Quit whining about passwords TO remember!"

And what's with the call centres that attempt to authenticate you by asking your DOB and full address, and then proceed to administer your account for you on the phone? I could be anyone. Especially since so many sites ask you to register the same 'bank-like' auth questions these days (just to look like they care about your security). They could be spread around and sold like CC number lists. I still think a text alert or email every time your account profile is updated is a must.

Robert Siciliano
Robert Siciliano - Boston 04 May, 2010, 12:15

Great feedback John, thank you.

A Finextra member
A Finextra member 04 May, 2010, 14:46

I removed my DOB from my Facebook account a while ago as a precaution against this sort of thing. Some information just shouldn't be *that* freely available!