Banks must ditch standard security questions - Symantec

Banks are putting their customers at risk by using standard security questions, such as mother's maiden name, to confirm identities online or over the phone, according to Symantec.

Although most UK financial institutions have introduced security features such as one-time passwords and card readers for online customers, the telephone banking system is still open to abuse, says the vendor.

Symantec points to the recent publication of the 1911 Census online as an example of the wealth of personal information now available on the Internet that can be used by criminals to find answers to potential security questions.

"All you need to steal someone's identity can be obtained simply by looking at the Census data," says Guy Bunker, chief scientist, Symantec. "Bank and credit card companies use information such as mother's maiden name as a standard security question but it's no longer enough. They have to start to look at other ways to be able to prove you are who you say you are."

The firm says banks must start asking questions that only the customer can answer and that don't appear on social networking sites. It also advises them to ask for individual characters such as the first, third and fifth letter of passwords, to make the criminals' jobs more difficult.

Despite the rise of Internet and mobile banking in recent years, millions of Brits still bank over the phone. According to payments association Apacs, 15.4 million people used telephone banking in 2006.
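Symantec's suggestion of asking for individual characters of a password (the first, third and fifth, say) is easy to get wrong on the server side. The following is an added illustration, not code from Symantec or any bank, of the pieces a defender would want: positions chosen at random by the server for each session so a phoned-over answer cannot be replayed, a constant-time comparison, and a lockout after a few failures. The customer identifier, the stored secret and the in-memory dictionaries are constructed for the example; a real system would hold the secret in an encrypted store, since a per-character check cannot work on a one-way hash, which is the main cost of this scheme.

```python
import hmac
import secrets

# Constructed sample store: a partial-character check needs the full secret in
# clear at verification time, so in practice it would be decrypted from an
# HSM-protected store just for this call. Identifier and value are made up.
SECRET_STORE = {"cust-0001": "correcthorsebatterystaple"}

MAX_ATTEMPTS = 3
_failed = {}    # customer_id -> consecutive failed attempts
_pending = {}   # customer_id -> positions issued for the current session


def issue_challenge(customer_id, k=3):
    """Pick k distinct 1-based character positions at random.

    Choosing the positions afresh per session means an answer captured once
    does not reveal the whole secret and cannot be replayed at the next login.
    """
    secret = SECRET_STORE[customer_id]
    rng = secrets.SystemRandom()
    positions = sorted(rng.sample(range(1, len(secret) + 1), k))
    _pending[customer_id] = positions
    return positions


def verify_challenge(customer_id, supplied):
    """Check the supplied characters against the positions the server issued.

    The expected string is built server-side from the issued positions, so the
    caller cannot pick easier positions; the comparison is constant-time and
    consecutive failures lock the check after MAX_ATTEMPTS.
    """
    if _failed.get(customer_id, 0) >= MAX_ATTEMPTS:
        return False
    positions = _pending.pop(customer_id, None)
    if positions is None:
        return False  # no outstanding challenge for this customer: refuse
    secret = SECRET_STORE[customer_id]
    expected = "".join(secret[p - 1] for p in positions).encode()
    ok = hmac.compare_digest(expected, supplied.encode())
    if ok:
        _failed[customer_id] = 0
    else:
        _failed[customer_id] = _failed.get(customer_id, 0) + 1
    return ok


def is_locked(customer_id):
    return _failed.get(customer_id, 0) >= MAX_ATTEMPTS


def answer_for(customer_id, positions):
    """What a legitimate customer would read off their own secret; used only
    to drive the demonstration below."""
    secret = SECRET_STORE[customer_id]
    return "".join(secret[p - 1] for p in positions)


if __name__ == "__main__":
    pos = issue_challenge("cust-0001")
    print("Please give the characters at positions", pos)
    print("accepted:", verify_challenge("cust-0001", answer_for("cust-0001", pos)))
```

The lockout counter here is per customer and in memory; a bank would persist it and tie the outstanding challenge to the authenticated call or session, so that a challenge issued on one line cannot be answered on another.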

Comments: (3)

Keith Appleyard - available for hire - Bromley, 22 January, 2009, 15:55

Mother's Maiden Name was never a good idea - given that it was always in the public domain if you wanted to check with the Registrar of Births - the census just makes it easier.

For Hispanic names it was always a joke - given the convention of hyphenating both parents' names together, the conversation always went: Question: "Mr Sanchez-Ramos - what is your Mother's Maiden Name?" Answer: "You just said it to me."

A Finextra member, 22 January, 2009, 17:10

The fundamental issue is that the weakest link in the security chain is at the customer end, and this includes 3 key weak points: the customer themselves, the computing device and/or the phone being used to provide the private and confidential details. Most consumers just want to log in without delay and are unaware of the security health of their computer or even the phone environment (they are mostly never a security expert, so it is unfair to place all the onus on them), and therefore these private and confidential details, including mother's maiden name or birth date, etc., are so often simply compromised by the criminals, on-sold to 3rd parties or used in real time to access the consumer's account or commit CNP fraud.

Financial institutions need to help consumers ensure the computer or phone itself has not been compromised before the customer even begins to type in their private and confidential details, plus ensure the banking session remains secure for the period of the transaction ... and this goes for all e-commerce websites ... the technology is available today and it is a simple step to implement.

Keith Appleyard - available for hire - Bromley, 22 January, 2009, 18:52

Of course the answer is: who said it has to really be your Mother's Maiden Name? Is the Bank etc. going to validate it when you first supply it? Actually it's just any old secret password, and so long as you remember what you supplied it can be any old Name. I opt for reverse logic - e.g. supply the Married Name of one of my Maternal Aunts - you'd have to search a long time through the Census to find out what it is - and I could be lying anyway!
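Both of Keith Appleyard's comments above make the same point: a "mother's maiden name" is just a password the customer chose, so the bank should store and check it like one. The following is an added example, not code from Finextra, the commenter or any bank, of the server side of that: the answer is canonicalised so that "O'Brien", "o brien" and "OBRIEN" all match, rejected when it is simply a part of the customer's own (possibly hyphenated) surname, then salted and hashed with scrypt and compared in constant time. The surname, the answers and the scrypt parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import re
import secrets
import unicodedata

# Constructed customer record for the demonstration; the name is made up.
CUSTOMER_SURNAME = "Sanchez-Ramos"

# scrypt cost parameters chosen for the example (about 16 MiB per check).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def normalise(answer):
    """Canonicalise a free-text answer so harmless variation does not lock the
    customer out: Unicode NFKC, case folding, and dropping spaces, hyphens,
    apostrophes and full stops."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[\s\-'\u2019.]", "", text)


def derived_from_surname(norm, surname):
    """True if the normalised answer is one of the surname's parts, contains
    one, or is contained in the whole surname (the 'Mr Sanchez-Ramos, what is
    your mother's maiden name?' problem from the comments)."""
    parts = [normalise(p) for p in re.split(r"[\s\-]+", surname)]
    parts.append(normalise(surname))
    return any(p and (p in norm or norm in p) for p in parts)


def enrol(answer, surname=CUSTOMER_SURNAME):
    """Store a chosen answer the way a password is stored: a random salt and
    a slow hash, never the answer itself."""
    norm = normalise(answer)
    if len(norm) < 4:
        raise ValueError("answer too short to act as a secret")
    if derived_from_surname(norm, surname):
        raise ValueError("answer is guessable from the customer's own name")
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(norm.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"salt": salt, "hash": digest}


def verify(record, answer):
    """Recompute the hash of the normalised answer and compare in constant time."""
    digest = hashlib.scrypt(normalise(answer).encode(), salt=record["salt"],
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    rec = enrol("O'Brien")
    print("o brien accepted:", verify(rec, "o brien"))
    print("obrian accepted:", verify(rec, "obrian"))
```

Because the stored value is a one-way hash, call-centre staff never see the answer, which also removes the temptation to "help" a caller by reading it back; the trade-off is that the bank cannot offer the partial-character prompts Symantec suggests for the same secret.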