go ahead, mac my day

a Macintosh girl in a Microsoft world

the recurring nature of security versus usability


Last February, I complained about my bank's updated security requirements which require me to answer three so-called personal questions. Today, I found out that the situation is even more annoying than I had originally thought. They want me to change my questions annually.

My bank does this by randomly selecting questions from some list, and presenting three non-overlapping groups of questions. Last year, I had to repeatedly generate new questions (by quitting the process and logging back into the website) until I could get one question in each of the three groups that I could actually answer. The questions this year appear to be worse. Or maybe they're asking the same questions, and I'm just crankier about it because I didn't think that I'd have to go through this whole thing again.

Reading through my bank's website, I see that they're going to continue to do this about once a year. This is enough to make me consider switching banks. I'm generally happy with my bank, but I've recently established a relationship with another bank for a mortgage. The general desire to minimise the number of accounts that I need to log in to, and the specific desire to avoid security features which don't actually make my account more secure, is enough to make switching banks look rather attractive.

Another point that annoyed me about going through this process this time was reading the FAQ to see why they were doing this again. I'm rather annoyed that the FAQ insists that my personal information is even safer than before. If they're going to make that kind of assertion, I'd like to see some kind of proof. They also recommend that, if you have a joint account and both of you log in, you should select answers together so that both of you know them. But their questions are all written with a single answerer in mind, so both parties have to somehow know where one of their four (or more, if there were divorces) grandfathers was born.

My favourite useless question of those presented to me is 'what is your favourite culinary ingredient', although 'what was the family name of your nearest neighbour in 2000' is a close second, and 'how much were you paid per hour in your first job' is also entertaining. The first is rather subject to a brute-force attack (how many people are going to answer 'garlic' or 'chocolate'?); the other two are questions that I will never be able to answer. I also liked that one of the so-called secure questions asks for the name of my high school, which anyone who has access to my Facebook profile can answer.

All of this serves to make my account less secure in practice. I'm generally a good girl about passwords: I update them regularly, they're never things that people could guess (they're randomly-generated strings), I don't share them with anyone, I don't even write them down. I somehow manage to keep all of my passwords in my head -- I don't use any utilities to keep up with them for me. But answers to questions like these, even ones that supposedly I'm the only one who will know, I'm not going to remember very well. Someone suggested ignoring the questions and treating them all as password fields themselves, but I'm not going to be able to remember something used so infrequently. In any case, it seems likely that I'm going to have to write the passwords down, which is inherently less secure than keeping them all in my head.
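
The brute-force point above can be made concrete. The following is an added example, not code from the original post: it models an attacker who guesses answers most-common-first within a bank's lockout budget, and compares that against the same budget spent on a randomly generated password. The answer frequencies for the "favourite culinary ingredient" question are constructed for illustration, not survey data; only their skewed shape matters.

```python
"""Guessability of 'secret question' answers versus a random password.

Added example, not part of the original post. The answer frequencies below
are constructed for illustration only (not survey data); what matters is the
shape: a handful of answers dominate, so a few online guesses succeed often.
"""
import math
from typing import Dict, List

# Constructed answer distribution for "what is your favourite culinary
# ingredient". "<other>" is the combined mass of many rare answers; an
# attacker cannot submit it as a guess, so it is excluded from guessing.
FAVOURITE_INGREDIENT: Dict[str, float] = {
    "garlic": 0.22, "chocolate": 0.15, "butter": 0.10, "salt": 0.08,
    "cheese": 0.07, "olive oil": 0.06, "basil": 0.04, "onion": 0.04,
    "ginger": 0.03, "lemon": 0.03, "<other>": 0.18,
}

# A question whose answer is on the victim's public profile (e.g. high school):
# the attacker's first guess is right with certainty.
PUBLIC_PROFILE_ANSWER: Dict[str, float] = {"<looked up online>": 1.0}


def _guess_order(dist: Dict[str, float]) -> List[float]:
    """Attacker strategy: try answers most-common-first, skipping the <other> bucket."""
    return sorted((p for a, p in dist.items() if a != "<other>"), reverse=True)


def success_within_guesses(dist: Dict[str, float], guesses: int) -> float:
    """Probability the attacker is right within `guesses` attempts (the lockout budget)."""
    return sum(_guess_order(dist)[:guesses])


def min_entropy_bits(dist: Dict[str, float]) -> float:
    """Min-entropy, -log2(p_max): the measure that matters to a guesser, not Shannon entropy."""
    return -math.log2(max(dist.values()))


def random_string_success(alphabet_size: int, length: int, guesses: int) -> float:
    """Same guessing budget spent against a uniformly random string."""
    return guesses / float(alphabet_size ** length)


def random_string_min_entropy_bits(alphabet_size: int, length: int) -> float:
    """Min-entropy of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def compare(lockout_budget: int = 5) -> Dict[str, float]:
    """Attacker success probability under one lockout budget, per credential type."""
    return {
        "favourite_ingredient": success_within_guesses(FAVOURITE_INGREDIENT, lockout_budget),
        "public_profile_answer": success_within_guesses(PUBLIC_PROFILE_ANSWER, lockout_budget),
        "random_8_alnum": random_string_success(62, 8, lockout_budget),
    }


if __name__ == "__main__":
    for name, p in compare().items():
        print(f"{name:22s} success within 5 guesses: {p:.2%}")
    print(f"min-entropy, ingredient question: {min_entropy_bits(FAVOURITE_INGREDIENT):.1f} bits")
    print(f"min-entropy, random 8-char alnum: {random_string_min_entropy_bits(62, 8):.1f} bits")
```

With the constructed distribution, five guesses succeed more than half the time against the ingredient question and with certainty against a publicly known answer, against a chance of roughly one in ten trillion for an 8-character random password. The lockout limit that protects a random password does nothing for a question whose top three answers cover nearly half of all users.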

Comments
  • If they really wanted to be "more secure", then they'd suck it up and offer two-factor auth, and be done with the lamer password games.

  • I hate the questions that some banks issue here (in the UK), and I never remember them either, nor are they secure!!

    The best system I have seen so far is probably HSBC in Hong Kong, where a two-factor code system is in place.

    You have to type in your own username, followed by an alphanumeric password, and a hardware device that generates a six-digit code (that is presumably synced with some number held on their computer systems).

    Thus – there is just one single password to remember, and a hardware device to bring along...

  • I actually work in this area - it's my day job. I've managed to get rid of these STUPID questions (which are hateful UX and insecure) twice so far. I'm about to succeed a third time.

    Questions and answers are not the answer to any question any serious security person asked. There are legal and privacy issues with them.

    * You cannot ask "what's your mother's maiden name". Not only is this dumb, it's illegal - you cannot ask a question about another person without their consent unless they are dead. STUPID

    * You cannot collect SSN, Driver's license numbers, or any government ID unless you are working for the government in that capacity. STUPID

    * You cannot ask simple questions like "what's your favorite color" as 90% of folks will answer red or blue.

    * You cannot ask folks what their pet's name is, as there is a non-zero chance that this answer will also be their password. Plus, if you're anyone like me, my domain name is my pet's name. STUPID

    As you point out, the social network generation eliminates most of the questions and answers as being secret simply because they are not secret.

    You can see what we replaced it with here:

    http://www.nab.com.au/Personal_Finance/0,,84176,00.html

    I believe Bank of America has finally ditched Passmark (1 factor auth) with a similar SMS or IVR 2FA system. Citibank HK has this as well.

    Passwords for financial uses were dead and gone in the 1990's. The fraud cost from them is about $60-70k per month per million customers for your average well managed bank. That's a lot of tokens you can buy every month, and they do eliminate fraud and MITM attacks if implemented well.

    Simple tokens are not the solution - it has to be two factor transaction signing. I'm not so concerned if the IB app allows passwords in, but using a trx signing mechanism for value transactions that send money out of the financial institution is the key to eliminating fraud.

    SMS 2FA trx = about 0.05 c per trx, and you can optimize the trx path so that the user can authorize certain folks as trusted individuals modulo keeping an eye out for mule accounts. True 2FA trx signing calculators are not expensive and are suitable for institutional and major investors. They certainly allow more secure business to go on.

    Questions and answers are dumb, insecure, some questions are illegal to ask, some answers are illegal to collect, do not meet IT security policy requirements for secure password handling, are illegal under the Patriot act's requirements to prevent money laundering by strongly identifying banking customers, and lead directly to fraud and consequential loss. That is my professional opinion, and I have stamped them out, and I will stamp them out again before I am done.

    thanks,

    Andrew

  • The Government's homeland security now requires banks to institute the 3 question, password, and id number, access type of security and they ask you to register your computer. If you do not allow this intrusive registration snoop then after 4 times accessing your account you are asked the extra questions and may even have your online access to your account (not your bank account just online access) locked out, and you must call the bank and give them information before they will unlock your access. So every 4 times you use online banking you will have a second or 3rd question asked or be locked out and need to call if you do not allow them to register at least one computer you use. It is still supposedly voluntary but with more hassle than it's worth if you don't. The bank claims it is just a simple cookie but I have found it in my registration files and had to manually take it out. This is just a way for Big Brother to keep tabs on honest citizens.
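
Andrew's comment above distinguishes a simple token from two-factor transaction signing, and says only the latter stops man-in-the-middle fraud. The following is an added example, not code from the original page or from any bank mentioned in the thread: a simplified transaction-signing construction in the spirit of OCRA (RFC 6287), next to a plain HOTP (RFC 4226) code, run through a scenario where the payee is rewritten in transit. The shared key, account numbers, amount and the nonce are constructed sample values.

```python
"""Transaction signing versus a plain one-time code, in the MITM case.

Added example, not part of the original page or of any bank's system. It is a
simplified construction in the spirit of OCRA (RFC 6287): the device computes a
code over the transaction details the user sees, so a code for one transaction
does not verify for another. The shared key, account numbers and amounts are
constructed sample values.
"""
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: HMAC -> fixed-length decimal code."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def plain_otp(key: bytes, counter: int) -> str:
    """HOTP: a code bound only to the key and a counter, not to what it authorizes."""
    return _truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest())


def _transaction_bytes(counter: int, dest_account: str, amount_cents: int) -> bytes:
    # Length-prefix the account so two (account, amount) pairs can never encode alike.
    acct = dest_account.encode("utf-8")
    return struct.pack(">QH", counter, len(acct)) + acct + struct.pack(">Q", amount_cents)


def transaction_code(key: bytes, counter: int, dest_account: str, amount_cents: int) -> str:
    """Device side: sign the payee and amount shown on the device's own display."""
    mac = hmac.new(key, _transaction_bytes(counter, dest_account, amount_cents), hashlib.sha256).digest()
    return _truncate(mac)


def bank_verify(key: bytes, counter: int, dest_account: str, amount_cents: int, code: str) -> bool:
    """Bank side: recompute the code over the transaction it actually received."""
    expected = transaction_code(key, counter, dest_account, amount_cents)
    return hmac.compare_digest(expected, code)


def mitm_scenario(key: bytes = b"constructed-shared-secret") -> dict:
    """User authorizes a payment; malware or a MITM rewrites the payee before it reaches the bank."""
    counter = 7                            # per-transaction nonce the bank issued as the challenge
    intended = ("12-3456-7890", 50_000)    # the payee and amount (cents) the user meant to pay
    altered = ("99-0000-0001", 50_000)     # mule account substituted in transit

    # Plain OTP: the code carries no transaction data, so a bank that checks only
    # the OTP accepts the altered payee just as readily as the intended one.
    otp = plain_otp(key, counter)
    plain_accepted = hmac.compare_digest(plain_otp(key, counter), otp)

    # Transaction signing: the code was computed over the intended payee, so the
    # bank's recomputation over the altered payee does not match.
    code = transaction_code(key, counter, *intended)
    return {
        "plain_otp_accepts_altered_payee": plain_accepted,
        "signed_accepts_intended": bank_verify(key, counter, *intended, code),
        "signed_accepts_altered": bank_verify(key, counter, *altered, code),
    }


if __name__ == "__main__":
    for name, accepted in mitm_scenario().items():
        print(f"{name}: {accepted}")
```

The property that matters is in `_transaction_bytes`: the payee and amount are inputs to the MAC, so the user's device and the bank only agree on a code when they agree on the transaction. That is only worth anything if the device shows the user the payee and amount it is signing (a device that merely displays a code signs whatever the infected PC fed it), which is why Andrew's comment stresses signing "value transactions that send money out" rather than login.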
