Face it: Your bank’s security questions need an overhaul. Long considered a fortress of protection, the challenge questions used by many financial institutions today are weak and ineffective. The answers aren’t difficult to guess and can usually be deciphered without actually knowing the person; they are just too easy to breach. Consider the standard questions:
-- What’s your mother’s maiden name?
-- Where were you born?
-- What was the name of your high school?
These offered a good level of security in years past, but the modern social media landscape has rendered them useless.
Let’s examine where the security features of conventional challenge questions have failed. We now live in a hyper-connected, share-it-all environment where people post nearly everything about themselves. Rather than relying on personal information known only to the customer or the customer’s close relatives, banks are granting access to financial accounts based on data that is readily available on Facebook, Google+, and a slew of other places.
Ferreting out someone’s mother’s maiden name may be as simple as looking at the last names of the people tagged as family members on a Facebook page. A birthdate and a mother’s maiden name can both be picked up from a single public Facebook post reading “Happy birthday! Love, Mom.” Addresses and phone numbers are routinely posted on similar sites to facilitate friendly contact, and a little basic math may enable anyone looking at a high school reunion site to determine a birth date or perhaps even a city of birth. And that final bastion of privacy—the Social Security number—hasn’t been truly “protected” since your customer applied for their first job or received immunizations as a child.
Your bank has several strategies to choose from when creating and implementing a new login security scheme. Some institutions have simply revised the questions customers can choose. Allowing customers to write their own questions is another option. This solution is not only a good way to provide customers with questions they can more easily remember (my favorite vacation spot changes every year!), it also makes it more difficult for cyber criminals to determine which bits of information they need to find in order to crack your system.
“Red herring” questions can add another layer of security to your bank’s authentication program. The customer knows that red herring questions should be left blank, but criminals will try to answer them. Because any response automatically flags the attempt as fraudulent, red herrings are ideally suited for use in tandem with legitimate challenge questions.
Whichever option your organization selects, security is the ultimate goal. It shouldn’t be possible to find the answer to a challenge question by trawling through social media or other networking sites. Things like favorite books, movies, and bands (information commonly posted online) are taboo. Pets’ names and favorite sports teams should also be avoided. Offering customers a list of pre-selected questions gives your bank a degree of control over the strength of the answers. If customers are able to write their own questions, your security team should consider monitoring the questions to ensure they don’t include common keywords or phrases that are unlikely to meet your minimum security requirements.
As you transition customers to the new questions, be sure to caution them against using false answers, as they’re too easy to forget. (The constant need to click the “forgot password” button on your website is an extremely effective way to encourage customers either to use easy-to-guess passwords or to choose your competitor.) In addition, putting measures in place to push customers toward stronger, smarter passwords or, better yet, pass phrases, is a recommended component of an authentication program. At a minimum, require that passwords meet a minimum number of characters and include upper- and lower-case letters and at least one number. Do not permit passwords that are words found in a dictionary or that match the customer’s personal details (name, address, birth date, etc.) on file.
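As an added illustration (not code from the original article or from IDT911), the three checks described above in one sketch: a keyword screen for customer-written questions, the minimum password policy including the comparison against the customer’s details on file, and red-herring handling at verification time. The keyword list, the 12-character minimum, the tiny dictionary stand-in and the sample customer record are constructed assumptions.

```python
import re
from datetime import date

# Constructed word list for screening customer-written questions; the article names
# the categories (maiden name, birthplace, school, books, movies, bands, pets, teams).
WEAK_QUESTION_TERMS = ("maiden name", "born", "high school", "favorite book",
                       "favorite movie", "favorite band", "pet", "team")
# Tiny constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "summer", "banking", "welcome"}
MIN_LENGTH = 12  # assumption: the article requires a minimum but gives no number

# Constructed sample customer record and challenge-question set.
SAMPLE_PROFILE = {"name": "Jane Doe", "street": "Elm Street", "birth_date": date(1984, 7, 4)}
STORED_ANSWERS = {"q1": "Schwinn", "q2": "Maple Ave"}   # legitimate questions
RED_HERRINGS = {"q3"}                                   # must be left blank

def screen_question(question: str) -> list:
    """Return the weak terms found in a customer-written challenge question."""
    q = question.lower()
    return [t for t in WEAK_QUESTION_TERMS if t in q]

def password_problems(password: str, profile: dict) -> list:
    """Check a password against the minimum policy and the customer's details on file."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs upper and lower case")
    if not re.search(r"\d", password):
        problems.append("needs a digit")
    lowered = password.lower()
    if lowered in DICTIONARY:
        problems.append("dictionary word")
    # Personal details: name parts, street, and the birth date in common spellings.
    details = [p.lower() for p in profile["name"].split()] + [profile["street"].lower()]
    bd = profile["birth_date"]
    details += [bd.strftime(f) for f in ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%Y")]
    hits = [d for d in details if len(d) >= 4 and d in lowered]  # skip very short tokens
    if hits:
        problems.append("contains personal details: " + ", ".join(hits))
    return problems

def verify_challenge(answers: dict, stored: dict, red_herrings: set) -> bool:
    """Legitimate questions must match; any answer to a red herring fails the attempt."""
    if any(answers.get(q, "").strip() for q in red_herrings):
        return False
    return all(answers.get(q, "").strip().lower() == a.lower() for q, a in stored.items())
```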
Deena Coffman is chief operating officer for IDT911 Consulting and Information Security Officer for IDentity Theft 911.