Verizon wants to know my favorite ice cream flavor, Google’s got designs on my library card number, and Wachovia needs my favorite all-time entertainer. Yahoo! is asking where I met my spouse, and Bank of America wants the details of the honeymoon. Like those squiggly pictures of letters and numbers, weird personal questions have become ubiquitous totems of online security. If you tell the bank your favorite grade-school teacher or cartoon character, the thinking goes, it’ll be easy to confirm your identity when you misplace your account number. This thinking is dumb.
Consider the samples above, all real security questions from real corporations. My favorite type of ice cream is probably cookie dough, but because of the vexing onset of lactose intolerance, I don’t have any preferred flavors these days. I don’t generally carry my library card and have no favorite entertainer, unless baseball players count. (Howard Johnson!) I’m not married, and I didn’t especially care for any of my elementary school teachers. Favorite cartoon character? It’s a different Simpson every day of the week.
Banks and cable companies and wireless providers (and perhaps your employer) try to use security questions as an authenticator when you forget your password and as an extra security layer during a “suspicious login”—when you, or perhaps a hacker, try to access your account from an unfamiliar computer. That’s not how it works in practice. Security questions are often impossible to answer, frequently creepy (does the power company really need to know where you met your spouse?), and rarely secure—Paris Hilton’s T-Mobile account was breached by hackers who guessed the answer to her secret question, “What is your favorite pet’s name?” If these questions are galling to answer and don’t enhance anyone’s security, why are they suddenly omnipresent?
Financial institutions have long used questions to authenticate customers. If you lost your credit card in the 1980s, American Express might have asked for your mother’s maiden name before issuing you another one. But such questions have become ubiquitous online only in the last 18 months. In 2005, the Federal Financial Institutions Examination Council wrote stricter security guidelines for online banking, explaining that a simple user name/password combo wasn’t strong enough to lock up financial data on the Web. The FFIEC didn’t spell out what security improvements were needed, letting the banks decide for themselves. And so a thousand idiotic queries blossomed.
Most banks get their security questions from a company called RSA. Marc Gaffan, RSA’s director of product marketing, says 70 to 80 percent of American banks—including Bank of America, Wachovia, ING, Washington Mutual, and Vanguard—use RSA’s Adaptive Authentication program. Adaptive Authentication offers its financial clients several ways to authenticate users; along with the secret-questions option, there’s an image-based system, validation via text messaging, and a program that scans public records to automatically generate questions like, “What color was the car you registered in 1994?” Despite all of these choices, RSA estimates that 90 percent of banks are using security questions—also known as “shared secrets”—with 20 to 30 percent of clients using questions coupled with another method. (Bank of America, for instance, uses images and text messaging in addition to secret questions.)
Why are secret questions so popular? For one thing, they’re cheap. Gaffan says that the lost souls who call in to get their passwords reset cost a company between $10 and $15 a pop; if that customer can reset the password himself using a secret question, the company pays nothing. The IT research firm Gartner claims that a large U.S. beverage producer saved $600,000 in one year by dumping help-desk calls in favor of an “automated password reset” system.
Question-based security is particularly enticing because it doesn’t require mailing out equipment—like, say, random-number generators—to hundreds of thousands of users. Nor does it require spending millions to change software infrastructure. Banks have long used social security numbers and mother’s maiden names to verify accounts. By comparison, an image-based or text-message-based system requires new technology, retraining call-center employees, and educating customers. Pretty much everyone has used security questions, and the concept is easy enough for even Paris Hilton to understand: Just choose a couple of answers when you sign up for an account, then regurgitate them when prompted.
While the concept of security questions is easy to grasp, the questions themselves are deeply weird and unanswerable. According to goodsecurityquestions.com, a how-to site operated by a Web usability expert, the best ones have four qualities: The answers are simple, memorable, can’t be guessed easily, and don’t change over time. Many questions we’re all familiar with fail to match those specs. There are the ones that are too easy—I’m guaranteed to know my pet’s name, but it’s also elementary for a hacker to score that information. On the other side are the questions you can’t answer or won’t remember how you answered—your first-grade teacher’s last name, your favorite rock band.
Whereas it’s easy to think of lousy questions, it’s pretty much impossible to think of even one great one. Securitywise, though, a question is strong if it’s unique: If every financial institution asked for your pet’s name, phishers could focus all of their energy on sussing out that data. Gaffan says that RSA gives banks 150 questions to choose from, with the understanding that not every question will work for everyone. The problem isn’t a failure of imagination on the part of the question-conjurers. It’s the impossibility of coming up with a question that’s easy to answer but hard to guess. After throwing in the caveat that “there is no one perfect question,” the proprietor of Good Security Questions lists 16 that he considers the best. Almost all of them are terrible. What was your childhood nickname? Didn’t have one, sadly. What is the name of your favorite childhood friend? Do Legos count as a friend? What is your oldest sibling’s birthday month? I’m guessing it would take a hacker two tries to get to February.
The fundamental issue here is the disconnect between the certainty of banking culture and the ambiguity of human decision making—a person’s favorite celebrity or favorite band isn’t as knowable or concrete as the amount of her last ATM transaction. Some banks, like Wachovia, understand that their customers might loathe the provided security questions. Their half-assed solution: giving users the option to write the questions themselves, the ultimate admission that shared secrets are less a security scheme than a cost-savings measure. Banks know that users will come up with questions that are easy to remember—“What is 2+2?”—and thus easy for anyone with a grade-school education to guess.
Of course, there are ways to get around these questions. There’s no law that says you have to speak the truth—all you have to do is type in something you’ll remember. Don’t remember your third-grade teacher’s name? Call her “purple.” Or if you’re paranoid about security, you can always just put nonsense in the answer field—nobody will guess that your pet’s name is qqzzhskjafhdlkalkfdha. But why should it be up to us to subvert the banks’ stupidity?
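To put numbers on the guessing argument above (the sibling’s birthday month that takes two tries to reach February, the pet’s name that is elementary to score, and the nonsense string typed into the answer field), here is an added Python example that is not part of the original article. The answer lists it scores are constructed for illustration, not survey data.

```python
import math
from collections import Counter

def guess_resistance(answers):
    """Score a security question against an attacker who tries answers from
    most to least common. `answers` is the list of answers a population gave.
    Returns (min_entropy_bits, expected_guesses, guesses_for_50pct_success)."""
    counts = sorted(Counter(a.strip().lower() for a in answers).values(),
                    reverse=True)
    total = sum(counts)
    min_entropy = math.log2(total / counts[0])      # bits if the attacker only tries the top answer
    expected = sum(i * n for i, n in enumerate(counts, start=1)) / total
    cumulative = 0
    for k, n in enumerate(counts, start=1):         # integer counts: no float drift at the 50% mark
        cumulative += n
        if 2 * cumulative >= total:
            return min_entropy, expected, k

def uniform_resistance(space_size):
    """Same metrics, in closed form, for an answer drawn uniformly from
    `space_size` possibilities (a random string typed into the field)."""
    return math.log2(space_size), (space_size + 1) / 2, (space_size + 1) // 2

# Constructed answer lists for illustration (not survey data from the article).
MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
SIBLING_BIRTH_MONTH = [m for m in MONTHS for _ in range(10)]    # roughly uniform over 12
PET_NAME = (["Max"] * 30 + ["Bella"] * 25 + ["Buddy"] * 15 + ["Lucy"] * 10
            + ["Rocky"] * 5 + [f"unusual-name-{i}" for i in range(15)])  # heavily skewed

def report():
    """Compare the article's three kinds of answer side by side."""
    return {
        "oldest sibling's birth month": guess_resistance(SIBLING_BIRTH_MONTH),
        "favorite pet's name": guess_resistance(PET_NAME),
        "random 20 lowercase letters": uniform_resistance(26 ** 20),
    }

if __name__ == "__main__":
    for question, (bits, expected, k50) in report().items():
        print(f"{question:30} min-entropy {bits:6.1f} bits, "
              f"expected guesses {expected:.3g}, 50% success after {k50:.3g} guesses")
```

The month question gives an attacker even odds after six guesses and the skewed pet-name list after two; only the random string forces a search the attacker cannot finish.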
It’s easy to blame all of this—the stupid questions, the stupid answers, the stupid workarounds—on the banks. Financial institutions don’t want to help you; they want you to help yourself. Their primary goal is to get us to fix our own problems without dialing a 1-800 number. On the other hand, we hate customer-service calls just as much as the banks do. The one thing more annoying than trying to remember the name of your third-grade teacher is sitting on hold, repeating your account information for the eighth time, getting disconnected, calling back …
Perhaps the reason that banks use these questions, then, is because we want them. Bruce Schneier, the security guru and CTO of BT Counterpane, sees our impatience as the driving impulse behind the security question movement: “This is security clashing with customer service, because customer service says our customers are calling and saying I forgot my password … our customers are getting pissed off.” With the proliferation of online banking and all manner of e-commerce, we’re accustomed to handling transactions ourselves, without the mediation of a human being. Why should resetting our passwords be any different? No matter how irritating security questions are, we demand a solution that works as we’re sitting at the laptop.
But just because customers value convenience over security doesn’t mean banks should. Instead of coming up with ever-more-ornate questions about teachers and toys, banks and security companies should push solutions that are safe and customer-friendly. While everyone hates calling customer service, confirming your identity on the phone (an out-of-band device) is way more secure than using an online form. RSA’s Gaffan told me about a phone-based authentication system used by more than a dozen of the company’s clients. At sign-up time, you enter your work, home, and cell numbers. If you lose your password, simply indicate whether you’re at home, at work, or on your cell. To authenticate yourself, just answer your phone and type in a number that appears on your computer screen. There’s nobody asking about your honeymoon and no stuffed animal names to remember. Sounds perfect to me. What’s my favorite bank? The one that doesn’t ask me stupid frigging questions.
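As an added illustration of the phone-based flow just described, and not code from RSA or any bank, here is a minimal server-side model in Python: the number shown on the screen has to be keyed on a call the bank places to a phone enrolled at sign-up, and the challenge expires, is single-use and is attempt-limited. The class, its method names, the time limits and the phone numbers are this example’s assumptions.

```python
import hmac
import secrets
import time

class PhoneConfirmation:
    """Server side of the out-of-band flow: a code is displayed in the browser,
    the bank rings a phone enrolled at sign-up, and the user keys that code in
    on the call. The TTL, attempt cap and single-use rule are this example's
    assumptions, not a description of any vendor's product."""
    TTL_SECONDS = 120
    MAX_ATTEMPTS = 3

    def __init__(self, enrolled_phones, clock=time.time):
        self.phones = enrolled_phones   # account -> {"home": ..., "work": ..., "cell": ...}
        self.clock = clock              # injectable so expiry can be exercised offline
        self.pending = {}               # web session id -> outstanding challenge

    def start(self, account, session_id, where):
        """Browser channel: the user only says home/work/cell; the number comes
        from enrolment, never from the request. Returns (code to display on
        screen, number for telephony to dial)."""
        number = self.phones[account][where]
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[session_id] = {"number": number, "code": code, "attempts": 0,
                                    "expires": self.clock() + self.TTL_SECONDS}
        return code, number

    def keypad_entry(self, session_id, answered_number, digits):
        """Phone channel: digits keyed on the call we placed. True only if that
        call went to the enrolled number and the digits match the screen."""
        rec = self.pending.get(session_id)
        if rec is None:
            return False
        if self.clock() > rec["expires"] or rec["attempts"] >= self.MAX_ATTEMPTS:
            del self.pending[session_id]          # stale or exhausted: start over
            return False
        rec["attempts"] += 1
        ok = answered_number == rec["number"] and hmac.compare_digest(digits, rec["code"])
        if ok:
            del self.pending[session_id]          # single use
        return ok

# Constructed enrolment record; the numbers are fictitious.
ENROLLED = {"alice": {"home": "+1-555-0100", "work": "+1-555-0150", "cell": "+1-555-0199"}}

if __name__ == "__main__":
    bank = PhoneConfirmation(ENROLLED)
    code, dialed = bank.start("alice", "web-session-1", "cell")
    print(f"screen shows {code}; telephony dials {dialed}")
    print("keyed on the call:", bank.keypad_entry("web-session-1", dialed, code))
```

Someone who has only the web session sees the code but cannot complete the step without answering the enrolled phone, which is what makes the second channel worth more than another shared secret.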