Josh Levin has an article in Slate on the surge in bizarre security questions that companies now ask when you create accounts online. It turns out they don't enhance security, but they do cut down on customer support calls, which both we and the companies hate. Some excerpts:
Verizon wants to know my favorite ice cream flavor, Google's got designs on my library card number, and Wachovia needs my favorite all-time entertainer. Yahoo! is asking where I met my spouse, and Bank of America wants the details of the honeymoon. Like those squiggly pictures of letters and numbers, weird personal questions have become ubiquitous totems of online security. If you tell the bank your favorite grade-school teacher or cartoon character, the thinking goes, it'll be easy to confirm your identity when you misplace your account number. This thinking is dumb. [...]
Security questions are often impossible to answer, frequently creepy (does the power company really need to know where you met your spouse?), and rarely secure—Paris Hilton's T-Mobile account was breached by hackers who guessed the answer to her secret question, "What is your favorite pet's name?" If these questions are galling to answer and don't enhance anyone's security, why are they suddenly omnipresent?
[...] just because customers value convenience over security doesn't mean banks should. Instead of coming up with ever-more-ornate questions about teachers and toys, banks and security companies should push solutions that are safe and customer-friendly. While everyone hates calling customer service, confirming your identity on the phone (an out-of-band device) is way more secure than using an online form. RSA's Gaffan told me about a phone-based authentication system used by more than a dozen of the company's clients. At sign-up time, you enter your work, home, and cell numbers. If you lose your password, simply indicate whether you're at home, at work, or on your cell. To authenticate yourself, just answer your phone and type in a number that appears on your computer screen. There's nobody asking about your honeymoon and no stuffed animal names to remember. Sounds perfect to me.
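The phone-based flow described in the excerpt, sketched as an added example; it is not code from the article or from RSA's product. The class name, the six-digit code, the 120-second lifetime and the three-attempt limit are assumptions, and the telephone call itself is represented only by the digits passed to `verify`.

```python
import hmac
import secrets
import time

CODE_TTL = 120       # seconds a displayed code stays valid (assumed value)
MAX_ATTEMPTS = 3     # keypad entries allowed per challenge (assumed value)

class PhoneChallenge:
    """Out-of-band reset: code shown in the browser, keyed in on an enrolled phone."""

    def __init__(self):
        self.phones = {}      # user -> {"home": ..., "work": ..., "cell": ...}
        self.pending = {}     # session id -> challenge state

    def enroll(self, user, home, work, cell):
        # Numbers are fixed at sign-up; the reset flow never accepts a new one.
        self.phones[user] = {"home": home, "work": work, "cell": cell}

    def start(self, user, location, now=None):
        """Return (session_id, code_for_screen, number_to_call)."""
        now = time.time() if now is None else now
        number = self.phones[user][location]   # KeyError unless enrolled
        session_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = {"code": code, "expires": now + CODE_TTL,
                                    "tries": 0}
        return session_id, code, number

    def verify(self, session_id, keyed_digits, now=None):
        """Check digits keyed on the phone; succeeds at most once per challenge."""
        now = time.time() if now is None else now
        ch = self.pending.get(session_id)
        if ch is None:
            return False
        if now > ch["expires"] or ch["tries"] >= MAX_ATTEMPTS:
            del self.pending[session_id]       # expired or locked out
            return False
        ch["tries"] += 1
        # Constant-time comparison of the keyed digits with the displayed code.
        if hmac.compare_digest(ch["code"].encode(), keyed_digits.encode()):
            del self.pending[session_id]       # single use
            return True
        return False
```

The security of the scheme rests on the enrolled numbers: the code on screen is not a secret from whoever started the reset, so what is being proven is control of a phone line registered at sign-up.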