by Ed Foster

Reader Voices: Insecure Questions

analysis
Jul 26, 2007

Are financial institutions only covering their own behinds by forcing their customers to jump through additional layers of security checks? That was the general consensus answer to a recent story (http://www.gripe2ed.com/scoop/story/2007/5/4/01155/99718) where a reader questioned the value of multiple security questions.

“This is so appropriate,” wrote one reader in response. “My two banks recently instituted the security questions as part of their online security. I don’t do a lot of online banking, so I go in with one and was asked the question ‘What’s your favorite candy?’ There are only two candies that I eat, peanut M&M’s and Reese’s. But try as I might, I could not get the answer right, and there was no facility to switch questions. I had to go into the bank physically, where they called someone, put me on the phone with them so that they could verify I was who I said I was, and then reset my account. When I logged in, I had to change my password and enter answers to six different security questions. Now I have six security questions all with the same answer. The second bank allows you to enter your own question. I tried to come up with specific enough questions that not only I’ll be able to answer, but my wife will know the answers to also. So, if the security gets so complicated that the rightful users have to write down their login information, or make the questions simple enough to remember, have we really increased security?”

“I agree with your reader,” wrote another reader. “Financial institutions are using low-cost means of information gathering to supposedly address their security issues, without properly addressing their customers’ security concerns. I use a Key Bank service to make periodic payments. When I wanted to use their online service to verify my payments had gone through, they wanted answers to seven of these so-called security questions in the event I lost my password. I declined the use of their online payment verification service because of this.”

Many readers argued that additional security questions simply create additional points of failure for the system as a whole. “Authentication is generally comprised of the following factors: something you know (passwords, mother’s maiden name, etc.), something you are (biometrics like fingerprints or retina scans), or something you have (token devices and their like),” wrote one reader. “To be considered ‘more secure’ one must do multi-factor authentication; i.e. have a response from more than one factor. Multiple responses within a single factor do not appreciably add to security. As such, asking for the last four digits of your SSN, your mother’s maiden name, or any other questions do little more than expand the company’s personal profile database. They do not add security.”

Several readers advocated password memorizer programs such as RoboForm, PWsafe, and Password Manager XP, but one reader had a solution that might not require new software. “With every website I visit that requires my registration I copy the userID, password challenge questions, etc. from the text boxes on the form into an Excel spreadsheet. I password-protect the workbook and only have to remember a single password. When I have to log into one of these sites, I open the workbook, do a ctrl-F and enter the name of the site into the text box, and the spreadsheet goes to the row/column where the info for that site is kept. Furthermore, I use copy/paste from the worksheet to enter the required data into the form. I never type my credentials into a login form. If somehow there ever is a keystroke recorder trojan on my computer, then hopefully they will only get ctrl-C and ctrl-V back.”

It doesn’t seem like anyone feels more secure because of all these security questions. “On one site, they wanted the name of my first pet but their program wouldn’t accept my answer because the name of my first pet didn’t have seven letters or more,” wrote one more reader. “I complained about this nonsense to their rep when I contacted them on the phone — not being able to log on to their web site — and she gave me a hint. No matter what the question is — pet name, color of first car, favorite teacher’s name, etc. — you can probably answer them all with the same response. So that’s what I did. The pet, car color, and teacher questions all now have the same answer — an eight-letter word for male cow droppings — and it seems to work fine. False security, anyone?”

If you’re feeling insecure over an e-commerce issue, write me at Foster@gripe2ed.com or post your comments on my website.
