Last week, I spoke to one of our service providers on the phone and had to clear security prior to actually having a conversation with the rep at the other end of the line. This wouldn’t usually be a cause for comment, but the conversation left me thinking about why we still use such archaic security theatre to protect our sensitive information.
About 3 years ago, I changed my Mother’s maiden name to a relatively obscure word on every single service that requests it, primarily because I didn’t feel that those services warranted using the same password that I used for banking, but also because it seemed that there was something inherently insecure about using such an easily accessible piece of information as a form of security.
Inevitably, I quite consistently can’t remember the word for each service – a fact that surprised this particular rep: “How do you forget your Mother’s maiden name?”
Jump a week forward and I’m playing with a popular website* when I stumble upon something scarily simple when abused: a mother’s maiden name search engine.
The service isn’t designed to be used maliciously, of course; it is just part of the onboarding process for a successful site that encourages you to enter your name and place of birth so it can show you your own birth record and help you research your family history.
The fields that it asks for are basic information you probably know about your friends – you don’t even have to know the exact year. Oh, and you can change the place of birth over and over if you get it wrong.
Click submit and voila:
I’ve removed my details (for what it’s worth) but it consistently comes back with what amounts to a crib sheet for those attempting to pass the two most common security checks – Mother’s maiden name and place of birth.
This isn’t a fault of the website – it’s doing what the internet does best: allowing access to information that was previously hard to find. But it does highlight a major fault in the security practices of the world around us.
So why do banks and other companies still use it?
Your mother’s maiden name became one of the most common security questions over 100 years ago and we still use it today for all sorts of systems: from telephone banking to password resets on websites, this anachronistic query is one of only a few hurdles anyone purporting to be you has to clear before they have full access to whatever it is that was supposedly protected.
The question itself is actually a relatively good one as security questions go – it has a stable, unchanging answer, you’re likely to remember it, and on the whole everyone already has an answer without having to make one up. Many legacy systems still have this hardcoded into them, and people don’t think to use any word other than the true answer.
The other, probably more significant, factor in why we still use it is that users don’t like change. In a perfect world we’d use an app on our phones, similar to the ones that exist for internet banking, to provide a one-time passcode, but this confuses users and there is a prevalent feeling that the friction it creates is not worth it.
What should users do to protect themselves?
So, I’ve presented a problem; what’s the solution? Until we progress to more secure forms of authentication across the board, it is your (the user’s) responsibility to secure your own information. Change your answer for your mother’s maiden name to something entirely different (your first pet’s name, for example) that can’t easily be researched from a public database – remember, the answer doesn’t have to be true, it just has to be something you can easily answer.
What should companies be doing to protect their customers?
Obviously, Mother’s maiden name as a security question is OUT. There is simply no justification for its continued use, especially when much better methods of verification exist. At some point it will be considered negligent to use such poor security methods to verify user identity, especially within financial institutions where the body has more than just an ethical responsibility to protect their customers. If moving towards two-factor or alternative secure authentication across all systems is not on your 5 year roadmap, then you are not protecting your customers properly and that needs to change.
We’ve worked with a number of companies to implement multi-factor authentication across their customer (and employee) systems and have seen fraudulent attempts decimated as it becomes nigh on impossible to guess or research parts of the authentication process. If you’re interested in finding out more, contact us.
*I’ve decided to leave the website link out in the interest of discouraging abuse of the tool.