Security questions to join web networks

I recently noticed that websites are now using security questions that include pieces of information that were never provided to them; e.g. which car did you own in 2012? The questions are followed by a multiple choice of answers, one of which is correct.

I assume they are using publicly available information to do this. Either that, or they are showcasing that they already have information about you that they somehow acquired; I assume in a legal manner that they are legally allowed to use. Has there been a recent change in privacy law that now allows them to do this?

I also question the logic of these types of security questions, as this information presumably would also be available to a person trying to hack another account.

Thoughts?

Do you see them on websites that wouldn’t have access to your social security number? I always assumed they were pulling information from your credit report. I’m not sure what other public database would have reliable information about where you lived or a car you owned (or presumably had a loan/lease on) 20 years ago.

I feel like I normally see them on financial type websites.

Sure if you’re trying to hack a particular person and have done extensive research, you might be able to answer those security questions correctly. But how often is that the case?

My recent personal example was for a medical website, which provides access to medical reports.

I’ve noticed the same thing, especially regarding medical records websites. I loathe both the website I seem to be stuck with and the procedure with the security question. Maybe if you’re old enough, those might be ok questions, but I have my doubts. I have noticed that they don’t ask for my mother’s maiden name any longer though.

It’s pulled from Experian (maybe the other credit agencies as well)

I used to have to ask these questions as an ‘enhanced security measure’. Holy fuck, these could open up a can of worms, since they’d often trigger memories in people. ‘Which of these cars might you have owned?’ Oh yeah, the one in which your son was killed in a car crash 6 years ago!

Oh, the company that got hacked? Just lovely.

It is called Knowledge-Based Authentication (KBA) or “out-of-wallet” questions. It is a risk mitigation/identity verification tool. Depending upon the underlying provider the data may come from credit bureau data, public records data, or both. TransUnion, Equifax, Lexis Nexis are some of the providers offering KBA solutions in the market.

I’m surprised you are just now encountering these as they’ve been used for 10-15 years now. KBA questions were already pretty ineffective even before large-scale data breaches (such as Equifax) and the market has moved on to more effective solutions. Now a fraudster can simply buy your stolen Equifax (and other) data on the web and beat most of the KBA questions easily.