I just went to check my bank account online, and was presented with a list of new upgraded security questions that I had to answer. There were three drop down boxes, each with different sets of questions.
Here’s the list of questions from the first box
[ul][li]In which city did you get married?[/li][li]What is the name of the hospital your oldest child was born in?[/li][li]What is your maternal grandmother’s middle name?[/li][li]In which year did you meet your spouse?[/li][li]What is the first name of your maternal grandfather?[/li][li]Who is your favorite person from history[/li][li]What was your best man/maid of honor’s first name?[/li][li]In what city did you get engaged?[/ul][/li]
Ignoring for a moment that these questions are of pretty dubious value as a security feature, whoever picked the questions was a complete idiot. As an unmarried childless person, five of the questions are immediately not applicable. I don’t know the answers to the two about my grandparents. I know my grandmother’s first name, but my grandfather’s never been in the picture. So I’m left with my favorite historical person. I haven’t got one. Sure, I could think of one, but there’s no guarantee that a year and a half from now, when I forget my password, I’ll remember who the hell I thought of.
So I put “Hitler”, if only in the hopes that I’ll get to have a very uncomfortable telephone banking call with someone in the future.
You forgot the dumb prom* questions! Kids? Don’t have any. Best Man? I eloped. WaMu? Still one of the dumbest banks ever, but I’m too lazy to open a new account elsewhere.
Personally I think choosing your own Q&A would be more secure, not to mention make much more sense.
*hijack: WTF, do people look so fondly on that particular social spectacle that banks and whatnot can use the minutiae of the event for security questions?
IMNSHO, the ultimate security question is the freeform box into which you type the question of your choice and can respond to the answer of your choice.
It doesn’t matter what the question is just so long as the answer you give can be remembered and has absolutely nothing to do with the question.
Too many of these things ask for you mother’s maiden name as if that were some incredably secret thing no one else could find out. I give an answer which is nothing to do with my mother’s actual maiden name, so far doing this has never caused problems, and is a bit more difficult to crack than simply requiring a trip to the General Register Office with knowledge of my name and my approximate age.
Yes this one bugs me.
Im estranged from my first cousin. She “stole” a boyfriend, and several hundred dollars in cash from me. (long long story, not worth the wear and tear on a keyboard) Although I never saw a dime back, in other news she is now convicted of welfare fraud and other fraud. We look similar enough… not identicual but hell, she used to borrow my drivers licence to drink underage! Our mothers are sisters. Mother’s maiden name. check, she knows this. Date place etc of birth, she knows this. Basically she knows enough that she could BE me.
If she ever decided to do the identity theft route, I would have a hard time stopping her. As a result, Ive chosen to give false answers to some of those questions.
In other words, the form supports the entire Unicode 5.1 character set, and if the browser/OS can support the input method, the system can handle the results. The browser that handled the input would presumably be good to handle the output…
I want to input my security question in Shavian or Egyptian hieroglyphics or Arabic or Chinese or Esperanto or music notation!
I think I have just decided to change all the answers to my security questions to some variation on “Fuck security” and use the exact same one everywhere. It saves me a lot of mental exercise, I just take the first one offered every time.
That’s exactly what I thought when I did the questions. If I weren’t so lazy, I’d complain to them about their marital status-ist and reproduction status-ist questions.
I find it moderately amusing that four of the questions listed have answers that are mostly available in the public record, and, in some cases, online. Yeah, that’s some good security there, boy.
Funny how at work, for our passwords we have to have some combination of three of (a) letters, (2) numbers, (THREE) caps, (four) lowercase, and (%) special characters, but this bank thinks that asking me what my grandmother’s middle name was is uber seekrit.
Did they make you select a picture and add a caption to it? All of my financial accounts have switched over to this new “security” feature. If I don’t see my security image when logging in, I will know that I’m not really at their website. That’s nice, except I don’t notice the image at all. I just look for the place to type my password. If I somehow ended up at a phishing site, I would not wonder “Where is that security image?” I’m sure the phishing sites have just harvested a selection of the images and use them on their fake sites now. Anyone dumb enough to get caught by a phisher is not going to be paying attention to the image either.
I actually really like the picture/phrase. It’s simple, doesn’t require me to actively remember any information, and is an effective way for me to be sure I’m at my banks actual site.
Wayback when, I did use a couple of websites that let you pick your own security question and answer. I had a reeeeally good question, the answer to which was a long number associated with an object I had long since sold to a person who couldn’t possibly remember my name. Goooooood security question.
Heck, I live in Québec, where your maiden name is your name for life… getting married doesn’t give you the right to change your name. It really isn’t that hard to find out someone’s parent’s names!