What does your father's middle name, first car, and high school mascot all have in common?
My bank recently upgraded its architecture and web site, adding more features and "improved security." After logging in, I was directed to a greeting page asking me to update my account information and "security challenge questions." The drop-down menu of available questions (I had to choose 5):
- How many brothers and sisters did your mother have?
- What is your father's middle name?
- What is your grandmother's maiden name on your father's side?
- What is your grandmother's maiden name on your mother's side?
- What is your mother's middle name?
- What month was your youngest sibling born?
- What was the make/model of the car you used to learn to drive?
- What was the model of your first car?
- What was the name of the teacher who had the most influence on your life?
- What was the name of your first best friend?
- What was the name of your high school football team?
- What was your first pet's name?
- What was your high school mascot?
Wow, what a list! Surely all my friends know what car I drive and what our high school mascot is. A little research will turn up my father's middle name, and asking around can produce answers to several more. So how do you deal with such supposed "security" where it's required? Surely I can't count on these questions protecting me... so here's a tip: pick a question you will remember using, and choose an answer that has nothing to do with that question, one only you will know. For example:
- What is your father's middle name? A.) Dogbert
- What was the model of your first car? A.) Chess
- What month was your youngest sibling born? A.) 2112
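The tip above has two halves, one on each side of the login form: the user picks an answer with no relation to the question, and the site should treat that answer like a password rather than a plain lookup value. The following is an added example, not code from the post or from any bank, showing both halves in Python. The word list, the PBKDF2 round count and the five-failure lockout threshold are assumptions chosen for illustration; the normalisation step (case fold, Unicode NFKC, whitespace collapse) is there so a user who typed "Dog Bert" at enrollment is not locked out later by "dogbert".

```python
import hashlib
import hmac
import os
import secrets
import unicodedata
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to the server's CPU budget


def random_answer(nbytes: int = 12) -> str:
    """Generate an answer unrelated to any question, meant to live in a password manager."""
    return secrets.token_urlsafe(nbytes)


def normalize(answer: str) -> str:
    """Fold case, Unicode form and whitespace so 'Dog Bert ' and 'dog bert' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest of the normalised answer; the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


class ChallengeStore:
    """Server-side record of one account's enrolled question/answer pairs, with attempt limiting.

    Guessable answers are the post's complaint; a hashed store plus a lockout after
    MAX_FAILURES wrong answers (an assumed threshold) limits how far guessing gets.
    """

    MAX_FAILURES = 5

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}
        self.failures = 0

    def enroll(self, question: str, answer: str) -> None:
        """Store only salt and digest for the chosen question."""
        self._records[question] = hash_answer(answer)

    @property
    def locked(self) -> bool:
        return self.failures >= self.MAX_FAILURES

    def check(self, question: str, answer: str) -> bool:
        """Constant-time comparison of the supplied answer; counts failures toward lockout."""
        if self.locked:
            return False
        record = self._records.get(question)
        if record is None:
            self.failures += 1
            return False
        salt, digest = record
        _, candidate = hash_answer(answer, salt)
        ok = hmac.compare_digest(candidate, digest)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
        return ok


if __name__ == "__main__":
    store = ChallengeStore()
    # The post's own example: an answer that has nothing to do with the question.
    store.enroll("What is your father's middle name?", "Dogbert")
    print("generated answer for the next question:", random_answer())
    print("correct:", store.check("What is your father's middle name?", "  dogbert "))
    print("guess:  ", store.check("What is your father's middle name?", "Robert"))
```

The lockout counter here is per account and in memory; a real deployment would persist it and pair it with the session timeout and last-login display the post praises further down.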
The nicest part of the upgrade was the enhanced security:
- Last login: Month DD, YYYY HH:MM:SS AM/PM
- 15 minute session timeout
- Mask account numbers
I really like seeing the last time I was logged in on any system I use, be it online banking or my web and database servers. It's like network security monitoring or an IDS: unusual periods of activity should raise a red flag, and you should react to it accordingly.
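To make the "unusual periods of activity" idea concrete, here is an added example in Python (not code from the post or from any bank) that renders the last-login line in the format listed above and flags a new login when it comes from a network the user has never used, at an hour of day not seen before, or as part of a burst. The login history, the network labels, the one-hour window and the three-login burst limit are all constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Login = Tuple[str, str, str]  # (user, ISO-8601 timestamp, network label)

# Constructed sample history of successful logins; not real data.
HISTORY: List[Login] = [
    ("alice", "2011-03-01T19:05:00", "home"),
    ("alice", "2011-03-03T20:12:00", "home"),
    ("alice", "2011-03-05T12:30:00", "office"),
    ("alice", "2011-03-08T19:40:00", "home"),
    ("alice", "2011-03-10T21:02:00", "home"),
]


def last_login_banner(history: List[Login], user: str) -> str:
    """Render the 'Last login' line in the Month DD, YYYY HH:MM:SS AM/PM layout the post lists."""
    stamps = [datetime.fromisoformat(ts) for u, ts, _ in history if u == user]
    if not stamps:
        return "Last login: never"
    return "Last login: " + max(stamps).strftime("%b %d, %Y %I:%M:%S %p")


def build_profile(history: List[Login], user: str) -> Dict[str, Set]:
    """Summarise one user's habits: the networks used and the hours of day seen so far."""
    hours: Set[int] = set()
    networks: Set[str] = set()
    for u, ts, net in history:
        if u == user:
            hours.add(datetime.fromisoformat(ts).hour)
            networks.add(net)
    return {"hours": hours, "networks": networks}


def flag_login(
    history: List[Login],
    user: str,
    ts: str,
    net: str,
    burst_limit: int = 3,              # assumed: more logins than this per window is suspicious
    window: timedelta = timedelta(hours=1),
) -> List[str]:
    """Return the reasons a new login deviates from the user's profile; empty means routine."""
    profile = build_profile(history, user)
    when = datetime.fromisoformat(ts)
    reasons: List[str] = []
    if net not in profile["networks"]:
        reasons.append(f"new network: {net}")
    if when.hour not in profile["hours"]:
        reasons.append(f"unusual hour: {when:%H:%M}")
    recent = [
        1 for u, t, _ in history
        if u == user and when - window <= datetime.fromisoformat(t) <= when
    ]
    if len(recent) + 1 > burst_limit:
        reasons.append(f"{len(recent) + 1} logins within {window}")
    return reasons


if __name__ == "__main__":
    print(last_login_banner(HISTORY, "alice"))
    for ts, net in [("2011-03-12T19:30:00", "home"), ("2011-03-12T03:14:00", "cafe")]:
        print(ts, net, flag_login(HISTORY, "alice", ts, net) or ["routine"])
```

The checks are deliberately simple set membership; on a real system you would feed these reasons into the same alerting path as your IDS so that a 3 AM login from an unfamiliar network gets looked at, not just displayed.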