On Wed, Aug 6, 2008 at 9:23 AM, Peter Saint-Andre wrote:
>
> Wells Fargo is requiring their online banking customers to provide answers to
> security questions such as these:
>
> ***
>
> What is the name of the hospital in which your first child was born?
> ...
> What was your most memorable gift as a child?
>
> ***
>
> It strikes me that the answers to many of these questions might be public
> information or subject to social engineering attacks...
>
> Peter
Of course, this problem isn't limited to Wells Fargo: I think pretty much all banks do it.

I've given this some thought, and am writing a program called "maiden" (short for "mother's maiden name") for cryptographically answering these questions. The basic idea is that you take either a pass phrase or strong secret, combine it with the question, compute the SHA hash, and use this to create a word that looks semi-pronounceable as the answer to the question.

Right now, I don't answer any of these questions with any guessable information -- it's all the result of a cryptographic operation on the question and a hidden secret.

Cheers,
-Matt

--
Thanks!
Matt Ball, IEEE P1619.x SISWG Chair
M.V. Ball Technical Consulting, Inc.
Phone: 303-469-2469, Cell: 303-717-2717
http://www.mvballtech.com
http://www.linkedin.com/in/matthewvball

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
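The "maiden" program itself is not on the page; what follows is an added example (not Matt's code) of the scheme he describes: hash a hidden secret together with the question and render the digest as a semi-pronounceable word. It goes slightly beyond the post in three places that are my assumptions, not anything it specifies: the pass phrase is stretched with PBKDF2 so that one leaked answer is not a cheap offline oracle for guessing the pass phrase, a site label is mixed in so the same question at two banks yields two answers, and the question text is normalised so casing or punctuation differences do not change the answer.

```python
import hashlib
import hmac
import re
import unicodedata

# Alphabets for the pronounceable rendering: letters alternate consonant/vowel.
CONSONANTS = "bcdfghjklmnprstvwxz"
VOWELS = "aeiou"


def normalize_question(question: str) -> str:
    """Canonicalise the question so trivial casing/punctuation/whitespace
    differences in how a site phrases it still map to the same answer."""
    text = unicodedata.normalize("NFKC", question).casefold()
    return re.sub(r"[^a-z0-9]+", " ", text).strip()


def master_key(passphrase: str, iterations: int = 200_000) -> bytes:
    """Stretch the pass phrase with PBKDF2-HMAC-SHA256 (assumption: the post
    only says 'SHA hash'). The salt is a fixed application label, constructed
    for this example, so the same pass phrase always yields the same key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"maiden-v1", iterations)


def to_pronounceable(digest: bytes, length: int) -> str:
    """Map digest bytes to alternating consonants and vowels. Reducing a byte
    modulo the alphabet size is slightly biased; that is acceptable because the
    unguessability comes from the secret, not from the letter distribution."""
    word = []
    for i, b in enumerate(digest[:length]):
        alphabet = CONSONANTS if i % 2 == 0 else VOWELS
        word.append(alphabet[b % len(alphabet)])
    return "".join(word)


def answer(passphrase: str, site: str, question: str, length: int = 12) -> str:
    """Per-site, per-question answer: HMAC-SHA256 keyed with the stretched
    secret over site + normalised question, rendered as a word."""
    key = master_key(passphrase)
    msg = f"{site}\x00{normalize_question(question)}".encode()
    return to_pronounceable(hmac.new(key, msg, hashlib.sha256).digest(), length)


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed sample pass phrase
    q1 = "What is the name of the hospital in which your first child was born?"
    q2 = "What was your most memorable gift as a child?"
    print(answer(secret, "wellsfargo.com", q1))
    print(answer(secret, "wellsfargo.com", q2))
```

The recovery path now depends entirely on the pass phrase and on the exact question wording surviving any site redesign, so keep a record of which normalised question string was used for each account.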