On Wed, 6 Aug 2008, Peter Saint-Andre wrote:

| Wells Fargo is requiring their online banking customers to provide
| answers to security questions such as these:
|
| ***
|
| What is the name of the hospital in which your first child was born?
| What is your mother's birthday? (MMDD)
| What is the first name of your first roommate in college?
| What is the name of the first street you lived on as a child?
| What year did you start junior high/middle school? (YYYY)
| What is your oldest sibling's nickname?
| What is your dream occupation?
| What is your spouse's nickname?
| In what city was your father born?
| What is the name of the high school you attended?
| What is your best friend's first name?
| What is the name of the junior high/middle school you attended?
| What is the first name of your maternal grandfather (mother's father)?
| What is the name of your favorite childhood superhero?
| In what city did you meet your spouse?
| In what city did your parents meet?
| In what city did you attend high school?
| What is the name of the hospital in which you were born?
| What is the last name of your favorite teacher?
| In what city was your maternal grandmother (mother's mother) born?
| What was your most memorable gift as a child?
|
| ***
|
| It strikes me that the answers to many of these questions might be
| public information or subject to social engineering attacks...

These kinds of questions used to bother me. Then I realized that *I could lie*. As long as *I* remember that I answer "What is your mother's maiden name" with "xyzzy", the site and I can be happy.
Well ... happier, anyway. The only way to remain sane if you take this approach is to use the same answer at every site that asks these security questions. But that's not good, especially since most of these sites appear to make the *actual value you specified* available to their call centers. This is nice if you can't remember the exact capitalization you used, but it does, of course, leak more information than you'd rather have out there readily accessible.

For Web sites these days, I generate random strong passwords and keep them on a keychain on my Mac. Actually, the keychain gets synchronized automatically across all my Macs using .mac/MobileMe (for all their flaws). When I do this, I enter random values that I don't even record for the security questions. Should something go wrong, I'm going to end up on the phone with a rep anyway, and they will have some other method for authenticating me (or, of course, a clever social-engineering attacker).

The only alternative I've seen to this whole approach is sold by RSA (owned by EMC; I have nothing to do with the product, but will note my association with the companies) which authenticates based on real-world data. For example, you might be asked where you got coffee this morning if your credit card shows such a charge. This approach is apparently quite effective if used correctly - though it does feel pretty creepy. (They were watching me buy coffee?)

-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
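The two points Jerry makes above, that a random answer beats a guessable one and that a site keeping the typed value on file for its call center leaks it, can be put side by side in code. The following is an added example, not code from the thread or from any of the companies mentioned: it draws random answers from the OS CSPRNG over an alphabet that survives being read aloud, compares their entropy against constructed (assumed) answer-space sizes for a few of the quoted Wells Fargo questions, and shows how a site could verify an answer case-insensitively from a salted hash of its normalized form rather than from the plaintext. The answer-space numbers are rough guesses for illustration, not measured figures.

```python
"""Random security-question answers versus the guessable kind (added example)."""
import hashlib
import hmac
import math
import secrets
from typing import Dict, Optional, Tuple

# Lowercase letters and digits minus the pairs that get confused when read
# over the phone (0/O, 1/l/I); lowercase only, so capitalisation never matters.
PHONE_SAFE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # 31 symbols

# Constructed (assumed) sizes of the plausible answer space for a few of the
# questions quoted in the message; this ignores that the true answer is often
# simply public, which makes the real figure even smaller.
GUESSABLE_ANSWER_SPACE = {
    "What is your mother's birthday? (MMDD)": 366,
    "What year did you start junior high/middle school? (YYYY)": 80,
    "What is the name of your favorite childhood superhero?": 50,
    "In what city did you attend high school?": 20_000,
}

PBKDF2_ROUNDS = 200_000  # assumed work factor for the stored-hash demo


def random_answer(length: int = 16, alphabet: str = PHONE_SAFE_ALPHABET) -> str:
    """Draw a uniformly random answer using the secrets module (OS CSPRNG)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answer_entropy_bits(length: int, alphabet: str = PHONE_SAFE_ALPHABET) -> float:
    """Entropy in bits of a uniformly random answer of the given length."""
    return length * math.log2(len(alphabet))


def guessable_entropy_bits() -> Dict[str, float]:
    """log2 of each constructed answer space, for comparison with random_answer."""
    return {q: math.log2(n) for q, n in GUESSABLE_ANSWER_SPACE.items()}


def normalize(answer: str) -> str:
    """Canonical form so 'Xyzzy ' and 'xyzzy' verify identically; this removes
    the capitalisation problem without keeping the typed value for a human."""
    return " ".join(answer.casefold().split())


def store_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Keep a salt and a slow hash of the normalized answer, never the plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash for the offered answer and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    ans = random_answer()
    print(f"random answer: {ans} ({answer_entropy_bits(len(ans)):.1f} bits)")
    for question, bits in guessable_entropy_bits().items():
        print(f"{bits:5.1f} bits  {question}")
    salt, digest = store_answer("Xyzzy ")
    print("verifies case-insensitively:", verify_answer("xyzzy", salt, digest))
    print("rejects a wrong answer:", not verify_answer("plugh", salt, digest))
```

A 16-character answer from this alphabet carries roughly 79 bits, against under 9 bits for a MMDD birthday, which is the gap the message is pointing at. The hashed storage is the piece a site would need before it could stop handing the typed value to its call center; it does nothing about an agent who can simply reset the answer, which is why Jerry expects to be authenticated some other way on the phone regardless.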