On Wed, Aug 6, 2008 at 9:23 AM, Peter Saint-Andre wrote:
> Wells Fargo is requiring their online banking customers to provide answers to 
> security questions such as these:
> ***
> What is name of the hospital in which your first child was born?
> What was your most memorable gift as a child?
> ***
> It strikes me that the answers to many of these questions might be public 
> information or subject to social engineering attacks...
> Peter

Of course, this problem isn't limited to Wells Fargo:  I think pretty
much all banks do it.

I've given this some thought, and am writing a program called "maiden"
(short for "mother's maiden name") for cryptographically answering
these questions.

The basic idea is that you take either a pass phrase or strong secret,
combine it with the question, compute the SHA hash, and use this to
create a word that looks semi-pronounceable as the answer to the

Right now, I don't answer any of these questions with any guessable
information -- it's all the result of a cryptographic operation on the
question and a hidden secret.


Matt Ball, IEEE P1619.x SISWG Chair
M.V. Ball Technical Consulting, Inc.
Phone: 303-469-2469, Cell: 303-717-2717

The Cryptography Mailing List
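The derivation described in the message above, as an added example (this is not the "maiden" program and not the poster's code). It assumes HMAC-SHA-256 as the way to combine the secret with the question, a fixed consonant/vowel alphabet, and the hypothetical names `derive_answer`, `normalize_question` and `site`.

```python
import hashlib
import hmac
import re

# Assumed alphabets: 16 consonants (4 bits) and 4 vowels (2 bits), so each
# syllable carries exactly 6 unbiased bits of the MAC output.
CONSONANTS = "bdfghjklmnprstvz"
VOWELS = "aiou"


def normalize_question(text: str) -> str:
    """Canonicalize case, punctuation and spacing so that a question typed
    slightly differently later still reproduces the same answer."""
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(cleaned.split())


def derive_answer(secret: str, question: str, site: str = "", syllables: int = 8) -> str:
    """Return a consonant-vowel word derived from the secret and the question.

    `site` is an assumption added here: binding the bank's name into the MAC
    keeps two banks that ask the same question from receiving the same answer.
    """
    if not secret:
        raise ValueError("secret must not be empty")
    if not 1 <= syllables <= 42:  # 42 * 6 = 252 bits fit in a 256-bit digest
        raise ValueError("syllables must be between 1 and 42")
    # NUL separator cannot occur in either normalized field.
    message = normalize_question(site) + "\x00" + normalize_question(question)
    mac = hmac.new(secret.encode("utf-8"), message.encode("utf-8"), hashlib.sha256).digest()
    n = int.from_bytes(mac, "big")
    word = []
    for _ in range(syllables):
        n, c = divmod(n, len(CONSONANTS))
        n, v = divmod(n, len(VOWELS))
        word.append(CONSONANTS[c] + VOWELS[v])
    return "".join(word)


if __name__ == "__main__":
    # Constructed sample secret; the questions are the two quoted in the thread.
    demo_secret = "constructed example pass phrase"
    for q in ("What is name of the hospital in which your first child was born?",
              "What was your most memorable gift as a child?"):
        print(derive_answer(demo_secret, q, site="Wells Fargo"), "<-", q)
```

With the default of 8 syllables the answer carries 48 bits of the MAC, and anyone who learns one answer learns nothing about the secret or about the answers to other questions.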