Re: security questions

2008-08-10 Thread John Levine
IIRC, it used personal data already available to DEC -- so they didn't have to ask their employees for it That works great so long as the personal data is accurate. Banks these days are supposed to verify your identity when you open an account. Online banks pull your credit report anyway, so

Re: security questions

2008-08-08 Thread John Ioannidis
[EMAIL PROTECTED] wrote: John Ioannidis wrote: | Does anyone know how this security questions disease started, and why | it is spreading the way it is? If your company does this, can you find | the people responsible and ask them what they were thinking? The answer is Help Desk Call

Re: security questions

2008-08-08 Thread Leichter, Jerry
security questions based on the anticipated entropy | of the responses. This is why, for example, no good security | question has a yes/no answer (i.e., 1-bit). Aren't security | questions just an automation of what happens once you get a customer | service representative on the phone? In some

RE: security questions

2008-08-07 Thread Scott Guthery
Another useful piece of research on the topic: V. Griffith and M. Jakobsson. Messin' with Texas, Deriving Mother's Maiden Names Using Public Records. ACNS '05, 2005 and CryptoBytes Winter '07 http://www.informatics.indiana.edu/markus/papers.asp Cheers, Scott

Re: security questions

2008-08-07 Thread Stefan Kelm
Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: Does Wells Fargo really use the term security question here? Just wondering, Stefan. Symposium Wirtschaftsspionage

Re: security questions

2008-08-07 Thread John Ioannidis
Does anyone know how this security questions disease started, and why it is spreading the way it is? If your company does this, can you find the people responsible and ask them what they were thinking? My theory is that no actual security people have ever been involved, and that it's just

Re: security questions

2008-08-07 Thread Peter Saint-Andre
Stefan Kelm wrote: Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: Does Wells Fargo really use the term security question here? Yes it does. I'm a Wells Fargo customer and I had to set my security questions yesterday in order

Re: security questions

2008-08-07 Thread Leichter, Jerry
On Thu, 7 Aug 2008, John Ioannidis wrote: | Does anyone know how this security questions disease started, and | why it is spreading the way it is? If your company does this, can you | find the people responsible and ask them what they were thinking? | | My theory is that no actual security

RE: security questions

2008-08-07 Thread piers . bowness
John Ioannidis wrote: | Does anyone know how this security questions disease started, and why | it is spreading the way it is? If your company does this, can you find | the people responsible and ask them what they were thinking? The answer is Help Desk Call Avoidance; allow the end-user

security questions

2008-08-06 Thread Peter Saint-Andre
Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: *** What is name of the hospital in which your first child was born? What is your mother's birthday? (MMDD) What is the first name of your first roommate in college? What is the name

Re: security questions

2008-08-06 Thread Leichter, Jerry
On Wed, 6 Aug 2008, Peter Saint-Andre wrote: | Wells Fargo is requiring their online banking customers to provide | answers to security questions such as these: | | *** | | What is name of the hospital in which your first child was born? | What is your mother's birthday? (MMDD) | What

Re: security questions

2008-08-06 Thread Chris Kuethe
On Wed, Aug 6, 2008 at 8:23 AM, Peter Saint-Andre [EMAIL PROTECTED] wrote: Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: *** ... *** It strikes me that the answers to many of these questions might be public information

Re: security questions

2008-08-06 Thread Peter Saint-Andre
Chris Kuethe wrote: On Wed, Aug 6, 2008 at 8:23 AM, Peter Saint-Andre [EMAIL PROTECTED] wrote: Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: *** ... *** It strikes me that the answers to many of these questions might be public

Re: security questions

2008-08-06 Thread Matt Ball
On Wed, Aug 6, 2008 at 9:23 AM, Peter Saint-Andre wrote: Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: *** What is name of the hospital in which your first child was born? ... What was your most memorable gift as a child

Re: security questions

2008-08-06 Thread David Molnar
Peter Saint-Andre wrote: [list of security questions snipped] *** It strikes me that the answers to many of these questions might be public information or subject to social engineering attacks... You might enjoy reading Ari Rabkin's recent paper at SOUPS 2008 on this issue: Personal

Re: security questions

2008-08-06 Thread Apu Kapadia
enter random values that I don't even record for the security questions. Should something go wrong, I'm going to end up on the phone with a rep anyway, and they will have some other method for authenticating me (or, of course, a clever social-engineering attacker). An except from my recent blog

Re: Foibles of user security questions

2008-01-14 Thread ' =JeffH '
of possible relevance... Mike Just. Designing and Evaluating Challenge-Question Systems. IEEE SECURITY PRIVACY, 1540-7993/04, SEPTEMBER/OCTOBER 2004. =JeffH - The Cryptography Mailing List Unsubscribe by sending

RE: Foibles of user security questions

2008-01-14 Thread Dave Korn
On 07 January 2008 17:14, Leichter, Jerry wrote: Reported on Computerworld recently: To improve security, a system was modified to ask one of a set of fixed-form questions after the password was entered. Users had to provide the answers up front to enroll. One question: Mother's maiden

Re: Foibles of user security questions

2008-01-14 Thread Peter Gutmann
Florian Weimer [EMAIL PROTECTED] writes: * Jerry Leichter: I can just see the day when someone's fingerprint is rejected as insufficiently complex. It's been claimed that once you reach the retirement age, one person in ten hasn't got any fingerprints which can be used for biometric purposes.