[PLUG-TALK] Website "security" questions

Keith Lofstrom keithl at kl-ic.com
Mon Jul 28 21:39:31 UTC 2008


So far, two of my financial institutions have decided to add another
roadblock to access, "security questions".  These are questions that
they claim are "easy for you to answer, hard for others to guess".
Feh!  Almost all of them have answers in databases, if not on the web.
For example, "where did you go to high school" is something that most
competent Google users can find out about me.  If the software lets
me, I typically answer with an irrelevant and easily remembered pass
phrase (for all the questions).  However, some sites don't allow
that, either.  I am not allowed to choose my own questions.  If
permitted, I would definitely avoid all personal-history questions.
So why do the banks insist on using such questions?

Paranoid answer:

One of the OSCON people I led on a tour at Free Geek used to work for
an Arkansas company called Acxiom.  They collect data from all the
credit card vendors, databases, etc. to construct demographically
driven lists for junk mailers.  One of their clients is the federal
government, who are building large dossiers on everyone from sources
like this.  I have no doubt that the feds can guess the answers to
almost all those questions.  Which means that, if they can crack
your password, they can monitor your financial information at the
bank without being detected, and without warrants.  This would be
much harder if you were allowed to pick your own questions.

It is also interesting that the banks don't provide users with an
access history.  So if someone else got into your account, you
could not tell unless they changed something.

Probable answer:

Probably the answer to the "why do banks offer stupid security" is
because the managers making the choices for the banks are "security
stupid" and easily influenced by fashion and vendors.  No need to
invent a conspiracy unless I see evidence that these anonymous
hypothetical managers are intelligent.  If anyone has evidence of
how these decisions actually get made, I would be interested.

BTW, Bank of America uses a customer-chosen picture and a name;
this seems like a much better way to go, and it also hinders
man-in-the-middle attacks.  Not all managers are idiots.  Still,
I would like them to provide a login history.
Keith

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
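The two complaints in the post above (security-question answers that an outsider can look up, and no access history for the customer) are both things a site operator can at least partly address on the server side. The following is an added, constructed example written for this page, not code from any bank, from the list, or from Keith: a hypothetical account store that normalizes and hashes question answers with a per-answer salt, locks a question after a fixed number of wrong guesses, and records every verification attempt (including the locked-out ones) in a per-account access log that could be shown to the user. The question texts, answers and source addresses are made up. Hashing and lockout limit online guessing and make a leaked database less useful, but they do nothing about an answer the attacker already knows from public records; the normalization step is there so that a customer who does what the post suggests (an unrelated, memorable passphrase as the "answer") still verifies when they type it with different capitalization or spacing.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Hypothetical defender-side store for security-question answers plus an
# access log. Constructed for illustration; not any institution's code.

MAX_FAILURES = 5          # lock a question after this many wrong guesses
PBKDF2_ITERATIONS = 100_000


def normalize_answer(answer: str) -> str:
    """Fold case, punctuation and spacing so 'Lincoln H.S.' == 'lincoln hs'.

    Customer-typed answers vary in trivial ways; comparing the normalized
    form avoids false rejections without widening the guess space much.
    """
    return "".join(ch for ch in answer.casefold() if ch.isalnum())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 over the normalized answer with a per-answer salt.

    Personal-history answers are low entropy, so a slow hash is what
    keeps an offline attack on a leaked table from being instantaneous.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS
    )


@dataclass
class QuestionRecord:
    salt: bytes
    digest: bytes
    failures: int = 0


@dataclass
class Account:
    # question text -> QuestionRecord
    questions: dict = field(default_factory=dict)
    # (timestamp, source address, event, success) for every attempt
    history: list = field(default_factory=list)

    def enroll(self, question: str, answer: str) -> None:
        """Store only salt + digest; the plaintext answer is never kept."""
        salt = os.urandom(16)
        self.questions[question] = QuestionRecord(salt, hash_answer(answer, salt))

    def verify(self, question: str, answer: str, source: str, now=None) -> bool:
        """Check an answer, enforce lockout, and log the attempt either way."""
        now = time.time() if now is None else now
        rec = self.questions[question]
        if rec.failures >= MAX_FAILURES:
            # Locked: refuse without even comparing, and record that we did.
            self.history.append((now, source, "locked", False))
            return False
        ok = hmac.compare_digest(hash_answer(answer, rec.salt), rec.digest)
        rec.failures = 0 if ok else rec.failures + 1
        self.history.append((now, source, "security_question", ok))
        return ok

    def recent_access(self, n: int = 10) -> list:
        """The access history the post asks banks to expose to customers."""
        return self.history[-n:]


if __name__ == "__main__":
    acct = Account()
    acct.enroll("Where did you go to high school?", "Lincoln High School")
    acct.enroll("Name of first pet?", "correct horse battery staple")  # passphrase as answer
    print(acct.verify("Where did you go to high school?", "lincoln  high school!", "203.0.113.5"))
    print(acct.verify("Name of first pet?", "fluffy", "198.51.100.9"))
    for entry in acct.recent_access():
        print(entry)
```

The log entries are what a customer-facing "recent logins" page would render; keeping the locked-out attempts in it is deliberate, since a run of refusals from an unfamiliar address is exactly the signal the post says customers currently cannot see.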
