[PLUG-TALK] Website "security" questions

John Sechrest sechrest at jas.peak.org
Mon Jul 28 22:02:10 UTC 2008


The reason they do the security questions is that there have been tests and
it has been shown to improve security and there are papers about it.

But more importantly, the lesson of the next generation, which my daughter
taught me is that just because they ask you a question does not mean that
you have to give them the official story. You can be anything you want on
the internet. And since they do not check the answer against any database,
it is simply a Key/value pair.

If they ask A, I respond B

If they ask "Where were you born?" I respond B

So you are getting excited about nothing, since you don't need to give them
any meaningful data, only data that is rememberable by you.



On Mon, Jul 28, 2008 at 2:39 PM, Keith Lofstrom <keithl at kl-ic.com> wrote:

> So far, two of my financial institutions have decided to add another
> roadblock to access, "security questions".  These are questions that
> they claim are "easy for you to answer, hard for others to guess".
> Feh!  Almost all of them have answers in databases, if not on the web.
> For example, "where did you go to high school" is something that most
> competent Google users can find out about me.  If the software lets
> me, I typically answer with an irrelevant and easily remembered pass
> phrase (for all the questions).  However, some sites don't allow
> that, either.   I am not allowed to choose my own questions.  If
> permitted, I would definitely avoid all personal-history questions.
> So why do the banks insist on using such questions?
>
> Paranoid answer:
>
> One of the OSCON people I led to a tour at Free Geek used to work for
> an Arkansas company called Acxiom.  They collect data from all the
> credit card vendors, databases, etc. to construct demographically
> driven lists for junk mailers.  One of their clients is the federal
> government, who are building large dossiers on everyone from sources
> like this.  I have no doubt that the feds can guess the answers to
> almost all those questions.  Which means that, if they can crack
> your password, they can monitor your financial information at the
> bank without being detected, and without warrants.  This would be
> much harder if you were allowed to pick your own questions.
>
> It is also interesting that the banks don't provide users with an
> access history.  So if someone else got into your account, you
> could not tell unless they changed something.
>
> Probable answer:
>
> Probably the answer to the "why do banks offer stupid security" is
> because the managers making the choices for the banks are "security
> stupid" and easily influenced by fashion and vendors.  No need to
> invent a conspiracy unless I see evidence that these anonymous
> hypothetical managers are intelligent.  If anyone has evidence of
> how these decisions actually get made, I would be interested.
>
> BTW, Bank of America uses a customer-chosen picture and a name;
> this seems like a much better way to go, and it also hinders
> man-in-the-middle attacks.  Not all managers are idiots.  Still,
> I would like them to provide a login history.
>
> Keith
>
> --
> Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
> KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
> Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
> _______________________________________________
> PLUG-talk mailing list
> PLUG-talk at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug-talk
>
>


-- 
John Sechrest .
Corvallis Benton .
Chamber Coalition .
420 NW 2nd .
(541) 757-1507 . sechrest at corvallisedp.com
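The "key/value pair" view above, as an added example that is not part of the original thread: a small Python verifier that treats the answer to a security question as an arbitrary secret (salted, stretched, compared in constant time, the same way a password should be), plus a helper that generates a random memorable passphrase to use as the answer instead of real biographical data. The word list and the iteration count are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed word list for generating memorable, non-biographical answers.
# A real deployment would use a much larger list (e.g. a diceware list).
WORDS = ("apple", "bridge", "copper", "dune", "ember", "falcon", "granite",
         "harbor", "ivory", "juniper", "kettle", "lantern", "meadow", "nickel")


def random_answer(n_words=4):
    """Generate a random passphrase to use as the 'answer' to any question."""
    return "-".join(secrets.choice(WORDS) for _ in range(n_words))


def normalize(answer):
    """Canonicalize case and whitespace so trivial typing differences do not lock the user out."""
    return " ".join(answer.strip().casefold().split())


def enroll(question, answer, iterations=100_000):
    """Store only a salted, stretched hash of the answer, never the answer itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, iterations)
    return {"question": question, "salt": salt, "iterations": iterations, "digest": digest}


def verify(record, answer):
    """Constant-time comparison of a candidate answer against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # The question is only a label (the "key"); the answer is whatever the user chose.
    answer = random_answer()
    rec = enroll("Where were you born?", answer)
    print("question:", rec["question"])
    print("answer to remember:", answer)
    print("verify correct:", verify(rec, answer))
    print("verify wrong:", verify(rec, "Portland"))
```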