Last week I called my financial institution to wire transfer some money and they asked me to verify my identity with a secret question: what is your place of birth? I responded with Williams Lake, followed by my classic joke; well, not actually in the lake, that's just the name of a town in British Columbia.
She didn't laugh, but she proceeded to let me know that they have since upped their security measures. It seems they have learned that people can easily find out where their clients are born on the Internet. Go figure. She needed to have me create a new secret question so she asked: what is your favorite color?
I thought it was a joke, but it wasn't. And the sad thing is that it reminds me of every single Internet password picking experience I have these days. First, it goes, pick a password - make it something that no one could ever guess and something that you are not familiar with. It should involve a number or a letter or sometimes a special character (ugh). You are reminded that no one should be able to guess your password. Sounds secure enough, I think, but that's until I read the next part: in case you forget your password, you should now pick a question with an answer that you know you can remember, like your pet's name or the place you were born (I wasn't actually born in a lake).
I've never understood that one, and it is perpetuated on every site with no logic to me (someone please explain). But not my financial institution. They just pick one question - something that no one could ever find out on the Internet.
I'm no security expert, but I don't see why this is a problem. Obviously, if they let you in just based on your "security question" answer, then the security is bad because I'm likely to have named my first pet something an attacker might have in a dictionary (or a personal acquaintance could know it or look it up on the Internet, or whatever). But if they just email you a login link, what's the harm in that? Unless your attacker has access to the chain between their mail server and yours, how do they get access to the mailed new password or login link?
Posted by: dnl2ba | September 21, 2006 at 10:35 PM
Thanks for mentioning. I think I've known that the original intention was only to send email, but I bet many sites down the line have lost sight of that and just do it for password recovery. I still find my experience with my bank shocking because they are using it for identity purposes.
Posted by: Dorrian | September 22, 2006 at 07:22 AM