Wednesday, July 24, 2013

My mother's maiden name was Phil

I'm one of those people whose last name is the same as his mother's 'maiden' name. I'm also one of those people who, because of this, decides against using his mother's maiden name as a 'security' question. Especially when something as important as my bank account is involved.

Unfortunately, Scotiabank is one of those companies that thinks that, in today's world of everybody splattering their biographies across the internet, one's mother's maiden name is a secret that can only be transmitted through the vault door at Fort Knox with an umbilical cord.

Some time ago, I changed what I had listed at my bank for "mother's maiden name" to something else. Damned if I know what I put. So every time I call up the bank, I have to explain this so they can skip over to another set of somewhat obtrusive questions (including "employer", of which I have multiple). Invariably, they don't care because as far as they're concerned, they have to ask me a question and I have to answer it, and they needn't concern themselves with the degree of difficulty of this question or the degree of security afforded by this.

But today, I was trying to buy something online when I was presented with a "Verified by Visa" confirmation screen—ostensibly for my bank—which required me to enter my "mother's maiden name". I tried a couple of things but it didn't work. There was no 'back' button so I could pay instead with PayPal, so I had to close the window. When I called up the company to see if the purchase went through, they informed me that the response from VbV wasn't even necessary unless I had set it up with my bank.

Naturally, I went to my bank website to see if I could find out whether I'd set up Verified by Visa. I didn't realize that I was on my 'new' Windows 8 laptop (which I've since relegated to secondary status under the old, reliable Windows XP beast which it had been intended to replace), and I mustn't have logged into my bank account from that computer before, because it asked me for another security question.

Damned if I knew that one, either. Let's look at the list of security questions available (from which one must pick three, and subsequently all three of which must be answered correctly if one is logging in for the first time on a new computer, or on a public computer). Remember, a good security question is one that is easy for you to understand and difficult for an identity thief to figure out. Most of these fail:

Where did you go on your honeymoon?
What was the name of your elementary school?
What was the name of the street on which you grew up?
Obviously, some of those might be obscure questions for some people, but the ones that aren't mind-numbingly obvious are, by definition, difficult for the user to remember also (the obvious ones would be like the BFF one talks to and about all the time on social media or the high school graduation year in one's Facebook timeline or LinkedIn profile). For example, I have two grandmothers (as I'm sure most do), both of whom are still alive. If I used that question, when I go to answer it, would I remember which grandmother I chose? And would I have chosen the town she grew up in, the town she lived in when I was a child, or the town she lives in now? Will I spell it right?

My paternal grandfather's first name isn't so easy either. He went by an English name, a French name, and a nickname, and the French one had an accent. When I try to remember what I put in there, do I remember the name I called him, or since banking is formal business, did I use his formal first name?

My cousins span two generations. Did I pick the oldest of all my cousins or of my more familiar younger group of cousins? Did I put only their first name or full name?

And as for elementary school and growing-up street, I went to at least three different elementary schools; I'm sure many people grew up living on many different streets. Or maybe someone's parents still live on that street where there's only one school nearby. Either way, it's either hard for me to remember or easy for a hacker to figure out.

The rest of the questions are even more wishy-washy:
What is the name of your first employer?
What was the first name of your first manager?
What is the last name of your favorite teacher in elementary school?
What is the name of your first pet?
What is your favorite hobby?
What was the name of your first girlfriend/boyfriend?
I once applied for a summer job with the Ottawa Police when I was in university. I was told to list every.single.employer on the job application, and not wanting to lie to the Police, I did. My first one was a paper route. Actually, it was a flyer route. My first 'manager' was a lady who met me once at her suburban house to tell me how to do the job and whom I never saw or heard from again. The HR person at the police service told me that I was a stellar candidate but my references didn't check out because this lady whose name I had to dig through innumerable boxes of files to find didn't remember working with me. (That taught me the dual lesson of the importance of lying to the police and lying on job applications. Come to think of it, I don't think I've ever gotten a job I applied for, except for a really rotten one...)

So when it's months after I set these security questions and I'm trying to remember the answer, did I put my first.job.ever or my first 'real' job? These are the types of questions I don't have to contemplate when updating my LinkedIn profile because I don't goddamn have one.

'Favourite movie' is one of the questions I remember Blogger asking me nine years ago when I set up my account, in order to put in my public profile (go figure, it's still there). I remember this because it got me thinking, "what a stupid fucking question is that?"

Please tell me I'm not alone, and that most people don't have a single favourite movie, book, hobby, etc. that hasn't changed in decades. If you have one dominant hobby, like knitting, it'd be easy for you to remember, but chances are you talk about it a lot and maybe you have a blog about knitting, so it would be dead easy for an identity thief to figure out also, so you wouldn't really want to use it as a security question. Or maybe, a year from now, you forgot that you set up your security question when you were in your quilting phase and can't figure out why "knitting" doesn't work when you try to type it in.

Oh, by the way, Scotiabank the Canadian banking company: in Canada, it's spelled "favourite".

In fact, the only question of that batch I can think of that is fairly definitive is "What did you want to be when you grew up?" It's definitive because I became that. But damned if I can remember a year from now if I typed "curmudgeonly old man" or "grumpy curmudgeon" or simply "get off my lawn".

In fact, I think I asked them to put something akin to "get off my lawn" as the answer to "mother's maiden name" and thought it was pretty clever except that I've forgotten which kin I put it to.


***

Another flaw of these security questions is how they're presented. If you primarily use one computer to access your online banking, and that computer is your personal one, and you don't have your browser configured to kill all cookies on exit, then you can set it to remember you so you don't have to answer the security questions each time. The problem is, when it does come time to answer these questions (say, because you had to reinstall your browser, or you got a new computer, or you're checking in from a wireless café), you don't remember which of the decisions you made in how you answered these questions because you haven't had to answer them in so long because it was disabled on the primary computer from which you access it.

This is a feature, not a bug, according to the call centre agent who reset my login tonight. She suggested that setting it to not ask me the questions again on this one computer would mean that I wouldn't encounter the questions again, and the implication was that I wouldn't have to worry about remembering the answers to the 'secret questions' at all. I guess the script Scotiabank gave her was written by someone who doesn't understand the philosophy of cloud computing (or Internet banking, for that matter) where you can access stuff from different computers.

***

I don't think the bank really cares about security, it just wants to have a cloak of plausible deniability in the event of fraud. I mean, who's to blame if my account gets compromised? If I went to my home branch (which evidently isn't the one I thought it was, though the phone rep wouldn't tell me which one it was) and asked them to change my "mother's maiden name" to my mother's actual maiden name—even though it's not the least bit of a security question for me—would they blame me for using security questions that are too easy if my account got compromised? Or maybe I would be protected so long as I've checked all the boxes. Not that I care. Even if the bank is responsible and reimbursed me for wrongful expenses, I would be the one who'd have to suffer the fallout from having his identity stolen, credit likely damaged, and the paranoia (or worse, the reality) that the thief might have used it to infiltrate other areas of my life.

***

I did have a security scare once. Long story short, it got me worried that my Google/Gmail account had been compromised. I discovered that Google has a feature whereby you can get it to send a six-digit number to your cellphone via text message whenever you log in, and you must enter this number into the login page before it lets you in. It can also send you the number via a phone call. As backups, it has alternate phone numbers and you can get a set of single-use codes in the event you don't have access to your cell phone. You can tell it not to do this on 'trusted' computers (you'll still need your password to log in).

Not only is this a very secure method of protecting your log in, but it also is a built-in way of telling if someone else is trying to log in to your account (it will certainly tell you they've got your password!). Not only is it secure, but it also doesn't require me to answer a bunch of silly questions.
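To make the flow described above concrete, here is a small model of a login second step, written as an added example for this post (it is not Google's code and makes no claim about how their service is built). It assumes a 300-second validity window for the texted code and eight-digit backup codes; both values are made up for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window for a texted code


class SecondFactor:
    """Second login step: a short-lived code delivered out of band (SMS or
    voice call), single-use backup codes, and a 'trusted computer' exemption.
    The password check happens elsewhere; this class only models the second step."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock, so expiry is testable
        self.pending = {}              # user -> (code, expires_at)
        self.backup_hashes = {}        # user -> set of sha256(code) not yet used
        self.trusted_devices = {}      # user -> set of device ids
        self.alerts = []               # every issued code is also a signal to the owner

    def issue_code(self, user):
        # The six-digit value that would be texted or read out by phone.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, self.now() + CODE_TTL_SECONDS)
        self.alerts.append(f"login code sent to {user}")  # tells the owner someone has the password
        return code

    def issue_backup_codes(self, user, count=10):
        # Printable single-use codes; only their hashes are stored server-side.
        codes = [f"{secrets.randbelow(10**8):08d}" for _ in range(count)]
        self.backup_hashes[user] = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def trust_device(self, user, device_id):
        self.trusted_devices.setdefault(user, set()).add(device_id)

    def verify(self, user, submitted, device_id=None):
        if device_id in self.trusted_devices.get(user, set()):
            return True  # trusted computer: second step skipped, password still required
        entry = self.pending.get(user)
        if entry is not None:
            code, expires_at = entry
            if self.now() <= expires_at and hmac.compare_digest(code, submitted):
                del self.pending[user]  # a code is good for exactly one login
                return True
        digest = hashlib.sha256(submitted.encode()).hexdigest()
        unused = self.backup_hashes.get(user, set())
        if digest in unused:
            unused.discard(digest)  # backup codes are single-use
            return True
        return False
```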

Twitter recently enabled a similar feature, though it doesn't have the voice call or backup codes options, and naturally the first time I tried logging in to Twitter from another computer I was behind an impenetrable wall of steel and concrete, thereby missing the text message.

Why can't the bank do this?

Whenever I'm conducting a transaction at an unfamiliar retail store with my credit or debit card, I'm always worried about the security of my card. Is this a real card reader charging me 9.95 for the large pho or is it a dummy reader that's set up to record my card number and PIN? Sometimes I deliberately enter the wrong PIN the first time to make sure it rejects the bad code.

I am horrified by the 'paypass' credit cards where you just have to tap it and it takes up to $30 out of your account without having to so much as press a button, much less enter a code.

It would be much more reassuring if, each time my credit card was authenticated, I got a text message with the amount and store name.

In the meantime, I'll have to put up with the bank's ridiculous security theatre. I think I'll tell them my mother's name was Phil.

- RG>

3 comments:

Grant said...

"It would be much more reassuring if, each time my credit card was authenticated, I got a text message with the amount and store name."

That's a really good idea.

Are there any questions that you would consider to be good security questions? Or is the whole system flawed in your opinion?

RealGrouchy said...

I think "what is your password", "what is your card number" and "what are the last 3 digits on the back of your card" are pretty good security questions.

For situations where that is insufficient, "How about we send a confirmation link to your email address or phone?" is a good backup question.

Kinda silly that Twitter has more security procedures available than my bank.

- RG>

Grant said...

A relevant essay by one of my favourite writers on the design of products and systems:
http://www.jnd.org/dn.mss/when_security_gets_i.html

By the way, the captcha I have to pass to post a comment here is another excellent example of security getting in the way. :)