Banking System Fails Due To Security Question
If you’ve been paying attention to computer news you may have heard that the US Federal Reserve Bank was hacked. Details on over 400 bankers were stolen, although the Fed won’t say what the “details” are.
You may have also heard about the Bush family being one of the many accounts compromised through a flaw in Yahoo’s email service. One weakness these cases have in common is an outdated method for resetting your password.
This week I discovered one reason banks have failed to provide accurate security all the way up to the top. It took me 3 minutes to find that Fed Chairman Ben Bernanke’s mother’s maiden name was “Friedman”.
I recently realized the company providing services to my small town bank is still living in the 70’s and probably still stores my information on magnetic tape reels programmed in COBOL. According to its website, Fidelity National Information Services (FIS) is the world’s largest global provider dedicated to banking and payment technologies.
I’m a big fan of security questions, but not when multiple sites use the same questions. It’s especially scary when I see what must be the first security question ever used: mother’s maiden name?
Even if you can’t remember multiple passwords, what I recommend is creating standard replies for common security questions. Since most answers to security questions can be found on Facebook, your answers should never be truthful.
What’s your favorite book? Your answer should not be The Bible, The Hobbit or 50 Shades of Grey. It won’t be hard to remember, “Jokes for the John” or “Green Eggs and Ham”. Just associate your answer with a common theme.
Where did you go to High School? NEVER give your real school. The kids on Happy Days went to Jefferson High. Use your own imagination and make up a high school name you’ll remember.
Where were you born? How about Taxicab or Seattle Grace?
The name of your first pet? How about Dino? Even if your dog had a different name, don’t use Snoopy or Lassie as fake answers. They’re like using 12345 as a password.
Now that I’ve used these examples I wouldn’t use any of them, but you’ll find it’s easy and fun to come up with fake answers. Create fake answers that are so funny you’ll be sure to remember them. And if they ask you for your mother’s maiden name, go complain to your bank manager, as I plan to do.
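The advice above amounts to treating security answers as a second set of passwords: made up rather than true, not a famous default, and stored by the site the same way a password should be. The following Python is an added example (not code from the original post) that shows all three pieces on the defender's side: generating a random but memorable answer from a wordlist, rejecting answers that are guessable defaults or that equal the user's real facts, and hashing the stored answer with a salt so a breach does not leak it. The wordlist and the denylist are constructed for the example; a real deployment would use a large published wordlist.

```python
import hashlib
import hmac
import secrets

# Constructed wordlist for the example; use a large published list in practice.
WORDLIST = [
    "taxicab", "jefferson", "dino", "pancake", "lantern", "walrus",
    "quartz", "saddle", "meteor", "pickle", "harbor", "banjo",
]

# Famous defaults the post compares to using "12345" as a password.
WEAK_ANSWERS = {"the bible", "the hobbit", "50 shades of grey", "snoopy", "lassie"}


def generate_answer(words=3, wordlist=WORDLIST, rng=secrets):
    """Build a memorable but unguessable answer from randomly chosen words."""
    return " ".join(rng.choice(wordlist) for _ in range(words))


def is_weak_answer(answer, truthful_facts=()):
    """True if the answer is short, a famous default, or one of the user's real facts.

    truthful_facts is whatever the site already knows about the user (real
    school, real birthplace, ...) so a truthful answer can be refused.
    """
    a = " ".join(answer.lower().split())
    if len(a) < 8:
        return True
    if a in WEAK_ANSWERS:
        return True
    return any(a == " ".join(f.lower().split()) for f in truthful_facts)


def normalize(answer):
    """Case- and whitespace-insensitive form so 'Green  Eggs' matches 'green eggs'."""
    return " ".join(answer.lower().split()).encode()


def store_answer(answer, iterations=200_000):
    """Hash the answer like a password: salted PBKDF2, never plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_answer(stored, candidate):
    """Recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate), stored["salt"], stored["iterations"]
    )
    return hmac.compare_digest(digest, stored["hash"])


if __name__ == "__main__":
    answer = generate_answer()
    print("suggested answer:", answer)
    print("weak?", is_weak_answer(answer, truthful_facts=["Jefferson High"]))
    record = store_answer(answer)
    print("verifies:", verify_answer(record, answer.upper()))
    print("rejects wrong answer:", not verify_answer(record, "snoopy"))
```

The user-facing half of the idea (make up an answer you can remember) is served by `generate_answer`; the site-facing half is `is_weak_answer` plus the salted hash, so that a reset flow cannot be passed with a fact from Facebook and a database dump does not hand out the answers.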
While I can’t say the recent Federal Reserve attack was due to a common security question, the screenshot from my bank is real. The number of hacks that begin with a simple security question is undeniable. As a security professional I’m embarrassed it took this long for me to write about this problem. Just ask Sarah Palin what high school she went to and you’ll be reminded this problem has been around for many years.
Update March 23, 2013: I neglected to mention one other important related tip. When asked for your birthdate, always use another date you'll remember. Recently, it was revealed that anyone could obtain the password for an Apple account, like iTunes, by knowing a user's email and birthdate (The Verge, March 22, 2013).