Community

Join the Community

21,845
Expert opinions
44,016
Total members
427
New members (last 30 days)
206
New opinions (last 30 days)
28,638
Total comments
Join Sign in

Personal Knowledge or Qualifying Questions as Authenticators

  0 2 comments
Robert Siciliano
Robert Siciliano
Security Analyst
Safr.me
Location
Boston
Followers
8
Opinions
844
Unfollow

How many times have you forgotten a password? Fortunately the website you were on only needed your username or an email address and they would respond with a few questions for you to answer. Once you responded with what was in the system you then re-set your password and you’re in.  Easy peazy.

What’s your favorite food? Where did you honeymoon? Your first pets name? Name of your first car? The name of your elementary school?  Your fathers middle name? All these questions are meant to replace that used-to-be-secret-obscure word that only you and your parents would know the answer too – your mothers maiden name.

Then came Ancestry.com, Geneology.com, Google and for crying out loud Facebook. Now much of this information is available by doing a quick search online via public records or it’s easy to guess if the “hacker” is an acquaintance.

I’m a member of an organization in which I have been granted access to a bank account we have. But I haven’t accessed the account in months.  Since the last time I logged in the bank instituted a qualifying question as another layer of protection. Instead of calling the other person who was also managing the account I simply guessed the answer. “Where did you go to high school?” I didn’t know where this person went to high school but I knew where his mother lived. I entered the name of the town and BOOM, I was in.

It shouldn’t be that easy.

 

 

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

3395
 

Share

 
 
 
 
 

Channels

/security /regulation & compliance

Comments: (3)

John Dring

John Dring Digital Services and mCommerce at Intel Network Services

Agreed. I just made a comment on the PIN problem Blog along similar lines - if making a record of your PIN/Password is a no-no, then what constitutes an acceptable reminder?  How would you even note a reminder for yourself for a password of "Qhos02!" for example.  Begins with Q ?  Or maybe "Quit whining about passwords TO remember!"

And what's with the call centres that attempt to authenticate you by asking your DOB and full address, and then proceed to administer your account for you on the phone?  I could be anyone.  Especially since so many sites ask you to register the same 'bank like' auth questions these days (just to look like they care about your security)?  They could be spread around and sold like CC number lists.  I still think a text alert or email everytime your account profile is updated is a must.

Robert Siciliano

Robert Siciliano Security Analyst at Safr.me

Author

Great feedback John, Thank you.

A Finextra member 

I removed my DOB from my facebook account a while ago as a precaution against this sort of thing. Some information just shouldn't be *that* freely available!

Robert Siciliano
Robert Siciliano
Security Analyst
Safr.me
Member since
04 Feb 2009
Location
Boston
Followers
8
Following
0
Opinions
844
Unfollow

Your Social Security number IS in the Hands of Criminals

Most Security Awareness Training is Insufficient and Should Lead to Consequences

AI Spoofed Sites Lead to $50 Million Investment Scams

How and Why “Fun” AI Generated Spam On Social Media Will Manipulate the 2024 Election

Artificial Intelligence and Organized Crime Sitting In a Tree…

See all Opinions from Robert

More expert opinions

Nicky Goulimis

Nicky Goulimis Co-founder at Tunic Pay

It's a good time to be alive... if you're a faster payments fraudster

Matt Riggall

Matt Riggall Head of Commercial Lending Vertical, Cap. Markets at FIS

Generative AI agents and the future of work in commercial banking

Anthony Pickup

Anthony Pickup Consultant at Capgemini Invent

Vehicle usage taxation needs a new model in the 21st Century

Konstantin Rabin

Konstantin Rabin Head of Marketing at Kontomatik

Young Investors Turn to Crypto as Alternative to Traditional Stocks

See all opinions

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

21,845
Expert opinions
44,016
Total members
427
New members (last 30 days)
206
New opinions (last 30 days)
28,638
Total comments
Join Sign in

Trending

Shawn Conahan

Shawn Conahan Chief Revenue Officer at Wildfire Systems, Inc.

How To Win and Retain Customers In The Loyalty Era

Konstantin Rabin

Konstantin Rabin Head of Marketing at Kontomatik

The Critical Role of Data and Statistics in Shaping Fintech Apps’ Success

Alexander Boehm

Alexander Boehm Chief Executive Officer at PayRate42

What Are Non-KYC Exchanges?

Roman Eloshvili

Roman Eloshvili Founder and CEO at XData Group

Starting a Fintech Startup: 5 Key Tips Founders Should Prioritise

Now Hiring

All companies

Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.

Please read our Privacy Policy.

Accept