Community

Join the Community

22,088
Expert opinions
44,070
Total members
384
New members (last 30 days)
175
New opinions (last 30 days)
28,703
Total comments
Join Sign in

Personal Knowledge or Qualifying Questions as Authenticators

  0 2 comments
Robert Siciliano
Robert Siciliano
Security Analyst
Safr.me
Location
Boston
Followers
8
Opinions
845
Unfollow

How many times have you forgotten a password? Fortunately the website you were on only needed your username or an email address and they would respond with a few questions for you to answer. Once you responded with what was in the system you then re-set your password and you’re in.  Easy peazy.

What’s your favorite food? Where did you honeymoon? Your first pets name? Name of your first car? The name of your elementary school?  Your fathers middle name? All these questions are meant to replace that used-to-be-secret-obscure word that only you and your parents would know the answer too – your mothers maiden name.

Then came Ancestry.com, Geneology.com, Google and for crying out loud Facebook. Now much of this information is available by doing a quick search online via public records or it’s easy to guess if the “hacker” is an acquaintance.

I’m a member of an organization in which I have been granted access to a bank account we have. But I haven’t accessed the account in months.  Since the last time I logged in the bank instituted a qualifying question as another layer of protection. Instead of calling the other person who was also managing the account I simply guessed the answer. “Where did you go to high school?” I didn’t know where this person went to high school but I knew where his mother lived. I entered the name of the town and BOOM, I was in.

It shouldn’t be that easy.

 

 

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

3410
 

Share

 
 
 
 
 

Channels

/security /regulation & compliance

Comments: (3)

John Dring

John Dring Digital Services and mCommerce at Intel Network Services

Agreed. I just made a comment on the PIN problem Blog along similar lines - if making a record of your PIN/Password is a no-no, then what constitutes an acceptable reminder?  How would you even note a reminder for yourself for a password of "Qhos02!" for example.  Begins with Q ?  Or maybe "Quit whining about passwords TO remember!"

And what's with the call centres that attempt to authenticate you by asking your DOB and full address, and then proceed to administer your account for you on the phone?  I could be anyone.  Especially since so many sites ask you to register the same 'bank like' auth questions these days (just to look like they care about your security)?  They could be spread around and sold like CC number lists.  I still think a text alert or email everytime your account profile is updated is a must.

Robert Siciliano

Robert Siciliano Security Analyst at Safr.me

Author

Great feedback John, Thank you.

A Finextra member 

I removed my DOB from my facebook account a while ago as a precaution against this sort of thing. Some information just shouldn't be *that* freely available!

Robert Siciliano
Robert Siciliano
Security Analyst
Safr.me
Member since
04 Feb 2009
Location
Boston
Followers
8
Following
0
Opinions
845
Unfollow

The Ultimate Guide to Passwords, Password Managers, Two Factor and Passkeys

Your Social Security number IS in the Hands of Criminals

Most Security Awareness Training is Insufficient and Should Lead to Consequences

AI Spoofed Sites Lead to $50 Million Investment Scams

How and Why “Fun” AI Generated Spam On Social Media Will Manipulate the 2024 Election

See all Opinions from Robert

More expert opinions

Tom Rowe-Jones

Tom Rowe-Jones M&A Director at LAVA Advisory Partners

Budget Busting - Rising Employer Costs and What They Mean for Mergers and Acquisitions

Ruoyu Xie

Ruoyu Xie Marketing Manager at Grand Compliance

MREL and BRRD: EU Banks’ Progress and Remaining Shortfalls

Erica Andersen

Erica Andersen Marketing at smartR AI

The Future of AI: Combating Bias and Ensuring Accuracy with Small Language Models

Kathiravan Rajendran

Kathiravan Rajendran Associate Director of Marketing Operations at Macro Global

Does the UK’s National Payments Vision really shape the Future of Payments?

See all opinions

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

22,088
Expert opinions
44,070
Total members
384
New members (last 30 days)
175
New opinions (last 30 days)
28,703
Total comments
Join Sign in

Trending

Nkahiseng Ralepeli

Nkahiseng Ralepeli VP of Product: Digital Assets at Absa Bank, CIB.

Blockchain Oracles in Payments: The Unsung Heroes.

Valeriya Kushchuk

Valeriya Kushchuk Digital Marketing Manager at Narvi Payments

How Open Banking, Accounts APIs, and BaaS APIs Are Reshaping Payments

Alex Kreger

Alex Kreger Founder & CEO at UXDA

How Fintechs Build Digital Brands to Conquer the Banking Industry

Kyrylo Reitor

Kyrylo Reitor Chief Marketing Officer at International Fintech Business

How to avoid potential risks when working with correspondent accounts

Now Hiring

All companies

Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.

Please read our Privacy Policy.

Accept