Insecurity Questions

Bruce Schneier this morning posts about custom “secret” questions to be used as part of identity-verification with a bank.

His suggestions are extremely amusing, but they’re also… a little too logical, for my tastes.

I have for a while been advocating to friends and family the use of complete non-sequiturs for these sorts of things, even with the typical unimaginative sorts of questions.

Remember that in this scheme it is the answer that matters, not the question. Especially with online banking, the question is something a potential identity thief can probably see, and can then either go hunting for the answer or simply guess it. “Where did you grow up?”, “What’s your favorite food?”, “What’s your mother’s maiden name?” and “What’s your favorite color?” are the kinds of things you can often figure out from someone’s MySpace or Facebook pages…

…if they’ve answered honestly.

What I used to recommend is that your answers to these sorts of so-called “secret questions” be completely unrelated:

What’s your favorite color? Harry Potter
Where did you grow up? Ubuntu
What’s your favorite food? Royal Canadian Air Force
What’s your mother’s maiden name? Embezzlement

However, after being appalled by the number of people who seem to conduct their banking over the phone on public transit, I’ve revised my stance on this such that I think you should fabricate an answer to each question which could be an (untruthful) answer to a different question.

Thus, supposing that your favorite food is pizza, you grew up in Texas, your favorite color is green, and your mother’s maiden name is Johnson, you’d set your “secret” answers to be:

What is your favorite color? Ozbourne
Where did you grow up? Cinnamon-raisin bread
What’s your favorite food? Magenta
What’s your mother’s maiden name? Michigan

This, IMO, has the advantage that not only are the answers not easily guessable or discernible from your social-networking sites, but anyone who overhears your answer to one of these questions will almost certainly assume that the answer goes with the “wrong” question… and I can think of few nobler goals than confusing and thwarting identity thieves.
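As an added illustration of the second scheme (written for this post, not the author’s own code): each question is assigned a fabricated answer drawn from a different question’s category, and an audit function checks that no answer is a publicly known fact, none looks like a genuine answer to its own question, and none is reused. The question set, the decoy pool and the list of “public facts” are constructed sample data; the category tags and function names are this example’s own assumptions.

```python
"""Added example: build and audit decoy security-question answers.

Illustrative code written for this post, not published by its author.
The questions, the decoy pool and the 'public facts' are constructed
sample data.
"""
import random

# Each question is tagged with the kind of answer it normally expects
# (constructed sample: the four questions from the post).
QUESTIONS = {
    "What is your favorite color?": "color",
    "Where did you grow up?": "place",
    "What's your favorite food?": "food",
    "What's your mother's maiden name?": "surname",
}

# Plausible-looking fabricated answers per category (constructed pool;
# it includes the four decoys the post itself uses).
DECOY_POOL = {
    "color": ["Magenta", "Chartreuse", "Teal"],
    "place": ["Michigan", "Lisbon", "Kyoto"],
    "food": ["Cinnamon-raisin bread", "Pierogi", "Gumbo"],
    "surname": ["Ozbourne", "Takahashi", "Okafor"],
}


def derangement(items, rng=None):
    """Return a permutation of items in which no element keeps its place.

    Rejection sampling is fine for a handful of categories: for n = 4,
    9 of the 24 permutations qualify, so the loop ends quickly."""
    rng = rng if rng is not None else random.SystemRandom()
    items = list(items)
    while True:
        shuffled = items[:]
        rng.shuffle(shuffled)
        if all(a != b for a, b in zip(items, shuffled)):
            return shuffled


def build_decoy_answers(questions, pool, public_facts, rng=None):
    """Give every question an answer from a *different* question's category,
    never equal to anything the user is publicly known for."""
    rng = rng if rng is not None else random.SystemRandom()
    categories = list(questions.values())
    swapped = derangement(categories, rng)   # category i -> some other category
    public = {fact.casefold() for fact in public_facts}
    answers = {}
    for question, decoy_category in zip(questions, swapped):
        candidates = [c for c in pool[decoy_category] if c.casefold() not in public]
        if not candidates:
            raise ValueError(f"no unused decoys left for category {decoy_category}")
        answers[question] = rng.choice(candidates)
    return answers


def audit(answers, questions, pool, public_facts):
    """Return a list of problems with an answer set; an empty list means it passes."""
    problems = []
    public = {fact.casefold() for fact in public_facts}
    seen = set()
    for question, answer in answers.items():
        own_category = questions[question]
        if answer.casefold() in public:
            problems.append(f"{question!r}: answer is a publicly known fact")
        if answer in pool.get(own_category, []):
            problems.append(f"{question!r}: answer looks like a real {own_category}")
        if answer.casefold() in seen:
            problems.append(f"{question!r}: answer reused")
        seen.add(answer.casefold())
    return problems


if __name__ == "__main__":
    # Constructed "true" facts matching the post's worked example.
    facts = ["green", "Texas", "pizza", "Johnson"]
    chosen = build_decoy_answers(QUESTIONS, DECOY_POOL, facts, random.Random(7))
    for question, answer in chosen.items():
        print(f"{question} {answer}")
    print("problems:", audit(chosen, QUESTIONS, DECOY_POOL, facts))
```

Because the mapping is deliberately unrecoverable from the questions, whatever set you generate has to be recorded somewhere you trust; the audit is the check to run before committing to it, and it is equally useful for testing a set you made up by hand.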

Published in: Geekiness, General, Security | on April 30th, 2010
