Security question
Security questions are used as an authenticator by banks, cable companies and wireless providers as an extra security layer. They are a form of shared secret.

Financial institutions have used questions to authenticate customers since at least the early 20th century. In a 1906 speech at a meeting of a section of the American Bankers Association, Baltimore banker William M. Hayden described his institution's use of security questions as a supplement to customer signature records. He described the signature cards used in opening new accounts, which had spaces for the customer's birthplace, "residence," mother's maiden name, occupation and age. Hayden noted that some of these items were often left blank and that the "residence" information was used primarily to contact the customer, but the mother's maiden name was useful as a "strong test of identity." Although he observed that it was rare for someone outside the customer's family to try to withdraw money from a customer account, he said that the mother's maiden name was useful in verification because it was rarely known outside the family and that even the people opening accounts were "often unprepared for this question." Similarly, under modern practice, a credit card provider could request a customer's mother's maiden name before issuing a replacement for a lost card.

In the 2000s, security questions came into widespread use on the Internet. As a form of self-service password reset, security questions have reduced information technology help desk costs. Because the answers are now typed into a browser, however, they are exposed to keystroke logging attacks. In addition, whereas a human customer service representative may be able to cope with inexact security answers appropriately, computers are less adept at such fuzzy matching. As such, users must remember the exact spelling and sometimes even the letter case of the answers they provide, which poses the threat that more answers will be written down, exposing them to physical theft.
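The exact-spelling problem described above is usually addressed on the server side by canonicalising the answer before it is hashed and compared. The following is an added illustration, not code from the article or from any particular vendor; the normalisation rules, function names and the PBKDF2 iteration count are assumptions chosen for the example.

```python
"""Normalise and verify security-question answers (added example).

A human agent accepts "Smith", "smith " or "SMITH" as the same answer; a
server doing a raw string compare does not. Canonicalising the answer
before hashing closes that gap without storing the answer in plaintext.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Constructed value for the example; tune the work factor for your platform.
PBKDF2_ROUNDS = 100_000


def normalize_answer(answer: str) -> str:
    """Canonical form: NFKC-normalised, case-folded, letters and digits only.
    "St. Mary's" and "st marys" both map to "stmarys"."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    # Dropping punctuation and whitespace also absorbs curly vs. straight quotes.
    return "".join(ch for ch in text if ch.isalnum())


def enroll_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage; the plaintext answer is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Hash the normalised candidate and compare in constant time."""
    probe = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(probe, digest)


if __name__ == "__main__":
    salt, digest = enroll_answer("O'Brien")  # constructed enrolment answer
    for typed in ("O'Brien", "obrien", "  O BRIEN ", "O’Brien", "Brien"):
        print(f"{typed!r:14} -> {verify_answer(typed, salt, digest)}")
```

Normalisation widens the set of accepted strings slightly, so it trades a little entropy for usability; the Schneier critique below about the low entropy of the underlying facts still applies.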

The best answers are simple, memorable, can't be guessed easily, and don't change over time.
Understanding that not every question will work for everyone, RSA gives banks 150 questions to choose from.

Security expert Bruce Schneier questions the usefulness of security questions. Since the answers are public facts about a person, they are easier for an attacker to guess than passwords. Users who know this create fake answers to the questions, then forget the answers, thus defeating the purpose and creating an inconvenience not worth the investment.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.