Sunday, September 30, 2012

What Is Your Mother's Maiden Name? Gdkeref(?)

     Probably the most common “secret” questions by which an online account user's identity is supposed to be verified are:
     What is your mother's maiden name?
     What was the name of your first elementary school?
     Where did you meet your spouse?

      And in these days when everything is available on the world wide web, what is secret about them? Anyone with half an ounce of computer knowledge can often get the answers in a few minutes.
     Recently I called my bank and asked to submit new answers to my secret questions, and was told that once one has the answers established, they cannot be changed. How can your mother's maiden name be different from what it was when you originally submitted it?
     Of course, it isn't different, but that does not mean that one can't change the answer to the question. What difference does it make to the bank if you change your answer from Mabel Smith to Shirley Temple, or even to something like Brom Bones or Gdkeref? As long as you give the same answer every time the bank asks the question, you are identified, and no hacker is going to find your answer on the web in a thousand years. The same is true of any secret question.
     Some organizations have caught on to the problem, and allow one to make up one's own questions. Wonderful! You don't even need a legitimate question. Suppose I ask, “Is it warmer in the summer or in the country?” Answer: Purple. As long as I give the same answer whenever the question is asked, my identity is verified.
     For the password itself, how about something like [Gj4&sD34#6Df]? Coupled with an unsearchable secret question, the account is virtually uncrackable.
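The point of the last three paragraphs is that the institution never checks whether an answer is true, only whether it matches what was enrolled, so "Gdkeref" or "Purple" works exactly as well as a real maiden name, and changing the answer is nothing more than enrolling a new one. The following is an added example, not code from the post or from any bank: a minimal verifier that stores a salted hash of a normalised answer (the same way a password should be stored), accepts any consistent answer, and lets the answer be replaced. The store, question strings and sample answers are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000  # PBKDF2 work factor; raise in production


def normalize(answer: str) -> str:
    """Canonicalise an answer so that case, spacing and accent differences
    do not lock out the legitimate user (e.g. "  Mabel   SMITH " -> "mabel smith")."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def enroll(store: dict, question: str, answer: str) -> None:
    """Keep only a salted PBKDF2-SHA256 hash of the normalised answer, never the
    plaintext. Enrolling the same question again simply replaces the old answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    store[question] = (salt, digest)


def verify(store: dict, question: str, answer: str) -> bool:
    """True only if the supplied answer hashes to the enrolled value for that question.
    Nothing here cares whether the answer is 'true', only whether it is consistent."""
    if question not in store:
        return False
    salt, expected = store[question]
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def demo() -> dict:
    """Walk through the post's scenario with constructed questions and answers."""
    store = {}
    maiden = "What is your mother's maiden name?"
    nonsense = "Is it warmer in the summer or in the country?"
    enroll(store, maiden, "Gdkeref")
    enroll(store, nonsense, "Purple")
    results = {
        "real_name_rejected": not verify(store, maiden, "Mabel Smith"),
        "chosen_answer_accepted": verify(store, maiden, " gdkeref "),
        "nonsense_question_works": verify(store, nonsense, "PURPLE"),
    }
    enroll(store, maiden, "Brom Bones")  # "changing" the answer is just re-enrolling
    results["old_answer_after_change"] = verify(store, maiden, "Gdkeref")
    results["new_answer_after_change"] = verify(store, maiden, "Brom Bones")
    return results
```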
     Some financial institutions use one's email address as the user ID. By intercepting the user's email to the institution, a hacker discovers the user's ID.
     A simple way to avoid this problem is to set up an email account which is used only for the user ID. Actual contact with the institution is through the normal email account.
      For example, suppose I set up a special email account, say, which I submit as my user ID. However, whenever I contact the institution, I use my regular email account. A hacker who intercepts my message can try all day to use my email address as the user ID, to no avail. The only time the secret address is ever used is when the institution contacts me.
      Of course, all this presupposes that one can remember to use the regular email and the answers to the secret questions. Simple enough: write it down and keep it next to your computer – not in it.
     This seems like real cloak and dagger stuff, but with ID theft becoming more prevalent, one can't be too careful.
     PS – My bank is the only institution which would not allow me to change my answers. I'm going to take another crack at them tomorrow.
     My books, “There Are Only Seven Jokes” and “The Spirit Runs Through It” are available in paperback or Kindle at Amazon.
