Security questions are not secure
As I was signing up for a service today, which deals with money, I was asked to go through an extensive process in the name of security.
There was a special “security picture” assigned to me to protect me from phishing.
Then there were the ridiculous password requirements:
- 8-14 characters in length
- Must contain 2 numbers and an uppercase letter
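To put a number on that policy, here is an added example (my own code, not anything from the original post or the service it describes). It assumes passwords are drawn from the 95 printable ASCII characters and that the user picks uniformly at random, which is the best case for the policy; it counts every string the stated rules accept and compares that keyspace with an unconstrained 8-14 character password and with a plain 20-character lowercase password.

```python
import math

# Assumed alphabet: the 95 printable ASCII characters (not stated on the page).
PRINTABLE = 95
DIGITS = 10
UPPER = 26
OTHER = PRINTABLE - DIGITS - UPPER   # lowercase letters, space and punctuation


def count_policy_passwords(min_len=8, max_len=14, min_digits=2, min_upper=1):
    """Number of printable-ASCII strings with length in [min_len, max_len]
    that contain at least `min_digits` digits and at least `min_upper`
    uppercase letters (the policy quoted above, by default).

    Counted with a small dynamic programme: the state is
    (digits seen, uppers seen), each capped at the required minimum, so the
    table stays tiny however long the password is."""
    total = 0
    for length in range(min_len, max_len + 1):
        states = {(0, 0): 1}
        for _ in range(length):
            nxt = {}
            for (d, u), ways in states.items():
                for key, choices in (
                    ((min(d + 1, min_digits), u), DIGITS),   # append a digit
                    ((d, min(u + 1, min_upper)), UPPER),     # append an uppercase
                    ((d, u), OTHER),                         # append anything else
                ):
                    nxt[key] = nxt.get(key, 0) + ways * choices
            states = nxt
        total += states.get((min_digits, min_upper), 0)
    return total


def count_unconstrained(min_len=8, max_len=14, alphabet=PRINTABLE):
    """Every string over `alphabet` with length in [min_len, max_len]."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def bits(count):
    """Entropy, in bits, of a uniform choice among `count` possibilities."""
    return math.log2(count)


def policy_report():
    """Compare the quoted policy against two alternatives, in bits."""
    return {
        "policy 8-14, 2 digits + 1 upper": bits(count_policy_passwords()),
        "unconstrained 8-14 printable":    bits(count_unconstrained()),
        "20 lowercase letters only":       bits(26 ** 20),
    }


if __name__ == "__main__":
    for label, b in policy_report().items():
        print(f"{label:36s} {b:6.1f} bits")
```

Two things fall out of the numbers. The 14-character cap holds even a perfectly random policy-compliant password to just under 92 bits, so a 20-character all-lowercase password (about 94 bits) already has a larger keyspace than anything the policy allows. And the "must contain" rules shrink the space rather than enlarge it: an attacker who knows the policy can skip every candidate with fewer than two digits or no capital, which removes roughly half of the 8-14 character strings before the first guess.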
But aside from that nonsense, the part that bothered me the most was when they asked me to set up “security questions”, you know, in case I forget my ridiculous password.
My question options were limited to a few, including these:
- What is your current best friend’s name?
- In what city were you married?
- What is your favorite book?
- What hospital were you born in?
- Who is your favorite athlete?
- What was your high school mascot?
I can easily pull the answers to all of these from a social media site, public records, or a little social engineering.
That leads me to lie on all the questions in an attempt to be “secure”.
Then I’ll not only forget my stupid 8-14-character random password with two numbers in it (was it 29 or 41?), but I’ll also forget the lies I used as answers (was I married on the moon or in the Pacific Ocean?).
In which case I’m sure they’ll have a mechanism where I can contact customer support and just tell them my zip code and I’ll be granted access to my account. Everything will be ok.