Stupid security questions

If you’re going to make your customers choose and answer security questions, they should be factual, answerable, and not public knowledge. NS&I fail badly.

I signed into my account the other day to update my address (as I’ve moved house), and was prompted to add some security questions and answers. I had to choose five questions from a range of about a dozen:

What was the name of your first pet?

Fewer than half of British households have a pet. I’ve never owned one.

What is your mother’s middle name?

Guess whose mother doesn’t have a middle name? Chinese people, Japanese people, Korean people—and, yes, many British people—don’t have middle names.

Which sports team do you support?

I can’t find any numbers on this, but, anecdotally, many men and probably most women I know don’t support a team. I don’t.

However, people who do support a team are usually fairly vocal about it. Just look at their scarf, or their car.

What was the make of your first car?

A quarter of British households don’t own a car. I’ve never owned one.

What was the TV series you liked most as a child?

This is not a fact. I was a child for somewhere between 13 and 18 years, depending on how you calculate it. My memories of the television I liked a quarter of a century ago are hazy—besides which, my preferences did not remain static over this time.

What is your eldest child’s middle name?

I don’t have any children. Many people don’t. Younger people are more likely to have never had children.

What is your grandfather’s profession?

Ah! At last! A (near-) universal question. Most people know who their grandparents were, and what they did. The exclusive use of the present tense probably isn’t quite right, though.

But wait … which grandfather? Everyone has (or had) two.

In which year did you get married? (YYYY)

Like two thirds of the British population, I’m not married.

When is your wedding anniversary (DDMM)

No, really. I’m not married.

What is the first name of your eldest child?

I still don’t have any children.

Which university did you attend?

Another one I can answer! It’s not a secret, though, is it? And only about half of young people even go to university; the proportion of the entire population who have ever attended is lower.

What is the first name of your eldest brother/sister?

I can’t say how many people have at least one sibling, but the most common number of children per family is two, so it’s not unreasonable. However, it’s publicly-available information, and not very secure at all.

So there you have it. A small set of questions, few of which are universally applicable, many of which are public information that no-one would think to keep secret, and a couple of which are ambiguous.

I’d be interested to know what level of analysis and thought went into requiring and setting these questions. I’m guessing not much. Yes, I’ve complained. I don’t expect it to have much effect.
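The three complaints above (questions that do not apply to many people, answers that are public knowledge, and answers that are ambiguous) can be put in numbers. The following is an added example, not code from the original post or from NS&I. It models a guesser who knows roughly how answers are distributed across the population and gets a small number of attempts before lockout, and asks how likely such a guesser is to succeed. Every distribution in it is constructed for illustration: the team and university names are placeholders, and the wedding-day distribution is treated as uniform, which flatters it. It also covers the eight-image scheme described in the comments.

```python
"""Quantify how little an answer to a 'security question' protects.

Added example, not code from the original post or from NS&I. Every
distribution below is constructed for illustration, not survey data.
Attacker model: a guesser who knows roughly how answers are distributed
and gets a fixed number of attempts before lockout. Defender's question:
how likely is that guesser to succeed, and how much worse does it get
when a question does not apply to many people, who then all give the
same filler answer?
"""
from math import log2


def long_tail(head, tail_size, tail_prefix="other"):
    """Build a distribution: a few named popular answers plus `tail_size`
    equally likely rare answers sharing the remaining probability mass."""
    remaining = 1.0 - sum(head.values())
    if remaining < 0 or tail_size < 1:
        raise ValueError("head probabilities must sum to at most 1")
    dist = dict(head)
    for i in range(tail_size):
        dist[f"{tail_prefix}-{i}"] = remaining / tail_size
    return dist


def uniform(n):
    """n equally likely answers (e.g. a wedding day as DDMM has 366)."""
    return {f"value-{i}": 1.0 / n for i in range(n)}


def with_filler(dist, fraction, filler="none"):
    """Model a question that does not apply to `fraction` of users: they
    all give the same filler answer, which then dominates the distribution."""
    if not 0.0 <= fraction <= 1.0:
        raise ValueError("fraction must be between 0 and 1")
    out = {k: v * (1.0 - fraction) for k, v in dist.items()}
    out[filler] = out.get(filler, 0.0) + fraction
    return out


def top_k_success(dist, attempts):
    """Probability that guessing the `attempts` most common answers, most
    common first, hits the victim's answer (victim's answer drawn from `dist`)."""
    probs = sorted(dist.values(), reverse=True)
    return sum(probs[:attempts])


def min_entropy_bits(dist):
    """Min-entropy: -log2 of the single most likely answer. This, not the
    number of possible answers, is what bounds a one-shot guess."""
    return -log2(max(dist.values()))


# Constructed distributions (placeholder names, illustrative numbers only).
SPORTS_TEAM = long_tail({"team A": 0.12, "team B": 0.10, "team C": 0.09}, tail_size=200)
UNIVERSITY = long_tail({"uni A": 0.04, "uni B": 0.03, "uni C": 0.03}, tail_size=150)
MEMORABLE_IMAGE = uniform(8)    # the eight stock images from the comments
WEDDING_DAY = uniform(366)      # DDMM; real weddings cluster, so this is optimistic

QUESTIONS = {
    "sports team": SPORTS_TEAM,
    "sports team, 55% have none": with_filler(SPORTS_TEAM, 0.55),
    "university": UNIVERSITY,
    "university, 50% never attended": with_filler(UNIVERSITY, 0.50),
    "memorable image (8 choices)": MEMORABLE_IMAGE,
    "wedding anniversary DDMM": WEDDING_DAY,
}


def report(questions=QUESTIONS, attempts=3):
    """Return {question: (min-entropy in bits, P[success within `attempts`])}."""
    return {name: (min_entropy_bits(d), top_k_success(d, attempts))
            for name, d in questions.items()}


if __name__ == "__main__":
    for name, (bits, p) in report().items():
        print(f"{name:34s} min-entropy {bits:5.2f} bits   P[3 guesses] {p:6.3f}")
```

The filler rows are the point of the exercise: a question that half the customers cannot answer truthfully is not merely annoying, it hands the guesser a single answer ("none", "N/A", "I don't have one") that covers half the accounts, so lockout thresholds that look adequate for a 366-way date do nothing for it.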

Comments

  1. James

    Wrote at 2013-01-03 17:10 UTC using Safari 536.22 on Mac OS X:

    I had a great one the other day on Virgin Money. They presented a list of eight stock images and asked me to choose one as my “memorable image”. There was no option to upload one that was actually, you know, memorable.

    I did this last week. Today, my odds of picking the “memorable” one are exactly 8 to 1.
  2. Keith

    Wrote at 2013-01-25 13:57 UTC using Firefox 18.0 on Windows XP:

    What is more annoying is when they ask for personal details that are more sensitive than the data that they are supposedly protecting: EDF want my date and place of birth, plus a ‘memorable date’ to which you can at least leave a hint (which probably gives the game away). The London Congestion Charge payment site wants place of birth and my mother’s maiden name, plus this mythical memorable date.
    Why they don’t all allow you to create your own security question and answer as a dual factor authentication I do not understand (example – WHO was your most memorable date? What’s my favourite band/piece of music/book?)