If you’re going to make your customers choose and answer security questions, they should be factual, answerable, and not public knowledge. NS&I fail badly.
I signed into my account the other day to update my address (as I’ve moved house), and was prompted to add some security questions and answers. I had to choose five questions from a range of about a dozen:
What was the name of your first pet?
Fewer than half of British households have a pet. I’ve never owned one.
What is your mother’s middle name?
Guess whose mother doesn’t have a middle name? Chinese people, Japanese people, Korean people—and, yes, many British people—don’t have middle names.
Which sports team do you support?
I can’t find any numbers on this, but, anecdotally, many men and probably most women I know don’t support a team. I don’t.
However, people who do support a team are usually fairly vocal about it. Just look at their scarf, or their car.
What was the make of your first car?
A quarter of British households don’t own a car. I’ve never owned one.
What was the TV series you liked most as a child?
This is not a fact. I was a child for somewhere between 13 and 18 years, depending on how you calculate it. My memories of the television I liked a quarter of a century ago are hazy—besides which, my preferences did not remain static over this time.
What is your eldest child’s middle name?
I don’t have any children. Many people don’t. Younger people are more likely to have never had children.
What is your grandfather’s profession?
Ah! At last! A (near-) universal question. Most people know who their grandparents were, and what they did. The exclusive use of the present tense probably isn’t quite right, though.
But wait … which grandfather? Everyone has (or had) two.
In which year did you get married? (YYYY)
When is your wedding anniversary (DDMM)
No, really. I’m not married.
What is the first name of your eldest child?
I still don’t have any children.
Which university did you attend?
Another one I can answer! It’s not a secret, though, is it? And only about half of young people even go to university; the proportion of the entire population who have ever attended is lower.
What is the first name of your eldest brother/sister?
I can’t say how many people have at least one sibling, but the most common number of children per family is two, so it’s not unreasonable. However, it’s publicly-available information, and not very secure at all.
So there you have it. A small set of questions, few of which are universally applicable, many of which are public information that no-one would think to keep secret, and a couple of which are ambiguous.
I’d be interested to know what level of analysis and thought went into requiring and setting these questions. I’m guessing not much. Yes, I’ve complained. I don’t expect it to have much effect.