2007-01-06 00:10 in /tech/security
My bank has added an extra layer of security to its home banking system, in the form of “security questions”. The way this works is that you pick three questions out of a dozen or so, and provide answers. Now, when you try to log in from an “unrecognized” computer, in addition to your password, you get asked the questions as well.
Sounds well and good: just authorize your computer and don’t worry about it. Except that I have two computers I use regularly. Today I tried to log in from the second machine, and couldn’t figure out the answer to the questions. That is to say, I know the answers perfectly well, but I couldn’t remember if I capitalized, abbreviated, or otherwise obfuscated the answers. After three failures, I found myself locked out of my account.
I called customer service and easily enough authenticated myself to the woman on the phone and got her to reset everything. I explained what had happened, and her suggestion was to pick a single word and use it as the answer for all three questions. “That’s what I do.” Sigh. I didn’t take her advice, but this time I made damn sure to remember the conventions of my answers.
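An added illustration of the canonicalization problem described above (example code, not from the original post): a server-side check that normalizes answers for case, accents, punctuation and spacing before hashing, so the variations that locked me out do not count as mismatches, combined with the three-strikes lockout the bank uses. Abbreviations (“St.” versus “Street”) are deliberately not normalized; the user still has to remember those.

```python
import hashlib
import hmac
import os
import re
import unicodedata

PBKDF2_ROUNDS = 200_000  # assumption: tune for your hardware


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer: strip accents, fold case, collapse punctuation
    and whitespace. 'Springfield, IL!' and 'springfield il' become equal."""
    decomposed = unicodedata.normalize("NFKD", answer)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = ascii_only.casefold()
    return re.sub(r"[^a-z0-9]+", " ", folded).strip()


def enroll(answer: str):
    """Store only a salted, slow hash of the normalized answer, never the answer itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(attempt: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", normalize_answer(attempt).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class QuestionGate:
    """One security question with the three-failure lockout from the post."""

    def __init__(self, salt: bytes, digest: bytes, max_failures: int = 3):
        self.salt, self.digest, self.max_failures = salt, digest, max_failures
        self.failures, self.locked = 0, False

    def attempt(self, answer: str) -> str:
        if self.locked:
            return "locked"
        if verify(answer, self.salt, self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            return "locked"
        return "fail"
```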
2005-06-07 10:28 in /tech/security
Bruce Schneier posted today about the accuracy (or lack thereof) of ChoicePoint and Acxiom personal reports. I wasn’t too surprised, having gotten copies of all my credit reports recently after being informed that I was one of ChoicePoint’s lucky mumble thousand. But, what I really found interesting was the last paragraph:
The most shocking error was that two people out of eleven were listed as corporate directors of companies that they had never heard of.
I recently got a solicitation from CIO Magazine informing me that I was a company executive. Makes me wonder what sort of additional bits about me are in these reports that weren’t covered in the credit reports.
(There are some suggestions in the comments on this entry that maybe people brought this upon themselves by giving bogus information to websites or surveys asking what their position was. For a moment, I thought that maybe I did this to myself, remembering grumbling about OSCON registration at one point, but it seems like at least there I claimed something vaguely accurate.)
2005-03-15 12:02 in /tech/security
These tokens have been around for at least two decades, but it’s only recently that they have gotten mass-market attention. AOL is rolling them out. Some banks are issuing them to customers, and even more are talking about doing it.
Of course, for the same reason that you’re not supposed to share passwords across multiple systems, these corporations aren’t going to let you have just one RSA token that you use everywhere. So, I’m having this nightmare of a key ring full of a dozen or more tokens that I’m supposed to lug around.
I sure hope those organizations read Schneier’s essay and realize that it won’t help.