Opinion: From the CSO's desk - Banks should ask safer questions

Like most people these days, I change credit cards often to take advantage of zero per cent interest rates.

The process of activating the cards always involves a series of security questions to identify myself when I ring in to transfer funds to and from the card.

While the questions used by the different card suppliers vary, one question is common: mother's maiden name.

Am I alone in thinking that this is the most insecure security question possible? Surely a security question should be confidential and not easy to guess.

It is surprisingly easy to find out the maiden name of someone else's mother. In the UK, it is printed on birth certificates.

Some Latin countries use the mother's maiden name as part of the child's full name. Spain uses the father's last name, followed by the maternal surname separated by a hyphen or the letter "y". Portuguese names are also a combination of both names, this time the other way round.

So in both cases, it is easy to find out the mother's maiden name from documents and databases.

Thanks to growing interest in genealogy, many people now compile and publish their family tree on the internet, showing first and last name for each preceding generation, including the maiden names of all female ancestors.

In the workplace, most employers keep a next-of-kin list, in case they need to make contact in an emergency. For many people, the next of kin is their mother, and that name is available to everyone with access to the list - an unknown number, that may include everyone in HR.

On a personal front, family members obviously know the name, but what about ex-wives/husbands and former partners, who may be tempted to use the card, or make changes to the account, for a variety of reasons, including good old revenge?

As for "not easy to guess", this all assumes that your mother has a different maiden name from you.

The number of marriages in the UK is dropping, and the proportion of women who change their last name on marriage is diminishing, so many people have the same last name as their mother.

And even if your name does differ from your mother's maiden name, what if it is common, such as Smith, Jones or Patel? Anyone could take a guess and often be correct.

So what is the answer?

It is a good sign that many card suppliers and other financial services companies are starting to rethink their security questions and, in time, the old favourite mother's maiden name should be replaced.

My solution in the meantime is to accept the question, but not give the correct answer; after all, no card issuer is going to check it.


Why ask for your mother's maiden name?

Banks and other institutions use this to verify who you say you are. This question crops up just about everywhere, from online retailers to chat forums, as a way of recovering passwords and account details.

So could revealing this compromise personal data?

Potentially yes, as sometimes this is all a criminal needs to know to get your information. Once a company has your data, can it be trusted to look after it and not give it out to anyone who knows a bit about you?

What can be done?

If you have a website that asks for this information, review whether it is a security risk and avoid including easily guessable questions. Not only will you be protecting your customer, your company will be less exposed to risk.

Anything else?

Sometimes, websites display pages of data for you to print for your safekeeping. If you don't need that information any more, shred it. Otherwise a criminal rummaging through your rubbish bin may want it instead.

Copyright © SC Magazine, US edition
