Mandatory Security Question Reqs. Being Introduced by Sites
Clinically Insane (Join Date: Oct 2000, Location: Los Angeles):
I am concerned by the sudden proliferation of mandatory security question requirements being introduced by credit card and other sites. Security questions used to be optional and were used for password replacement requests. Now sites are using them as a poor man's additional factor of authentication, so that one's password is being deprecated as a login device. And the problem is, you have to remember the security answers as if they're additional passwords. I definitely support stronger modes of authentication due to how vulnerable the general, Windows-using public is, but a proliferation of security questions and answers is problematic to me.
Here's my primary concern: I visit a number of financial sites regularly, and most of the information requested is similar. Some questions are a little more obscure, however. Now what if I forget the spelling of an answer I used, or what if I totally space on one of the more obscure answers I gave? Am I going to have to resort to storing multiple Q-A pairs in my password application? If I forget these details, I'll have to go through some lengthy telephonic process to get the account access reset, and what good does that really do for me or my security? I personally would rather see companies allow users to request digital token IDs such as SecurIDs if the companies are truly serious about security.
"The natural progress of things is for liberty to yield and government to gain ground." TJ
FireWire, Mac Elite (Join Date: Oct 1999, Location: Montréal, Québec (Canada)):
What worries me more about this situation is that as these sites often ask the same questions, in a few years every company will know everything they need to know to hijack any other account you may have on any other site, or even your financial information. Mother's maiden name, your first pet, preferred actor, your first school, favorite color...
I bet any site I frequent could call my bank and pretend to be me with no problem.
Clinically Insane (Join Date: Oct 2000, Location: Los Angeles):
Good point, FireWire. I guess there's not a lot of concern about this issue, judging from the lack of responses.
Posting Junkie (Join Date: Dec 2000):
The other concern I have is that people who know you could very possibly know your mother's maiden name. If you used to know someone as a child, then they know what street you grew up on. Anyone who's ever visited you knows your pet's name... it's kind of scary actually.
Mac Elite (Join Date: Nov 2002, Location: Ellicott City, MD):
Most of these implementations are a result of federal regulations for the banking industry (GLBA, SOX, etc.). Add to that, many banks outsource their "online banking" to a 3rd party. So the multi-factor authentication (MFA, which isn't really actually multi-factor, but that's another topic) products they are using are one and the same. They simply pick from a litter of questions. So for some, it's simply buying a product and checking off that item on their list of requirements. In fact, with some institutions, you can put the exact same answer for all the questions (i.e., just type in blablabla for all the questions).
Hard tokens are available at some banks for their top-tier customers (not really justifiable to give a $40 token to someone that has $100 in their checking account, not to mention the support required for lost/missing tokens). I do like ING's implementation, which is a true multi-factor offering.
The problem is that with these things, the "crooks" are always a step ahead. There are already phishing sites that ask you to update your questions. Or better yet, some are targeting folks that haven't even registered their questions yet by asking them for the info, and then registering as the legitimate user.
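Added example (Python), not code from any bank or vendor named in this thread. It takes the original poster's point literally: a security answer is just another password, so it is normalised (so that "O'Malley", "o malley" and "OMALLEY" all match, which addresses the spelling worry), salted and stretched with scrypt, and enrollment rejects the "blablabla for every question" pattern described above. The brute-force function at the end illustrates FireWire's and the Dec 2000 poster's concern: when the answer space is a handful of colours or pet names, hashing does not help. The question names, answers, cost parameters and colour list are constructed for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Dict, List, Optional, Tuple

# Added example, not any bank's or vendor's code. Security answers are
# handled like passwords: normalised, salted, stretched with scrypt.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost parameters (16 MiB)


def normalize_answer(answer: str) -> str:
    """Fold case, strip accents, and keep only letters and digits, so
    "O'Malley", "o malley" and "OMALLEY" all canonicalise to "omalley"."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", "", text.lower())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the normalised answer."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(normalize_answer(answer).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    _, candidate = hash_answer(answer, salt)
    return hmac.compare_digest(candidate, digest)


def enroll(qa_pairs: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Register a user's question/answer set. Rejects answers that are too
    short and any answer reused across questions, which would collapse
    three questions into one."""
    seen = set()
    records = {}
    for question, answer in qa_pairs.items():
        norm = normalize_answer(answer)
        if len(norm) < 3:
            raise ValueError("answer to %r is too short" % question)
        if norm in seen:
            raise ValueError("answer to %r reused for another question" % question)
        seen.add(norm)
        records[question] = hash_answer(answer)
    return records


# Constructed candidate list for a "favorite color" style question.
COMMON_COLORS: List[str] = ["red", "blue", "green", "yellow", "orange",
                            "purple", "black", "white", "pink", "brown"]


def brute_force(salt: bytes, digest: bytes, candidates: List[str]) -> Tuple[Optional[str], int]:
    """Offline guessing against one leaked (salt, digest) record.
    Returns (recovered answer or None, number of guesses spent)."""
    for guesses, guess in enumerate(candidates, 1):
        if verify_answer(guess, salt, digest):
            return guess, guesses
    return None, len(candidates)


if __name__ == "__main__":
    records = enroll({"mother": "O'Malley", "color": "Blue", "street": "Elm"})
    print(verify_answer("o malley", *records["mother"]))   # True
    print(brute_force(*records["color"], COMMON_COLORS))    # ('blue', 2)
```

The normalisation only absorbs punctuation, spacing, case and accents; a genuinely different spelling still fails, which is the trade-off the original poster is describing. The brute force needs one scrypt call per guess, so the slow hash buys nothing against a ten-entry dictionary.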
Clinically Insane (Join Date: Oct 2000, Location: Los Angeles):
I'll resurrect this thread to say I found a financial company that does things better: Chase. They don't bother with security questions. Instead, they feed your browser a cookie when you log in. As long as you still have that cookie (you're using the same browser), you're recognized as using the same computer. However, if you use a different browser you get a security prompt that requires you to get a token sent to the email address you have on file or to the phone number you have on file (don't really know how that works). Now some will say that's easily defeated if the hacker also has the person's email login, but I think it's a decent level of protection and much smarter than the security questions every other institution is relying on.
KeyLimePi, Mac Elite (Join Date: Sep 2000, Location: Baltimore):
Wow, and that's easier than remembering "what's your favorite movie?"
Either way, Chase will probably change this soon. Based on your original thread, I'm guessing you weren't aware of the FFIEC's request to have all online banks initiate "multifactor authentication" before Jan. 01, 2007.
Someone correct me if I'm wrong, but while I don't think this is mandatory, banks were "requested" to comply. I think I read that about half of all banks missed the January 1 deadline, but most of them are in the process of adding some additional authentication (security questions, choose a picture, etc.). Chase may choose to ignore it, but I don't think a cookie fits the FFIEC's recommended guidelines.
Mac Elite (Join Date: Nov 2002, Location: Ellicott City, MD):
The FFIEC requirement is to implement MFA unless they have other controls that can provide the same level of security. So in essence, conduct a risk assessment, and if necessary, implement MFA. However, FIs can justify that their current security controls are adequate (which of course will be reviewed during audits) and MFA is not necessary. I know many FIs have gotten extensions since the FFIEC guidelines were so open-ended (not to mention they revised them in Aug of last year).
As for the Chase implementation, many institutions do that as well (although it's a manual process: you check the box to "register" your computer).
My gripe with all this is that it really isn't multi-factor. Just the same factor done multiple times. Instead of using one password, you're now asked to use 3 or 4.
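Added example (Python), not Chase's or any institution's code, showing one way the "registered computer" mechanism described in the Chase post and in the "check the box to register your computer" remark above can be built: after a fully verified login the server hands the browser an HMAC-signed cookie bound to the user and an expiry; a later login with a valid cookie for the same user skips the step-up challenge, while no cookie, another user's cookie, an expired one or a tampered one sends a one-time code out of band. SERVER_KEY, COOKIE_TTL, the cookie layout and the user names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

# Added example, not any bank's code. Layout: base64(payload).base64(HMAC).
SERVER_KEY = os.urandom(32)          # assumed: would live in the bank's key store
COOKIE_TTL = 90 * 24 * 3600          # assumed 90-day device registration


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_cookie(user_id: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Mint the registration cookie after the user has passed the full check."""
    claims = {"uid": user_id, "dev": _b64(os.urandom(16)), "exp": now + COOKIE_TTL}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_device_cookie(cookie: str, user_id: str, now: int, key: bytes = SERVER_KEY) -> bool:
    """Check the MAC before trusting any claim, then bind to user and expiry."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):          # malformed or non-base64 input
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False
    claims = json.loads(payload)              # authenticated, safe to parse
    return claims.get("uid") == user_id and int(claims.get("exp", 0)) > now


def login(user_id: str, password_ok: bool, cookie: Optional[str], now: int) -> Dict[str, str]:
    """Server decision after the password check: deny, accept, or step up."""
    if not password_ok:
        return {"result": "denied"}
    if cookie and verify_device_cookie(cookie, user_id, now):
        return {"result": "ok"}
    return {"result": "challenge", "method": "one_time_code_to_email_or_phone"}


def complete_challenge(user_id: str, code_ok: bool, now: int) -> Optional[str]:
    """If the out-of-band code checks out, register this browser."""
    return issue_device_cookie(user_id, now) if code_ok else None


def relabel_cookie(cookie: str, new_user_id: str) -> str:
    """Attacker move: keep the tag, rewrite the uid claim. The MAC check fails."""
    payload_b64, tag_b64 = cookie.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["uid"] = new_user_id
    forged = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return _b64(forged) + "." + tag_b64


if __name__ == "__main__":
    t0 = 1_700_000_000
    print(login("alice", True, None, t0)["result"])                          # challenge
    cookie = complete_challenge("alice", True, t0)
    print(login("alice", True, cookie, t0 + 60)["result"])                   # ok
    print(login("bob", True, relabel_cookie(cookie, "bob"), t0)["result"])   # challenge
```

The limit the Chase post already concedes applies here as well: the cookie is a bearer token, so anything that can read it from the browser (malware, a script injected into the page) becomes a registered computer, and the scheme is only as strong as the e-mail or phone channel used for the challenge.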
|
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status:
Offline
|
|
Originally Posted by KeyLimePi
Either way, Chase will probably change this soon. Based on your original thread, I'm guessing you weren't aware of the FFIEC's request to have all online banks initiate "multifactor authentication" before Jan. 01, 2007.
Someone correct me if I'm wrong, but while I don't think this is mandatory, banks were "requested" to comply. I think I read that about half of all banks missed the January 1 deadline, but most of them are in the process of adding some additional authentication (security questions, choose a picture, etc.). Chase may choose to ignore it, but I don't think a cookie fits the FFIEC's recommended guidelines.
I was aware of the debate over multifactor authentication regulation; I did not know the outcome. I don't think security questions count as multifactor authentication, and neither does Chase's solution. Both mechanisms are contingent on a user doing something unusual: either forgetting a password and requesting a new one or signing on with a different browser. I don't think you get prompted to enter security answers otherwise, since I have not been prompted yet on the sites I use, but I could be wrong. My point isn't about multifactor authentication, it's about the efficacy and convenience of these respective mechanisms. I choose Chase's flawed solution over the even more flawed solution of multiple security Q&A pairs.
|
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Status:
Offline
|
|
They should be using two-factor authentication. RSA SecurIDs can't cost that much when you're ordering a million or three at a time.
Mac Elite (Join Date: Nov 2002, Location: Ellicott City, MD):
Originally Posted by mduell
They should be using two-factor authentication. RSA SecurIDs can't cost that much when you're ordering a million or three at a time.
$55-$80 a pop depending on your discount (from my experience). The problem with a hard token is the support you'll need behind it. Who's going to pay for the replacements if a customer loses/damages it? Then there's that window of time the user will not be able to access their account if a replacement needs to be sent (even if it's overnighted, there's still a minimum of 12 or so hours).
ING does use a soft version of RSA's software, and I think that is probably one of the best solutions out there right now, but they still offer it in addition to the security questions. So it doesn't help the OP's issue with convenience (other than the fact that you can register your computer to avoid the questions).
Mac Elite (Join Date: Mar 2003):
I have an account with Emigrant Direct, and I was able to make up any three question/answer sets that I wanted. So with them I could ask questions like "what is my favorite taco at Taco Bell?" or whatever. More secure, I think, than "mother's maiden name".