Security Reminder: Your Mother’s Maiden Name Is Not a Secret

Your mother's maiden name is probably not a secret. Neither, necessarily, is your high school mascot or the size of your car payment. But some banks and brokerages still pretend this is information only you would know, and that could be putting your money at risk.

So-called security questions long ago outlived their usefulness, since they can be hard for the right people to remember and easy for the wrong people to guess or steal.

"Relying on questions and answers is absolutely brain-dead, but a lot of banks do it because they're not equipped to implement anything else and regulators aren't mandating alternatives," says security expert Avivah Litan, vice president and analyst at Gartner Inc.

Financial institutions disagree, saying "knowledge-based authentication" -- especially questions based on less readily available information, such as data in your credit report -- can be an effective way to identify customers.

"No security measure is perfect, but knowledge-based authentication is certainly more granular and more effective than shared secrets, such as your mother's maiden name," says Doug Johnson, senior vice president for payments and cyber security at the American Bankers Association.

Yet repeated database breaches mean that tons of once-private information is now in criminal hands. Security questions and answers were among the data stolen from 1 billion Yahoo accounts in 2013, for example, and criminals answered questions drawn in part from credit report data to access more than 700,000 taxpayers' transcripts at the IRS.

You don't have to be a hacker or even very persistent to find the answers to some security questions. Many people post information such as birth dates and pets' names on Facebook. They may link to family members, including their mothers. (If you can't find a maiden name that way, try genealogy sites such as Ancestry.com.) Data brokers legally hawk addresses, phone numbers, birth dates and...

Comments are closed.