Wednesday, July 18, 2007

Why all the banks are suddenly asking security questions

I've grumbled before about the security questions banks are increasingly introducing as part of their anti-phishing online security measures. So many popped up so quickly that I figured there must be some kind of regulation driving the flood -- and sure enough, there is.

It turns out that in October 2005, the Federal Financial Institutions Examination Council (FFIEC -- an interagency federal regulatory body) issued new guidance, "Authentication in an Internet Banking Environment," telling banks to use "multi-factor authentication," which is industry jargon for "more than just an ID and password."

Genuine multi-factor authentication draws on at least two of three distinct factors: something the user knows (a password, a PIN, the answer to a security question), something the user physically possesses (an ATM card, a key fob that generates one-time passwords), and something the user is (biometric identifiers like fingerprints or retina scans). FFIEC's guidance doesn't tell banks which system to implement, but it calls single-factor authentication "inadequate for high-risk transactions."
Security questions aren't true multi-factor authentication, because they sit on the same axis as the password: "information the user knows." Adding a second thing you know doesn't add a second factor; a phisher who can ask for your password can ask for your mother's maiden name on the same fake page, and the answers are often easier to look up or guess than the password was. The most pragmatic way for banks to approximate a second factor online would be to use geo-location tools or IP address locking to restrict account access to registered "home" machines, treating the machine itself as a weak "something you have." However, customers would understandably freak out about this -- travel and dynamic IP allocations would make it a nightmare. Issuing key fobs that display a constantly changing one-time password, a method some companies use to secure remote access to their internal networks, is a real possession factor, but also a complicated and costly one. I have financial accounts in at least eight places. Do I really want to try to keep track of eight password-generating gadgets? And do the banks want to spend zillions issuing and replacing them and fielding irate customer-service calls?
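For readers who wonder what those password-generating fobs actually do, here is an added example (not code from the original post or from any bank's system) of the event-based one-time-password scheme in RFC 4226, HOTP, which is what many such tokens implement. The fob and the bank share a secret key and a counter; each button press computes HMAC-SHA1 over the counter and turns it into a six-digit code. The server side below, with its look-ahead window and the `TokenServer` class name, is my own illustration of the usual way a bank copes with the customer pressing the button a few times without logging in; the 20-byte secret is the RFC's published test key, not a real credential.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then the RFC's 'dynamic truncation' down to a short decimal code."""
    msg = struct.pack(">Q", counter)                      # counter as 8-byte big-endian
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA1
    offset = digest[-1] & 0x0F                             # low nibble of last byte picks a window
    chunk = digest[offset:offset + 4]                      # 4 bytes starting at that offset
    code = struct.unpack(">I", chunk)[0] & 0x7FFFFFFF      # drop the sign bit
    return str(code % (10 ** digits)).zfill(digits)        # keep leading zeros


class TokenServer:
    """Illustrative (assumed, not any bank's design) server-side verifier.

    The server tracks the last counter it accepted.  Because the customer may
    press the fob's button without finishing a login, the server tries a small
    window of future counters; a code from a counter it has already moved past
    is rejected, so a phished or replayed code is useless once used."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.counter = 0          # next counter value we expect
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for step in range(self.look_ahead + 1):
            candidate = self.counter + step
            # constant-time comparison so timing can't leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.counter = candidate + 1   # resynchronise past the accepted counter
                return True
        return False


# RFC 4226 Appendix D test key (constructed test data, not a real secret).
TEST_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Run the fob and the bank side by side and report what happened."""
    fob_codes = [hotp(TEST_SECRET, c) for c in range(10)]
    bank = TokenServer(TEST_SECRET)
    return {
        "codes": fob_codes,
        "first_login": bank.verify(fob_codes[0]),     # fresh code: accepted
        "replay": bank.verify(fob_codes[0]),          # same code again: rejected
        "skipped_presses": bank.verify(fob_codes[3]), # user pressed the button twice: still accepted
        "stale_code": bank.verify(fob_codes[1]),      # behind the server's counter now: rejected
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first ten codes printed match the test vectors in RFC 4226 (755224, 287082, 359152, ...), which is the check to run before trusting any HOTP implementation. The practical trade-off lives in `look_ahead`: too small and a fidgety customer locks themselves out; too large and an attacker who steals one code gets a larger window in which it is still valid, though never a window that includes codes already consumed.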

So, instead, banks are looking to comply with FFIEC's edicts through what the agency calls "layered security": stacking extra controls such as security questions, device recognition and transaction monitoring on top of the password. FFIEC considers this sufficient to meet its requirements, even though it's not as strong as the multi-factor authentication it recommends. Banks were given until the end of 2006 to put systems in place, which is why so many appeared in such a short timeframe.

I appreciate that banks are making a genuine stab at protection by using esoteric questions for their verifications, but it's also getting massively frustrating. Today's rant was prompted by logging into my Providian credit card account and discovering that it now wants me to pick questions and give it answers. The problem is, I can't answer most of the questions it asks.

What was your favorite college year?

I have no idea, and how would I count college "years," since I took ten to finish my degree?

What was the last name of your first grade teacher?

I have absolutely no idea. I can barely remember the last name of my current boss.

What is your eldest child's middle name?

I don't have kids. David, does River (our eldest cat) have a middle name?

What is the middle name of your eldest sibling?

I don't have an older sibling. I suppose I can use this question and go with the middle name of my *only* sibling.

What were your wedding colors?

Wedding colors!?! They're kidding, right? People have wedding colors!?!

What is the first name of your grandfather (your mother's father)?

I have no idea -- all my maternal grandparents died before I was born, and my mom also isn't around to ask.

Sigh. I think I can scrape three questions out of these to answer, but just barely, and only by cheating (cats can count as kids, right?) and making up things I seriously hope I'll remember. This could get very annoying.