tssci security

What does your father's middle name, first car, and high school mascot all have in common?

My bank recently upgraded its architecture and web site, adding more features and "improved security." After logging in, I am directed to a page greeting me and asking me to update my account information and "security challenge questions." The drop-down menu of questions available (I had to choose 5):

Wow, what a list! Surely all my friends know what car I drive and what our high school mascot is. A little research will tell them my father's middle name, and asking around can come up with answers to several more questions. So how do you deal with such supposed "security," where it's required? Surely I can't count on these questions protecting me... so here's a tip: pick a question you will remember using, and choose an answer that has nothing to do with that question, one that only you will know. For example,

  1. What is your father's middle name? A.) Dogbert
  2. What was the model of your first car? A.) Chess
  3. What month was your youngest sibling born? A.) 2112
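The tip above amounts to treating each "security question" as a second password rather than a fact. Here is an added example (my own, not code from the original post or from any bank) that makes the difference measurable: it estimates how many bits an attacker must guess for a truthful answer versus a randomly generated unrelated one, and generates such answers with the OS random source. The question list, the word list and the pool sizes are constructed for the example and are assumptions, not measured figures.

```python
import math
import secrets

# Constructed word list for this example (an assumption; a real helper would
# load a large, public diceware-style list). 16 entries gives exactly 4 bits
# of entropy per word, which keeps the arithmetic below easy to check.
WORDLIST = [
    "dogbert", "chess", "granite", "lantern", "velvet", "orbit", "maple",
    "quartz", "pepper", "saddle", "tundra", "willow", "ember", "falcon",
    "harbor", "ivory",
]

# Rough, constructed sizes of the pools an attacker could guess from if the
# answer were truthful. The point is the order of magnitude, not exactness.
GUESSABLE_POOL = {
    "What is your father's middle name?": 1000,     # common given names
    "What was the model of your first car?": 300,   # popular car models
    "What month was your youngest sibling born?": 12,
    "What was your high school mascot?": 200,
}


def entropy_bits(pool_size):
    """Bits an attacker must guess when the answer is one of pool_size equally likely choices."""
    return math.log2(pool_size)


def random_answer(n_words=4, wordlist=WORDLIST):
    """Draw n_words from wordlist using the OS CSPRNG (secrets, not random)."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def compare_answer_strength(question, n_words=4, wordlist=WORDLIST):
    """Entropy of a truthful answer vs. a random unrelated one for the same question."""
    truthful = entropy_bits(GUESSABLE_POOL[question])
    unrelated = n_words * entropy_bits(len(wordlist))
    return {
        "question": question,
        "truthful_bits": truthful,
        "unrelated_bits": unrelated,
        "gain_bits": unrelated - truthful,
    }


def enroll(questions, n_words=4):
    """One random, unrelated answer per chosen question. Keep the result in a
    password manager; the whole point is that nobody can research it."""
    return {q: random_answer(n_words) for q in questions}


if __name__ == "__main__":
    for q in GUESSABLE_POOL:
        c = compare_answer_strength(q)
        print(f"{q:45s} truthful ~{c['truthful_bits']:.1f} bits, "
              f"random answer {c['unrelated_bits']:.0f} bits")
    for q, a in enroll(list(GUESSABLE_POOL)).items():
        print(f"{q} -> {a}")
```

Even with this tiny 16-word list, four random words are 16 bits against roughly 3.6 bits for a birth month or 10 bits for a father's middle name; with a real several-thousand-word list the gap is far larger. The generated answers only help if they are stored somewhere safe, which is why `enroll` is meant to feed a password manager rather than your memory.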

The nicest part of the upgrade was the enhanced security:

I really like seeing the last time I was logged in on any system that I use, be it online banking or my web and database servers. It's like network security monitoring, or IDS... Unusual periods of activity should raise a red flag, and you should react accordingly.
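A "last login" display leaves the red-flagging to the user; the same idea can be automated on the server side. The following is an added example (mine, not code from the post or from any particular product) that builds a per-user baseline of usual login hours and source addresses from the first few successful logins, then flags later successful logins that come from a new address or at an hour far from the baseline. The log format and the log lines are constructed for the example and are assumptions, not real records.

```python
import re
from datetime import datetime

# Constructed sample records (not real logs): ISO timestamp, user, source IP, outcome.
LOG_LINES = """
2007-01-10T19:02:11 user=alice ip=198.51.100.7 result=success
2007-01-11T18:45:30 user=alice ip=198.51.100.7 result=success
2007-01-12T20:10:02 user=alice ip=198.51.100.7 result=success
2007-01-13T19:30:45 user=alice ip=198.51.100.7 result=success
2007-01-22T03:12:55 user=alice ip=203.0.113.9 result=failure
2007-01-22T03:13:20 user=alice ip=203.0.113.9 result=success
2007-01-23T19:05:00 user=alice ip=198.51.100.7 result=success
""".strip().splitlines()

# Assumed line layout; adjust the pattern to the real log source.
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)"
)


def parse(lines):
    """Turn log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "user": m["user"],
                "ip": m["ip"],
                "result": m["result"],
            })
    return events


def hour_distance(h1, h2):
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)


def flag_unusual_logins(lines, window=4, max_hour_gap=3):
    """Baseline each user on their first `window` successful logins, then flag
    later successes from a new IP or at an hour more than max_hour_gap away
    from every hour seen in the baseline. Returns (user, timestamp, reasons)."""
    baseline = {}  # user -> {"hours": set, "ips": set, "seen": int}
    flagged = []
    for e in sorted(parse(lines), key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        b = baseline.setdefault(e["user"], {"hours": set(), "ips": set(), "seen": 0})
        if b["seen"] < window:
            b["hours"].add(e["ts"].hour)
            b["ips"].add(e["ip"])
            b["seen"] += 1
            continue
        reasons = []
        if e["ip"] not in b["ips"]:
            reasons.append(f"new source IP {e['ip']}")
        if all(hour_distance(e["ts"].hour, h) > max_hour_gap for h in b["hours"]):
            reasons.append(f"unusual hour {e['ts'].hour:02d}:00")
        if reasons:
            flagged.append((e["user"], e["ts"].isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in flag_unusual_logins(LOG_LINES):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

On the sample data only the 03:13 login from the new address is flagged; the 19:05 login the next day from the usual address is not. A fixed baseline is the simplest choice and is deliberately kept that way here; in practice you would let the baseline age and refresh, and treat a success that immediately follows failures from the same new address as a stronger signal than either on its own.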

Posted by Marcin on Wednesday, January 24, 2007 in Security.
