This is a security system?

I locked myself out of my online banking application the other day, the result of having flunked its “are you really you” verification system twice. It was asking me, after having punched in my giant bank card number and my password, what my favorite author was. You know why it does this, of course. But I was thinking that it might be kind of pointless.

The challenge-response system of security is great as an additional level, but I’ve come to the conclusion that it’s probably the weakest part of the system. Weirdly, my banking password is stronger than any of the challenge-replies I could think of, inasmuch as it would be much harder to break my password than to break any of the challenges. If you could guess my password, the odds are really good you could guess the answer to any challenge-response system out there on the Internet. Obviously this is entirely dependent on you knowing me, but consider the number of people in the world who know

  • your mother’s maiden name…
  • what your first pet’s name was…
  • who your favorite sports team is…
  • where you were born…
  • what year you graduated from high school…
  • what your first job was…

… among many others. OK, so the list is basically confined to your mom and your spouse and maybe some other family members, but the point is still the same: this kind of attack is trivial if you know anything about the person who owns the account you’re trying to compromise. And you may only need to know one of those things, depending on how broken the system is. Arguably, the dumber you are, the easier it is (though in fairness it should be pointed out that this kind of system may or may not have played a role in the break, not that this excuses anything).

There’s an obvious fix for this — let users craft their own questions — but I’m not sure why it isn’t more widely deployed.

And why did I manage to lock myself out? Because I couldn’t remember who my favorite author was. Was it author C, who’s been on my mind a lot lately? Was it author O, who I used to like a lot and haven’t read much of lately (okay, she’s dead and I’ve read everything)? Was it author F, who I use when I’m trying to sound smart and sophisticated (what, was I trying to impress the security robot)? Was the answer case-sensitive?

I never found out. The bank gave me two strikes; I blew it both times, and that was it.
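The two design points raised above, letting users write their own question instead of picking from the stock list, and not tripping over case and spacing when the answer is checked, can be sketched in a few lines. What follows is an added example, not code from the post or from any bank: it stores a user-chosen question, normalizes the answer before hashing it (so "Example Author", " example  AUTHOR " and "example author" all match), compares in constant time, keeps the two-strike lockout the post describes, and flags questions that still amount to one of the stock list above. The normalization rules, the PBKDF2 parameters, the keyword list and the in-memory record are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed parameters for the example; a real deployment tunes these.
PBKDF2_ITERATIONS = 200_000
MAX_STRIKES = 2  # the post's bank allowed exactly two attempts

# Constructed keyword list covering the stock questions from the post
# (normalized the same way answers are, so matching is spacing/case-insensitive).
STOCK_QUESTION_KEYWORDS = (
    "maidenname", "firstpet", "sportsteam", "whereyouwereborn",
    "graduat", "firstjob",
)


def normalize_answer(text: str) -> str:
    """Canonicalize an answer: Unicode-normalize, casefold, and keep only
    letters and digits, so case, spacing and punctuation do not cause a strike."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def is_weak_question(question: str) -> bool:
    """True if a user-written question is really one of the stock questions
    that family members and acquaintances could answer."""
    q = normalize_answer(question)
    return any(keyword in q for keyword in STOCK_QUESTION_KEYWORDS)


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll(question: str, answer: str) -> dict:
    """Store a user-chosen question with a salted hash of the normalized answer.
    The plaintext answer is never kept."""
    salt = os.urandom(16)
    return {
        "question": question,
        "salt": salt,
        "digest": _digest(answer, salt),
        "strikes": 0,
    }


def is_locked(record: dict) -> bool:
    return record["strikes"] >= MAX_STRIKES


def verify(record: dict, answer: str) -> bool:
    """Check an answer against the stored record. Wrong answers count strikes;
    once MAX_STRIKES is reached, even the right answer is refused until an
    out-of-band reset (the situation the post ends in)."""
    if is_locked(record):
        return False
    candidate = _digest(answer, record["salt"])
    if hmac.compare_digest(candidate, record["digest"]):
        record["strikes"] = 0
        return True
    record["strikes"] += 1
    return False


if __name__ == "__main__":
    # Constructed walk-through: a custom question, a sloppily typed right
    # answer, then two wrong guesses and the resulting lockout.
    rec = enroll("Which book did I reread three times in 2004?", "Example Author")
    print("custom question weak?", is_weak_question(rec["question"]))   # False
    print("stock question weak? ", is_weak_question("What is your mother's maiden name?"))  # True
    print("sloppy right answer:", verify(rec, "  example  AUTHOR "))     # True
    print("wrong guess 1:", verify(rec, "Author C"))                     # False
    print("wrong guess 2:", verify(rec, "Author F"))                     # False
    print("locked out:", is_locked(rec))                                 # True
    print("right answer after lockout:", verify(rec, "Example Author"))  # False
```

The normalization step is what separates "I forgot which author I picked" from "I typed it with a different capitalization"; the former is a real failure of the scheme, the latter should never cost a strike. Storing only a salted, stretched hash matters because these answers are reused across sites far more than passwords are.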