Bank Logins and Twenty Questions

February 04, 2008 @ 3:23 am- from Maui, Hawaii

You have one of those annoying banking sites that ask dumb ass questions just so you can log on? I dropped all my cookies on my machine a couple of days ago because I've had some issues with a variety of sites recently and so I lost a ton of my login cookies with various financial instutions.

So today I went to my PayTrust billing service site figured out that I don't have the required cookie and starts putting me to the test:

What was the name of your first girlfriend?
What is the middle name of your father?
What state or province where you born in?
What is your Zodiac sign?

Apparently I flunked 'cause after several iterations I couldn't log in.

The sad part is I honestly couldn't tell you the first too. <g> The third one doesn't apply since I was born in Germany. And the last - well I'm an idiot and don't know how to spell Sagittarius. Worse I don't even remember ever answering these questions ever before.

So after a bunch of back and forth I finally got a couple of questions in tandem that I could answer and it actually let me enter my password. Then I found out - darn my account got locked and I have to call the mothership.

This isn't the only bank that's been giving me this kind of crap. My Bank of Hawaii account also has a bunch of questions along the same line and I've gone through a few rotations there as well and have not been able to connect. My ING Direct online bank account too - same thing although their system is a little bit more helpful giving multiple choice options of several questions at once, which is a little easier to deal with.

If you're going to ask me questions, ask something concrete or let me pick one or two things that I can actually remember. Instead it seems there were like 10 different questions that I had to fight through and I vaguely remember thinking at the time this is going to be trouble once I have to answer for them. And indeed it is. It's a huge time sink.

A lot of these questions are kind of personal and culturally incorrect. Asking for a state or province is obviously not going to work for me being from Germany. And while most people probably know how to spell their Zodiac sign, isn't it kind of presumptious to assume EVERYBODY knows what a Zodiac sign is in the first place? Your first girlfiend??? How do you rate that? That first kiss at age 8 or the first time in the back of the car? What if you're abstaining 'til married, never had one, or better yet are gay? Ambiguous questions are the wrong thing to ask for a security question.

In the end it took me 20 minutes on the phone (waiting mostly) with tech support to get this mess straightened out and I can look forward to the same thing next time. Ironically the PayTrust guy on the phone asked for nothing more than my name and social security number and login name. So per voice with the power to really compromise my account there's way less security than with the marginal possibility of hacking a username and password and twenty questions? Go figure...

I understand the need for security, but this kind of stuff really pisses me off because it's such a time sink. It's bad enough we have to deal with custom log on schemes for every different institution. Why can't banks use a common logon service like OpenID or Passport to facilitate the process rather than going through this kind of customer hostile crap. This may have seemed cute 10 years ago as a security measure but today it just feels just like using the wrong tools to solve password loss.

So, you got any fun password questions you've run into to share?

Posted in Personal

Feedback for this Weblog Entry

re: Bank Logins and Twenty Questions
by Nate February 04, 2008 @ 5:29 am

Dude, I hate that stuff too! They have gone way overboard with security. Online banking is supposed to be convenient. My HSBC account number is so long that I have to copy/paste it every time because I can't remember it.

I think identity verification with secret questions/answers should be optional.

re: Bank Logins and Twenty Questions
by Richard Deeming February 04, 2008 @ 5:54 am

This is "Wish-it-was-two-factor authentication", and it adds nothing to the security of your account. Your mother's maiden name? Easy to find out. Your Zodiac sign? You've just told everyone who reads this blog what that is.

Real two-factor authentication verifies that:
1. You know something;
2. You physically have something;

Wish-it-was-two-factor authentication verifies that:
1. You know something;
2. You know something else;

http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx

re: Bank Logins and Twenty Questions
by Peter Ritchie February 04, 2008 @ 6:34 am

I like the super-secure-must-have-128bit-cipher banks that don't allow punctuation in passwords and limit the password to 8 characters...

re: Bank Logins and Twenty Questions
by Aaron Fischer February 04, 2008 @ 6:55 am

I think this is what happens when business people write specks for multi factor authentication.

re: Bank Logins and Twenty Questions
by Tim B February 04, 2008 @ 7:09 am

My bank uses the same concept, and to make matters worse something has gone rogue and the authentication no longer "sticks". I have to answer one of those random questions every time I try to log in. I guess I should be happy that they at least they figured out SSL...

re: Bank Logins and Twenty Questions
by Diego February 04, 2008 @ 8:49 am

Same thing here, with Citi.

They ask, for example, what was my first car... and I've never had a frickin' car!

re: Bank Logins and Twenty Questions
by Steve from Pleasant Hill February 04, 2008 @ 8:50 am

Yeah well.

Don't like this stuff either -- but Bank of America is pretty good. I think most of the questions are mother's maiden name, father's middle name, etc.

The downside with BofA (all banks?), if you leave the country you better tell them or your ATM card gets blocked!

I don't use sites that ask for my "sign", since "No Parking Here" is not on their list!

re: Bank Logins and Twenty Questions
by Doug Osborne February 04, 2008 @ 9:56 am

Pretty much all of the banks have to utilize MFA - Multi Factor Authentication - an image and 3 or more questions randomly asked during login for verification of identity.

What we see is people answering questions and giving the same answer across the board - say foo - because everyone already has too many passwords and logins to keep track - let alone you make a typo answering one of these questions...

Interesting comments on the topic of internationalization Rick - hadn't considered that issue.

re: Bank Logins and Twenty Questions
by Doug Dodge February 04, 2008 @ 11:22 am

Gosh, my bank (Wells Fargo) is really easy to log on to. Just give them my screen name and password. My wife's credit union is the same. They (the credit union) wanted us to set up a funky deal with a picture which I think was some sort of method to a) personalize the site and b) provide a 'trigger' to remember code but we don't think of it in those terms. For her it's the same deal, account number & pin. No big deal at all.

I suspect that some of what folks are seeing is Sarbanes-Oxley related - or panic-driven design after their last breach. <s> That plus site architects who have either not been out in the sun in too long a time or out in the sun too much. Not sure which. <g> The end result is a LOUSY end-user experience.

I agree that the internationalization and personal angle are often out of whack. I see that as evidence of design inexperience.

re: Bank Logins and Twenty Questions
by Jeff Handley February 04, 2008 @ 2:09 pm

Amen! I recently went through the same thing with my bank. I wrote to them and got a stupid response. Here's my story: http://blog.jeffhandley.com/archive/2008/02/04/bank-logins-and-twenty-questions.aspx

-Jeff

re: Bank Logins and Twenty Questions
by volkan uzun February 04, 2008 @ 3:01 pm

not only struggling for passwords or hint ( they are supposed to be hints right? not quizzes ); but there is sometimes an additional step. showing u a bunch of pictures, u pick one; and the next time you login, the system tells u; hey fyi u picked water melon !! WTF,, why am i asked to pick a picture :)

re: Bank Logins and Twenty Questions
by Nick Piasecki February 04, 2008 @ 5:21 pm

Oh man, I HATE these things.

I ran into one once that asked me "What is the name of your high school?" and then prompted for an answer in an asterisk-covered password field.

Hmm ... did I type

"Princess Anne High School"
"Princess Anne High"
"Princess Anne"
"PA"
"PAHS"

... I never did find out the answer, I got locked out after two tries and had to call to get it reset.

re: Bank Logins and Twenty Questions
by figuerres February 04, 2008 @ 5:35 pm

yeah, I think banks (and some other companies) just do not get it....

this stuff only has a chnace at working *IF* the user will accept it and take it to hart.
problem is 99.9% of the time we "just want to get in and do our stuff" and the best intentions of the bank and the folks who had to make the system goes right into the crapper...

so what they really do is frustrate a lot of folks, waste a lot of time and money and they get to say they are making it more secure.

but really as has been posted by others it's still wide open to a good Soc. Eng. attack.
:-)

re: Bank Logins and Twenty Questions
by Matt Brooks February 05, 2008 @ 5:15 am

I thought NatWest in the UK were OK until recently when they really took the biscuit. To access OLB I need to enter:

My customer number, which is based on my birthday plus an ID - so other people with the same birthday can repeatedly enter my ID by mistake and lock my account!

Random digits from my PIN

Random characters from my password

Then they rolled out a card reader to some OLB customers that you have to use EVERYTIME you need modify the account - add a new payee for example.

If you don't have the card reader with you you cant make a payment to a new payee. Bang goes the mobility and accessibility of the OLB app if you ask me!

re: Bank Logins and Twenty Questions
by clown February 05, 2008 @ 5:47 am

Once I tried to login to my bank (CIBC) and I was suddenly asked my secret question. Just like that, out of the blue. So having entered the answer so many years ago and completely forgetting the exact wording (was it first street, First Street, 1st st., ...) I had to call them for help since I failed on a couple of attempts.

Well guess what one of the bozo's first question was to me? Get this, "What is your current account balance"? If that wasn't a WTF moment for me. I wasn't quite sure that the person understood that I was trying to get into my account to get the answer to that very question myself.

re: Bank Logins and Twenty Questions
by Matt Brown February 05, 2008 @ 7:46 am

Try using a banking website that requires a separate login for each mortgage (I have two of them) - that each has its separate questions - AND which will lock you out after 3 attempts. It's been a nightmare.

Great article!

re: Bank Logins and Twenty Questions
by Jim February 05, 2008 @ 12:33 pm

I came up with a standard unrelated value I give to all the questions like that. That way I always know the answer and even if someone knew me they wouldn't know the answer.

re: Bank Logins and Twenty Questions
by Chris February 06, 2008 @ 8:53 am

My old bank (Netbank, which incidentally went bankrupt) asked for stuff like "What is your favorite movie?"...because of course, THAT doesn't ever change. *sigh*

re: Bank Logins and Twenty Questions
by Kevin Lewis February 07, 2008 @ 9:25 pm

My bank requires that my password be 8 characters. Not a minimum of 8 characters, but exactly eight characters. Um, doesnt that make it much easier for anyone to brute force, since they dont have to guess how long the password is? Oh, and why do they have to jack up my roboform login, they must be doing something so that it wont allow it to autofill. Works on every other site I use. Oh, and to make things even better, I have to change my password every 60 days, and pick another unique 8 digit password that does not match any of my previous ones. Almost makes me want to switch to a different bank.

re: Bank Logins and Twenty Questions
by Nathan February 09, 2008 @ 10:00 pm

Well the FFIEC has recommended that financial institutions implement MFA, and you'll be hard pressed to find a bank or credit union that doesn't fall in line as it will be viewed as having a "competitive edge" by the decision makers.

You're right, dumb questions don't add security or provide a good user experience if it's not a question you can answer, but MFA is a fairly decent safeguard against internet banking fraud. There are quite a few non-hardware solutions out there, but making these new techniques work with legacy banking systems is often a bit wonky.

I think end users are becoming more savvy with this requirement and adding rules to how they answer these types of questions (eg: always lower case, always the short version, etc).

My favorite question that I like to add to mine login is, "What's your problem?" j/k

Don't worry about not having a unified standard for this problem, there are enough for everyone to have there own. : )

re: Bank Logins and Twenty Questions
by Ted Jardine February 13, 2008 @ 3:39 pm

"What is your current account balance." Just awesome. I have to second (or third, or fourth) the comment about security on the site compared to security on the phone. Although I must admit that on the phone, once you talk to a real person they DO ask you for your card number AGAIN even though you just had to enter it to get to a real live person already.

And same thing here with Roboform - works everywhere else (as an aside, imagine life without Roboform).