
"Mother's Maiden Name" and other bad bank security

Bank security could be much better if it weren't for two things: ignorance and arrogance. Well, let's be positive about it, because both of these things can be mended. Firstly, the ignorance, which is largely naivety about security, is a basic problem that is a little bit like everyone keeping their front door key under a flower pot. The problem of people being too easy to fool into scams is being remedied, as there are pages online such as these: How to avoid ID theft, beware of bank email, avoiding scams, and the Rogues Gallery of dodgy messages, etc. If you have some good sense, you can avoid most attacks. Even knowing a few basic precautions can save you from most viruses. I'm optimistic that the level of good sense of people can improve, and I'm doing what I can to provide educational good advice!

The other problem seems to be arrogance, and it's not the folk who are to blame, but some of the banks and other big establishments, who are still operating with methods of security which are very poor. I've tried to tell them, but they still don't seem to be changing anything, so now it's time to embarrass them into getting their act sorted out.

It's not just the poor security and the inability to rectify it that's the problem, but the introduction of systems which are designed to appear tough rather than actually being any good at all. Fake security isn't just something in banks. Airports are even worse, the notion being that by inconveniencing people they can pretend there is security, when in fact it's all a ruse. See anti-terrorist nonsense.

It is this aspect, the fake security, coupled with an attitude that it's somehow acceptable, that earns it the term "arrogance".

Bank security with a secret password that's been made up is good! What's not so good is using personal information which compromises your identity. Let's see what typical "security questions" banks ask you when checking whether you are the right person to be allowed access to your money:

1. What is your bank account number?

2. What is your name?

3. What is your date of birth?

4. What is your postcode?

5. What is the first line of your home address?

6. What's your home phone number?

7. What is your mother's maiden name?

The first question might be ok, if the bank account number was secret and was long enough like an old style Swiss bank account number, but chances are your bank account number is eight digits long and is given away with every cheque you write! So, not exactly a secret.

On "What is your name?": it would make a lot more sense if you could have a different name for every bank account and company you dealt with, but sadly the whole thing is compromised by the same name being reused for all purposes, including some which are entirely public and therefore easy for anyone to find. Note: This idea about "having a different name for every bank account and company" is good sense and may yet be the way of things in terms of future personal security, without the evils of centralised government and Facebook. Also see the method applied to email addresses.

Now we get into the problem security questions, because, bearing in mind that your name is not secret, your address is relatively easy to look up, including the postcode, street name, house number, etc. "Date of birth?" might sound like a secure question, almost as if someone would have to pry, in a suspicious way, to find out when your birthday was! This fake security hides the awful insecure truth: your date of birth is public knowledge and can be looked up in the local public register, in a similar way to that in which phone numbers and addresses are available from 192.com.

It is perfectly reasonable for people to look up genealogy, family tracing, etc, so it's not surprising that public information is actually accessible. Researchers can easily find out your mother's name, and by a further enquiry, your mother's maiden name. It's no surprise these things aren't secret or secure. What IS surprising is that banks would somehow believe it acceptable to assume the information is secure!

If the bank had a big safe with the door on the outside of the building and someone had scrawled the combination lock code on the wall in chalk, I would quietly tell the bank that this wasn't good security. If, some time later, this poor security situation still hadn't been remedied, that's when I would start saying the bank was being arrogant in assuming they could get away with it.

I seem to be unable to convince all of the banks to have good security, and while the "mother's maiden name" fiasco continues it seems a disaster waiting to happen. Although I can explain to folk about good security and some will take notice, banks are a different matter. So, is there anything else that can be done to improve security? Well, you can't do much about information which you're stuck with, such as your date of birth. Any type of identity based on fixed things such as biometrics is inherently flawed, and if the government were involved then it might as well be assumed to be in the hands of criminals to start with. Down With ID Cards! (Also see RFID passport problem.) In contrast, real security has strength by being controlled by you, yourself. To that effect, things you make up and keep secret are secure to a considerable extent, and thieves aren't mind-readers. To that end, some of the banks are now happy for you to have a made-up "mother's maiden name" as a substitute for the actual historical name that's a public fact.

This is progress. You can have your real mother's maiden name known without any problem, discussed at family tracing meetings, and available at the public record office, and yet, when the bank asks you "What's your mother's maiden name?" you can say "Rumpelstiltskin", or whatever other unguessable name you've agreed with the bank in advance, and which you're careful never to otherwise divulge. This is doubly good: firstly it removes the original security hole of having a password that's publicly known, and secondly it introduces a trick which completely fools the identity thieves, who will readily assume they can get through bank security by saying the name they've looked up in public records.

Update 2010/07: Progress at last! Barclays Bank have announced that customers may now customise their security questions, thus removing this "key under flower pot" problem. Some of the other banks may be making similar improvements, we will see! With the new improved security, thieves know neither the question nor the answer to the question, and it's up to you to keep it that way. Here are a few example questions which you could use:

* What's the serial number engraved in your front door key?

* What's the number plate of that car which you scrapped ten years ago?

* What's the name of your auntie's pet?

* What time is it on that broken clock which you keep hidden in a drawer?

... The thing about this type of question is that they are relatively easy for you to answer, but very difficult for criminals to discover the answers to without going to a lot of trouble. Of course you have to customise questions and answers which fit your own situation. They need to be personal, secret, and non-standard.

Here's another approach to personal security: Write a short random number (say, 5 digits long) discreetly on every page of your personal diary, with each day having a different random number. Then choose three dates at random (x, y, and z), and make your bank security questions as follows:

1. What's the security number on date [x] in your private diary?

2. What's the security number on date [y] in your private diary?

3. What's the security number on date [z] in your private diary?

This method has additional finesse, because you can forget the dates if you choose to, and then look them up when the bank asks. Plus, even if some nosey person spied on the book, they would not be able to get all of the dates and numbers, and would not know which were the critical dates used in the questions.
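To show the bank-side half of the customised-question idea above (the made-up "mother's maiden name" and the three diary numbers), here is an added example, written for this page and not code from the original author or any bank. It assumes a hypothetical `KbaStore` class: the customer's diary gets an independent random number per day, the bank enrols the three chosen dates as questions, and it keeps only a salted, slow hash of each answer, so a leak of the bank's records still does not reveal the diary numbers. Names and the sample diary are constructed for the illustration.

```python
# Added example: enrolling and checking custom security questions the way
# the diary method above describes. KbaStore, make_diary and the sample
# dates are constructed for this illustration, not any bank's real system.
import hashlib
import hmac
import os
import secrets
from datetime import date, timedelta


def make_diary(start: date, days: int, digits: int = 5) -> dict:
    """The customer's private diary: an independent random number on every day's page."""
    upper = 10 ** digits
    return {
        start + timedelta(days=i): f"{secrets.randbelow(upper):0{digits}d}"
        for i in range(days)
    }


def normalise(answer: str) -> str:
    """Collapse whitespace and case so a mistyped space does not lock the customer out."""
    return " ".join(answer.strip().lower().split())


class KbaStore:
    """Bank-side store of question/answer pairs; holds salted PBKDF2 digests, never answers."""

    ITERATIONS = 100_000  # deliberately slow so leaked records resist offline guessing

    def __init__(self):
        self._records = {}  # question text -> (salt, digest), in enrolment order

    def enrol(self, question: str, answer: str) -> None:
        salt = os.urandom(16)  # per-answer salt: identical answers get different digests
        digest = hashlib.pbkdf2_hmac(
            "sha256", normalise(answer).encode(), salt, self.ITERATIONS
        )
        self._records[question] = (salt, digest)

    def verify(self, question: str, answer: str) -> bool:
        if question not in self._records:
            return False
        salt, digest = self._records[question]
        candidate = hashlib.pbkdf2_hmac(
            "sha256", normalise(answer).encode(), salt, self.ITERATIONS
        )
        # constant-time comparison: a wrong answer fails without leaking how wrong it was
        return hmac.compare_digest(candidate, digest)

    def questions(self) -> list:
        return list(self._records)


def enrol_diary_questions(store: KbaStore, diary: dict, chosen_dates: list) -> None:
    """Turn the three chosen diary dates into the bank's questions, as the page describes."""
    for d in chosen_dates:
        question = f"What's the security number on date {d.isoformat()} in your private diary?"
        store.enrol(question, diary[d])


if __name__ == "__main__":
    diary = make_diary(date(2010, 7, 1), 31)          # constructed: one month of pages
    chosen = [date(2010, 7, 3), date(2010, 7, 17), date(2010, 7, 29)]  # x, y, z
    bank = KbaStore()
    enrol_diary_questions(bank, diary, chosen)
    for q, d in zip(bank.questions(), chosen):
        print(q, "->", bank.verify(q, diary[d]))
```

The store holds only the question text and a digest, so an insider or a breach of the bank's database learns neither the diary numbers nor which diary dates matter; a customer reading a number off the wrong page simply fails `verify`. The same `enrol`/`verify` pair works for a made-up "mother's maiden name" such as "Rumpelstiltskin", since the store never cares whether the answer is a real fact.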

Final point for now: people asking you what sex you are? Downright personal! It's none of their business! (It's also very poor security.) Note: Nigeria scams almost always ask what sex you are. But they are scamsters and criminals. Maybe it's something quaint, possibly even something to do with the prostitution business in Nigeria?