"Mother's Maiden Name" and other bad bank security
Bank security could be much better if it weren't for two things: Ignorance and Arrogance. Well, let's be positive about it, because these things can be mended. Firstly, the ignorance, which is largely naivety about security, is a basic problem which is a little bit like everyone keeping their front door key under a flower pot. The problem of people being too easy to fool into scams is being remedied, as there are pages online such as these: How to avoid ID theft, beware of bank email, avoiding scams, and the Rogues Gallery of dodgy messages, etc. If you have some good sense, you can avoid most attacks. Even knowing a few basic precautions can save you from most viruses. I'm optimistic that the level of good sense of people can improve, and I'm doing what I can to provide educational good advice!
The other problem seems to be arrogance, and it's not the folk who are to blame, but some of the banks and other big establishments, who are still operating with methods of security which are very poor. I've tried to tell them, but they still don't seem to be changing anything, so now it's time to embarrass them into getting their act sorted out.
It's not just the poor security and inability to rectify it that's the problem, but the introduction of systems which are designed to appear to be tough rather than actually being any good at all. Fake security isn't just something in banks. Airports are even worse, the notion being that by inconveniencing people they can pretend there is security, when in fact it's all a ruse.
It is this aspect, the fake security, coupled with an attitude that it's somehow acceptable, that earns it the term "arrogance".
Bank security with a secret password that's been made up is good! What's not so good is using personal information which compromises your identity. Let's see what typical "security questions" banks ask you when seeing if you are the right person to be allowed access to your money:
1. What is your bank account number?
2. What is your name?
3. What is your date of birth?
4. What is your postcode?
5. What is the first line of your home address?
6. What's your home phone number?
7. What is your mother's maiden name?
The first question might be ok, if the bank account number was secret and was long enough like an old style Swiss bank account number, but chances are your bank account number is eight digits long and is given away with every cheque you write! So, not exactly a secret.
On the "What is your name?" it would make a lot more sense if you could have a different name for every bank account and company you dealt with, but sadly the whole thing is compromised by having the same name being reused for all of the purposes, including some which are entirely public and therefore easy for anyone to find.
Now we get into the problem security questions, because, bearing in mind your name is not secret, your address is relatively easy to look up, including the postcode, street name, house number, etc. "Date of Birth?" might sound like a secure question, almost as if someone would have to pry and find out when your birthday was, in a suspicious way! This fake security hides the awful insecure truth, that your date of birth is public knowledge and can be looked up in the local public register, in a similar way to that in which phone numbers and addresses are available from 192.com.
It is perfectly reasonable for people to look up genealogy, family tracing, etc, so it's not surprising that public information is actually accessible. Researchers can easily find out your mother's name, and by a further enquiry, your mother's maiden name. It's no surprise these things aren't secret or secure. What IS surprising is that banks would believe it's somehow acceptable to assume the information is secure!
If the bank had a big safe with the door on the outside of the building and someone had scrawled the combination lock code on the wall in chalk, I would quietly tell the bank that this wasn't good security. If, some time later, this poor security situation still hadn't been remedied, that's when I would start saying the bank was being arrogant in assuming they could get away with it.
I seem to be unable to convince all of the banks to have good security, and while the "mother's maiden name" fiasco continues it seems a disaster waiting to happen. Although I can explain to folk about good security and some will take notice, banks are a different matter. So, is there anything else that can be done to improve security? Well, you can't do much about information which you're stuck with, such as your date of birth. Any type of identity based on fixed things such as biometrics is inherently flawed, and if the government were involved then it might as well be assumed to be in the hands of criminals to start with. Down With ID Cards! In contrast, real security has strength by being controlled by you, yourself. Things you make up and keep secret are secure to a considerable extent, and thieves aren't mind-readers. To that effect, some of the banks are now happy for you to have a made-up "mother's maiden name" as a substitute for the actual historical name that's a public fact.
This is progress. You can have your real mother's maiden name known without any problem, discussed at family tracing meetings, and available at the public record office, and yet, when the bank asks you "What's your mother's maiden name?" you can say "Rumpelstiltskin", or whatever other unguessable name you've got agreed with the bank in advance, and which you're careful never to otherwise divulge. This is doubly good, as firstly it removes the original security hole of having a password that's publicly known, but secondly it introduces a trick which completely fools the identity thieves, who will easily assume they can get through bank security by saying the name they've looked up in public records.
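One way to pick such a made-up name, shown as an added example that is not part of the original page: it draws a pronounceable pseudo-surname from a cryptographic random source, one per bank, and compares answers the way they would be heard over the phone. The syllable set, the function names and the bank names are assumptions of this example.

```python
import hmac
import math
import secrets

# Constructed syllable set (an assumption of this example): consonant + vowel,
# so the result can be spoken and spelled out to a bank over the phone.
CONSONANTS = "bdfgklmnprstvz"
VOWELS = "aeiou"
SYLLABLES = [c + v for c in CONSONANTS for v in VOWELS]  # 70 syllables


def made_up_name(syllables: int = 5) -> str:
    """Return a random pseudo-surname; nothing in it comes from public records."""
    return "".join(secrets.choice(SYLLABLES) for _ in range(syllables)).capitalize()


def entropy_bits(syllables: int = 5) -> float:
    """Bits of entropy when each syllable is picked uniformly at random."""
    return syllables * math.log2(len(SYLLABLES))


def answers_for(banks, syllables: int = 5) -> dict:
    """One independent answer per bank, so a leak at one is useless at another."""
    answers = {}
    for bank in banks:
        name = made_up_name(syllables)
        while name in answers.values():  # extremely unlikely, but never reuse
            name = made_up_name(syllables)
        answers[bank] = name
    return answers


def same_spoken_answer(given: str, agreed: str) -> bool:
    """Compare as heard on the phone: ignore case and spacing, constant time."""
    def norm(s: str) -> bytes:
        return "".join(s.split()).casefold().encode()
    return hmac.compare_digest(norm(given), norm(agreed))


if __name__ == "__main__":
    # Hypothetical bank names, constructed for the demonstration.
    for bank, name in answers_for(["Bank A", "Bank B"]).items():
        print(f"{bank}: {name}")
    print(f"about {entropy_bits():.1f} bits per answer")
```

Keep the generated names somewhere only you can read, such as a password manager, since they are not memorable in the way a real family name is.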