The CNN article Bank to require more than passwords describes Bank of America’s plan to query web site users for personal information after they enter their passwords. The idea is to more firmly establish their identity.
It makes me wonder, though. Why bother with the password at all? How well would an authentication system work if it asked for a username and the answer to one of a dozen or so personal questions?
When you registered with the site, you would answer questions such as this:
- What are your children’s’ names?
- What was the year, model and color of your first car?
- In what year and place was your spouse or SO born?
- What is your mother’s name and birthday?
- What size shoes and shirt do you wear?
- What is your favorite breakfast?
- What time do you get to work and how do you get there?
The common theme is that all of the answers are easily remembered by the right person, largely unknown by the wrong person, and long, discouraging dictionary attacks.
ING Direct (Orange Savings) is doing this already. Along with the username and password,
they also ask you for one of the various pieces of info that the collected when you opened
your account. Each time they display the login screen, they want a different piece of
info.
None of these questions represent a serious hurdle for even an amateur private investigator.
These questions are pretty easily social engineered out of the target in just a few minutes.
How hard would it be to get YOU engaged in a conversation about your first car? How hard would it be to guess your shirt size? Do you know how easy it is to find the names of someones children?
The best thing is, if the bank asks a question you can’t answer, you just start over to get a different question.