Data Unsuitable for Authentication

It used to be that my bank rang me (on one of the regular occasions where they mistakenly block my debit card, often over payments which have been occurring regularly every month for years) and asked me to authenticate myself. These days, they ring me and make at least an attempt to authenticate themselves to me, which is an improvement. However, the conversation still goes something like this:

Bank: “Sir, if you give me the month and year of your date of birth, I’ll give you the day.”
Me: “But my date of birth is on Wikipedia. Anyone can know what it is. You can’t use it to prove I’m me.”
Bank: “…”

There should be a list of pieces of information which are considered sufficiently “public” or “well known” and so should never be used for authentication – because they are publicly discoverable or because you have to give them to large numbers of people in the course of life. There should be a website listing them, and a hall of shame for companies which use them. Those well-known pieces of information would include:

  • Date of birth
  • Current address
  • Mother’s maiden name
  • Bank account number and sort code
  • Credit card number, expiry and CVC
  • SSN (in the USA)

What else?

In general, companies should instead use information specific to their relationship with that customer. For example “last item you bought” or “last transaction you made” at a bank.

4 thoughts on “Data Unsuitable for Authentication

  1. I set up a secret word on my mobile account that they have to give me before I’ll give them any information. The inspiration came from a column by Barry Fox many, many years ago in PCW. It’s worked pretty well, the only time it falls down is when the call has clearly come from a call centre that’s been handed a long list of names and numbers and nothing else. The chap sounded very relieved when I suggested that we really didn’t need to go through the challenge and answer for me to tell him that I was happy with my new phone and contract.
    Haven’t spoken with my bank for years though. The last time I did they refused to speak to me on a wireless landline because it was insecure.
    Tim

  2. It’s also worth (explicitly) noting that it’s bad to be using unchangable info for authentication. You can’t change your birthday. Or, practically speaking, your address. SSN is a great example of this, where it’s been treated as a secret number but is fairly readily available to anyone with a modest degree of determination.

    Even worse is using these as a back-door for account recovery. Having a strong password isn’t much help if a company will reset it for you with just, say, your birth date and mother’s maiden name.

  3. Add what school you want to and the year you graduated to the list. I think about two thirds of all websites (that have user accounts at all) use these, if not for front-line authentication then for backup authentication when you forget your password. An attacker can click “I forgot my password” just as easily as the user can, so making those secure is just as important as making the password secure.

    Oh, the name of your first pet is another biggie. Anyone can find this out by social engineering. Even if *you* are smart enough to not give this information out to strangers who ask about it for no good reason, you probably have family members who wouldn’t give it a second thought. Actually, come to think of it, almost all commonly used account recovery questions have this problem.

    I think the worst one that a lot of sites actually use may be “What is your favorite hobby?” A social engineer doesn’t even have to *ask* the user anything to get that information. People just naturally steer the topic of conversation to their own hobbies on a regular basis, without reservation. If you have any access to a venue (either online or in real life, doesn’t matter) where the user ever has conversations with anyone, you can get this information just by paying a modicum of attention.

    Also problematic is that a lot of account recovery questions are composed of high-level semantic units that can be expressed in characters in a number of different ways. Non-IT-geek humans then have difficulty spelling it the same way twice. I was attempting to help a library patron the other day who couldn’t get her pay stubs because she had forgotten her password, and two authentication questions came up. She got the name of her first pet on the second try, but she tried at least six times to get the year make and model of her first car. Being a computer geek I noticed that she spelled it differently each time. (“1956chevbelair”, “1956chevrolet”, “1956 Chev Belair”, “1956 chevbelair”, etc.) She thought she was typing exactly the same thing, because semantically it all *meant* the same thing to her (1956 Chevrolet Bel Air). I tried to explain to her that computers aren’t smart enough to understand that those are all the same, because they don’t know what it means, and she needed to type it exactly the same way she had typed it when setting up the account. I’m pretty sure she had no idea what I was talking about, because I don’t think she understood that she’d typed anything different at all. People (other than IT geeks) don’t think in characters. They think in higher-level semantic units — lexemes, typically, or in this case an entire phrase that together means one thing. And I’m stone cold certain she doesn’t have any way to find out how she spelled it when setting up the account, short of systematically trying every possibility, which she clearly doesn’t think enough like a computer to do.