Creating accounts online is a chore that each of us has to go through, be it for a bank, shop or some semi-legal website where you can watch your latest fix of Game of Thrones. You fill in a username and password (somehow fulfilling the ever crazier requirements) and the browser does the rest for you (if you are lucky). Pressing submit, however, does not give you an account: there is more stuff to fill in. This might be your bank details, address, or the dreaded set-up of security questions. Recently, I was setting up a bank account online and I had to choose from the following list (I do not know why they kept misspelling favourite):
- Where were you when you had your first kiss?
- What is the name of the band you like most in high school?
- What was your favorite restaurant in college?
- What is your oldest sibling’s nickname?
- What street did your best friend in high school live on? (Enter full name of street only)
- What was the last name of your favorite teacher in your final year of high school?
- What was your favorite movie as a child?
- What was your favorite book as a child?
- What is your oldest cousin’s first and last name?
- What was your favorite place to visit as a child?
Some of these questions have answers that are relatively easy to gather online: great security. Yet a bigger problem is that I do not know the answer to many of these. The favourite questions do not have a clear resonant answer for me: I could probably think of one; however, I might not be able to remember it when I need to, or might come to a different conclusion…
Another problem is one of consistency. Depending on how my music library is organised at the time, the band I liked the most in high school would be “The Beatles”, “Beatles” or “Beatles, The”. They tried to fix this in the “best friend” question; however, I do not know which street he lived on! Three questions remain:
- Where were you when you had your first kiss? There is probably at least one person, likely more, who knows where this was.
- What is your oldest sibling’s nickname? She does not have one.
- What is your oldest cousin’s first and last name? Doable if you have a cousin, but an attacker might reasonably find this out.
This left me with no security question that I knew the answer to and was secure, so what did I do? I had to compromise on security. I’m sure that’s what the bank wants. I don’t even…