
Your Mother’s Maiden Name Is Not a Secret - QAPereo
https://www.nytimes.com/2017/12/28/opinion/sunday/internet-security-questions.html
======
Aardwolf
Does anyone know the cause of the large and long standing difference in
banking in US vs Europe?

In europe:

-for 15 or so years already, web banking has been with 2nd factor authentication (since its inception I assume). In previous decades we would get devices where you need to type numbers from its lcd screen into the webpage login. Today mobile auth apps are taking over.

-I have never seen a bank have security questions like "mother's maiden name" as backup. No backup questions at all. I guess you go to the bank's office if you forget it?

-"wiring" money between european bank accounts is free (and not called wiring, not sure what in english though), for as long as I remember. It's not some special type of transaction, it's the main way to pay bills, get salary, pay each other, ...

-paper cheques haven't existed for over a decade

When I hear how US banking is, it somehow evokes images of an old stuffy 70's
office to my mind... lots of paper, maybe a slow cobol mainframe somewhere,
which can only support 8 character passwords in all caps or something like
that...

~~~
johnnyb9
- We don't use 2FA authentication, I guess because there are more cost
effective ways of verifying our identity (probably not going to last much
longer with all the breaches)

- ACH in the USA is free and fast (one business day)... and that's the main
way of receiving salary, paying bills, etc. Is Europe really any better in
this regard?

- No one uses paper checks here either...

~~~
BinaryIdiot
> No one uses paper checks here either...

Source on that one? I've found that people outside of the tech bubble use a
paper check at the very least once a year and most likely once a month. I have
seen plenty of apartments, renters, even a mortgage company just a few years
ago that required payment still in paper checks in the USA.

I'm going to assume your suggestion is anecdotal. It is certainly in decline
but it's still widely used.

Check out this article
[https://www.bloomberg.com/news/articles/2017-07-26/why-can-t-americans-give-up-paper-checks](https://www.bloomberg.com/news/articles/2017-07-26/why-can-t-americans-give-up-paper-checks)

~~~
Amezarak
That 38-per-year number seems ludicrously high. The last time I wrote a check
was five years ago, for an earnest money deposit, and I don't know anyone who
writes them much more often than I do other than a few elderly people, who
still use them as their primary means of payment.

------
ademup
Every time I'm confronted with these types of questions I just roll my eyes
and add a 'Mother's maiden name' text entry to my password manager with a 16
digit random string.

~~~
waytogo
OT: Just wondering why so many people are using password managers. When you
use a password manager you have one single point of attack and failure. I
wouldn't like to give all my credentials to one single entity.

~~~
grzm
The password manager is typically on a machine you control. If your machine is
owned, you've got issues regardless. A password manager provides a way to
effectively utilize higher-entropy, per-account passwords. As with all
security-related matters, it's a tradeoff. I expect many choose password
managers for this reason.

~~~
Kiro
Pretty sure the typical password manager user does not control the machine.

~~~
grzm
In terms of physical control of the machine? In terms of what software is
loaded on the machine? Would you elaborate on what you mean "typical password
manager user" and "does not control"?

------
yawaramin
I feel like this article takes a lot of words and time to suggest the
reasonable solution: make up fake answers to security questions and store them
somewhere, preferably a password manager. Sure, it would be greatly preferable
to use 2FA and people should really get on that, but lamenting on all the ways
security questions can be inappropriate for people when there's an obvious
solution feels like drawing it out for the sake of filling up that word count.

~~~
zaptheimpaler
Sure there are workarounds we can use as consumers, but getting the message
out there will help push the companies to a better system. Something like 2FA
over SMS is common in other countries and way better. Journalism is helping
give security a bigger mind share in the public eye so they can understand how
current systems are flawed and demand better ones. It's a good time to tackle
the problem given all the recent hacks/leaks (like SSNs). Corporations will
only budget for this stuff when their users demand it.

------
saagarjha
> And how many Indian- or Brazilian-born users went to a high school without a
> mascot, or grew up on a street with no name?

Was helping my (Indian) grandfather and came across a similar issue–very
little applied to him. We finally got him to settle on some questions, but
then when he forgot the password and went back to reset it, it kept dinging
him because one of the questions was like “what was your third grade teacher’s
name” and he had forgotten how he had Anglicized it.

------
nkkollaw
My bank (Fineco) requires passwords to be 8 characters.

Yup, I don't mean minimum or maximum, but exactly 8 characters.

That's got to make brute-forcing about 1,000,000 times easier, and I cannot
think of a single good reason to impose this.

I bet huge numbers are "12345678" and "password".

~~~
Latty
> I cannot think of a single good reason to impose this.

Good? Definitely not, but my money is on CHAR(8) and a lack of understanding.

~~~
mitchty
Dollar to a donut, there is or was a mainframe involved in authentication that
has an 8 character password. I even bet the company that sold it was IBM. I
remember finding out at one job that the "reason" for the 8 character password
requirement for one of our logins, was "you can type as much as you want, but
eventually we just take the first 8 characters and use that to log you into
the mainframe as thats all it accepts".

Mainframes are weird, and not all that dynamic.
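
An added example (not code from nkkollaw's bank, mitchty's former employer, or anyone in the thread) of what the "we just take the first 8 characters" behaviour mitchty describes means in practice, next to the same scheme without truncation, plus the search-space arithmetic behind nkkollaw's complaint. The salted SHA-256 store and the `LEGACY_MAX` cut-off are assumptions for illustration; the point is the truncation, not the hash:

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# Length at which the hypothetical back end silently truncates (an assumption
# modelled on the "we just take the first 8 characters" behaviour above).
LEGACY_MAX = 8


def _digest(secret: str, salt: bytes) -> bytes:
    # Salted SHA-256 stands in for whatever the legacy store really used;
    # the hash is not the point, the truncation is.
    return hashlib.sha256(salt + secret.encode("utf-8")).digest()


def legacy_enroll(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a password the way a truncating system does: only pw[:8] is hashed."""
    salt = salt or os.urandom(16)
    return salt, _digest(password[:LEGACY_MAX], salt)


def legacy_verify(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Any candidate sharing its first 8 characters with the real password passes."""
    return hmac.compare_digest(_digest(candidate[:LEGACY_MAX], salt), stored)


def full_enroll(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Same scheme without truncation: the whole password is bound to the hash."""
    salt = salt or os.urandom(16)
    return salt, _digest(password, salt)


def full_verify(candidate: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(_digest(candidate, salt), stored)


def search_space(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Candidates an attacker must cover for passwords of length min_len..max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def bits(space: int) -> float:
    """Search space expressed in bits, for comparing policies."""
    return math.log2(space)


if __name__ == "__main__":
    salt, stored = legacy_enroll("correct horse battery staple")
    print("legacy accepts 'correct hXXXXX':", legacy_verify("correct hXXXXX", salt, stored))
    print("exactly 8 printable ASCII:", round(bits(search_space(95, 8, 8)), 1), "bits")
    print("8 to 12 printable ASCII:  ", round(bits(search_space(95, 8, 12)), 1), "bits")
    print("exactly 8 upper+digits:   ", round(bits(search_space(36, 8, 8)), 1), "bits")
```

The practical check for a site you suspect of this: enrol a long password, then log in with the first eight characters followed by garbage. If that works, the rest of your password was never stored, and "exactly 8 characters" is the honest description of the policy.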

~~~
Latty
I remember DB2 had some weird limits. I think it was something like database
names couldn't be more than 8 bytes, which was something to do with some
filesystem on z/OS or something that couldn't have directories with names
longer than that (probably not quite right, but it was something like that).

~~~
mitchty
z/os, oh how I remember interfacing with thee, and hating every minute of it.

From what I remember you're spot on, every "file" or "record name"/whatever
(mainframes are not unix) was restricted to 8 characters and upper case, also
EBCDIC just because IBM. So many silly legacy things around those mainframes.

That said, they literally never had an outage on it the entire time I was
there so +1 for reliability and availability. They even replaced the whole
mainframe piece by piece.

------
tempestn
Best line in this article:

_Then there’s the State Bank of India’s vertiginous “What is the website that
you rarely visit?” which reads like a Zen koan whose purpose is to make you
reflect on the unknowability of the answer._

(Although, I think it could actually be a decent one for some people; you
could probably mentally associate it with a specific site and have a decent
chance of remembering in the future. Not as good as random answers stored in a
password manager, but better than most security questions.)

------
caseysoftware
Mother's maiden name is one of the easiest. If she's on Facebook, odds are
it's listed because that's how her high school friends knew her.
Alternatively, if grandma & grandpa are listed, you can go there too.

I've been presenting on these flawed questions for years. In one of my demos,
we take a volunteer from the audience and we see how many of the top 10
banking questions we can answer from their public Facebook & LinkedIn
profiles. I've never gotten less than 4 or more than 8.. and - as an attacker
- I'd take those odds.

------
dizzystar
I give the bank a fairly obvious fake last name they could spell without
asking me, since it's famously attached to a bumpkin. I get a lot of strange
looks for that one. I can barely remember how to spell my mother's maiden name
since it wasn't anglicized.

Interesting to note that overseas support really struggle with a lot of these
security questions. So many are central to the Western world and they can't
seem to spell it at all because they aren't familiar with our culture.

I never once felt like those security questions are secure at all. Some are
just horrible, especially the maiden name one and birth city. Granted, the
password manager works well for technical people, but it doesn't work for non
techs or anyone who's had a bank account for more than ten years or so.

~~~
brewdad
Thankfully, I have zero ties to my birth city since my parents moved to a
different state before I was a year old. Sure, it wouldn't be hard to find in
a records search but it's not going to be sitting there in my social media
profile at least.

------
hnonlyforu
It's worse for me, cause Chinese people don't change names when married. It is
zero-effort to learn the maiden name since it is still their actual name.
However, many Chinese websites still have this question available.

I always give a fake name/addr/, etc. Very hard to remember all those answers,
before I knew how to use a password manager.

------
AndyMcConachie
If you want an absolutely egregious example of how bad this can get here is an
article I wrote a few months ago about the security practices of an American
Credit Union.

[https://metafarce.com/lafayette-federal-credit-union.html](https://metafarce.com/lafayette-federal-credit-union.html)

------
MistahKoala
Those of us with double-barreled surnames have been keenly aware of this for
quite some time.

~~~
ufo
Another thing I am surprised no one mentioned yet is mothers who didn't change
their last name after marrying.

~~~
astura
...or whose mothers never married at all... Or people who don't even have
mothers at all.

The assumption is also that your mother's maiden name is different from your
own name. Which is a very questionable assumption.

We certainly show our cultural biases when coming up with these questions.

~~~
stevekemp
> Or people who don't even have mothers at all.

That intrigues me. I can imagine not having a living mother, or even a mother
who died before/during/after childbirth.

But I can't imagine how it is possible for a child to have no mother at all.
Is there a situation that you demonstrate ?

~~~
twobyfour
A child whose father(s) commissioned an egg donor and a surrogate?

An adoptee (of a father or fathers) who never knew who their mother was?

An orphan who never knew who their mother was and lived in an institution
their entire childhood?

Sure, everyone has at least one biological mother. But there are plenty of
people who don't and never will know their biological mother's name.

------
nickjj
I always thought security questions were a ploy to get you to take surveys
without explicitly being told you were taking a survey.

If your bank (or any company who has your gender and birthday) asks you what
your favorite color is, they could now come up with stats such as "83% of
women in between the ages of 23 and 38 prefer purple". That type of data could
be sold to and be used by clothing vendors and other businesses.

It's also 1 more data point collected on your private life.

~~~
llukas
In EU they need to explicitly state that data is collected and reason. Data
uses for authentication cannot be used for marketing.

------
mmcnl
This seems to be primarily an American thing. I have never experienced the usage
of security questions with non-American companies. Even Apple uses it, which
is weird considering they're so proud of their privacy-first strategy.

------
cmurf
Set a "verbal password". Most banks support these, but most customer service
reps haven't heard of them (this is slowly improving). And it seems if you
"forget" this verbal password there's no guarantee the bank won't give you an
alternate work around like asking for more answers to stupid security
questions.

Anyway, it's worth a shot: [https://krebsonsecurity.com/2017/11/simple-banking-security-tip-verbal-passwords/](https://krebsonsecurity.com/2017/11/simple-banking-security-tip-verbal-passwords/)

------
chx
I'd say my mother's full maiden name is pretty hard to find (I am not
American) -- until, of course, someone finds it in one of the breached
database dumps. If I were indeed using her name.

------
u801e
What banks should really do instead of just using passwords or 2-factor
authentication is to use client TLS certificates in addition to the standard
username and password.

The bank can advertise instructions on how to generate a certificate signing
request, have you bring it in when you open an account, have the bank issue
you a client certificate and have them give you instructions on how to import
it into your web browser. The bank can also tell you to do this for each
device you plan to use to access your online account(s).
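
An added example, not code from u801e or from any bank, of the enrolment flow described above driven end to end: the customer generates a key and CSR, the bank signs it with its own CA, the resulting certificate is checked against that CA (as the bank's TLS terminator would on every connection), and the key, certificate and CA are bundled into a PKCS#12 file for browser import. It shells out to the `openssl` command-line tool. The CA name, customer id, file names and the PKCS#12 password are assumptions for the demo; the negative case (a certificate presented against some other CA) is included because that is the check that makes the scheme worth anything:

```python
import os
import shutil
import subprocess
import tempfile
from typing import Dict

# All names below (bank CA name, customer id, file names, the PKCS#12 password)
# are assumptions for the demo, not anything the commenter or a real bank uses.


def _openssl(args, cwd: str) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], cwd=cwd, capture_output=True,
                          text=True, check=False)


def bank_create_ca(ca_dir: str, name: str = "Example Bank Customer CA") -> str:
    """Bank side: a self-signed CA whose only job is signing customer CSRs."""
    r = _openssl(["req", "-x509", "-new", "-newkey", "rsa:2048", "-nodes",
                  "-keyout", "ca.key", "-out", "ca.crt", "-days", "365",
                  "-subj", f"/CN={name}"], cwd=ca_dir)
    r.check_returncode()
    return os.path.join(ca_dir, "ca.crt")


def customer_create_csr(cust_dir: str, customer_id: str) -> str:
    """Customer side: the private key stays on the device; only the CSR is handed over."""
    r = _openssl(["req", "-new", "-newkey", "rsa:2048", "-nodes",
                  "-keyout", "client.key", "-out", "client.csr",
                  "-subj", f"/CN=customer-{customer_id}"], cwd=cust_dir)
    r.check_returncode()
    return os.path.join(cust_dir, "client.csr")


def bank_issue_cert(ca_dir: str, csr_path: str, out_path: str, days: int = 365) -> str:
    """Bank side: sign the CSR. Only a certificate signed by *this* CA will verify later."""
    r = _openssl(["x509", "-req", "-in", csr_path, "-CA", "ca.crt", "-CAkey", "ca.key",
                  "-CAcreateserial", "-out", out_path, "-days", str(days)], cwd=ca_dir)
    r.check_returncode()
    return out_path


def verify_against_ca(cert_path: str, ca_cert_path: str) -> bool:
    """What the bank's TLS terminator does on each connection: chain to its own CA."""
    r = _openssl(["verify", "-CAfile", ca_cert_path, cert_path],
                 cwd=os.path.dirname(cert_path))
    return r.returncode == 0


def bundle_for_browser(cust_dir: str, ca_cert_path: str, password: str) -> str:
    """Customer side: key + cert + CA in one PKCS#12 file, which browsers import."""
    r = _openssl(["pkcs12", "-export", "-inkey", "client.key", "-in", "client.crt",
                  "-certfile", ca_cert_path, "-out", "client.p12",
                  "-passout", f"pass:{password}"], cwd=cust_dir)
    r.check_returncode()
    return os.path.join(cust_dir, "client.p12")


def run_demo() -> Dict[str, bool]:
    """Whole enrolment once, plus the negative case (a cert checked against another CA)."""
    if shutil.which("openssl") is None:
        return {"openssl_available": False}
    work = tempfile.mkdtemp(prefix="bank-mtls-")
    try:
        bank, cust, other = (os.path.join(work, d) for d in ("bank", "customer", "other"))
        for d in (bank, cust, other):
            os.mkdir(d)
        bank_ca = bank_create_ca(bank)
        other_ca = bank_create_ca(other, name="Some Other CA")
        csr = customer_create_csr(cust, "12345")
        cert = bank_issue_cert(bank, csr, os.path.join(cust, "client.crt"))
        p12 = bundle_for_browser(cust, bank_ca, "import-me")
        return {
            "openssl_available": True,
            "issued_cert_verifies": verify_against_ca(cert, bank_ca),
            "foreign_ca_verifies": verify_against_ca(cert, other_ca),
            "p12_bundle_written": os.path.getsize(p12) > 0,
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

Note what the scheme does and does not buy: the certificate proves possession of a key the bank once bound to an account, so a leaked password alone is not enough, but a stolen device (or an exported `.p12` with a weak password) carries the key with it, which is why the bank would still want the password alongside it.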

~~~
motherdearest
I can just imagine my mother getting flustered after reading the words
"certificate signing (sic?) Request" and stopping reading at "client
certificate". I can think of very elaborate security measures. The trick is to
make them sound easy and relatable to a ranch hand and 1960s housewife. These
people are smart but they don't have the same life experiences.

~~~
u801e
It may sound difficult at first, but with plenty of help (step-by-step
tutorials, etc.) provided by the bank, then it shouldn't be too hard to
implement. It could be started as a trial for a certain subset of customers
and then rolled out to larger and larger groups as time goes on.

Banks could provide an incentive by stating that using this is much more
secure than just using a password, and that it's also largely automatic
(unlike 2FA).

~~~
sethammons
In school, did you ever do the "give instructions to make a peanut butter and
jelly sandwich" activity? I'm guessing not.

I'm willing to bet you could have a video with transcript and pictures of the
user's exact home set up and many people still couldn't figure it out. You are
dealing with people who still don't understand why you don't have to double
click links since they have to double click apps and don't know the difference
between Google, the Internet, and Internet Explorer.

People are often stuck with modes of thought and operation from when they were
younger, and for many, that was pre-computer. At work, we got a hand written
letter asking for support setting up their account because they were having
trouble with their email that their daughter set up (despite ample support
options on the site).

~~~
u801e
> I'm willing to bet you could have a video with transcript and pictures of
> the user's exact home set up and many people still couldn't figure it out.

I think you're giving most people less credit than they deserve in terms of
figuring things out. Yes, there are people who are technically illiterate, but
they probably still conduct most of their business in a manner similar to the
pre-commercial internet days. That is, they either use the bank teller drive-
through lanes, ATM, or go inside the bank to do banking business. They may not
even try logging into their online account.

But that doesn't mean that the bank shouldn't provide options for the more
technically literate users who either already understand the concepts or can
pick it up with some step-by-step instructions.

I certainly don't like banks providing half-baked security solutions like
easily guessable "security" questions or passwords that can only be up to some
relatively short length and highly restricted character-set which can be
brute-forced or easily obtained from a plain-text dump of their compromised
database.

~~~
sethammons
:) "most" vs "many."

I don't think most users would have a terrible time. I think most users would
not bother with setting up anything fancy, but could if they had ok
instructions. But I think there are many who would absolutely flounder. As a
technical person, I would like more security for sure.

"Security" questions should be gone. Everything important should be 2FA or
have a key fob. I think just about everyone who has a phone and does online
banking can understand "input the code we just texted you."

~~~
u801e
The key fob (or equivalent application on one's phone) is a better option
compared to email/SMS based 2FA since the latter is not secure [1] [2]). The
latter is still a lot like the half-baked security measures I mentioned in my
earlier post.

I still think having a certificate/private key imported into my browser as a
one-time (or periodic) task is more convenient compared to having to use a key
fob or soft token from a phone app every time I have to log in.

[1] [https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/](https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/)

[2] It's a general problem of people using the same password for one's email
account or cell phone service account and their online bank account

------
erroneousfunk
In a computer security class I had at Harvard, the professor made the comment:
"Your mother's maiden name is considered a 'secret.' Which is funny, given the
building we're in."

We were in the Maxwell Dworkin building, named after the surnames of Bill
Gates' and Paul Allen's mothers. Their mothers' maiden names were literally
carved in a huge stone sign outside the building.

------
Abishek_Muthian
Considering the security question forms are brute-force proof, I think it's
better to keep fictional answers which cannot be accessed by social
engineering for these questions.

In India we have SMS based 2FA for transactions in spite of these questions.
Some Chinese banks seem to provide HW based 2FA for general accounts.

------
tsycho
Haha, that's why I have been using a made up "mother's maiden" name for the
past 5 years!

~~~
gregmac
That's not really any better. If a site is hacked that has your made up name,
that gets published on the carder sites [1] along with your other information
(email, credit card number, phone). It may not work to get a new credit card
in your name, but it can be used to reset your password on some other crappy
site that uses that information for "forgot password".

[1] [https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/](https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/)

~~~
kstrauser
My mother's maiden name on exactly one website is
"X729gD9naatotKORNKkuV0BwSm4A8GnL". On another it's
"7RQCpeaG66ffxxgEoUKwvcSZfj6hEZ3Z".

~~~
jjeaff
That may work in cases of online password resets, but I believe it has been
demonstrated that they are not great for social engineering reasons. A hacker
can just say, "oh I just mashed the keyboard for that" or worse, the agent
thinks it is an error or glitch and lets the hacker in.

I think best to use a real, but different last name on all your sites.
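
An added example, not from ademup, kstrauser, jjeaff or gregmac, that puts the three positions in this subthread side by side: the obviously-random answer (kstrauser), the looks-like-a-real-surname answer that survives being read back to a call-centre agent (jjeaff), and a per-site vault check for the reuse gregmac warns about, where one breach's dump unlocks "forgot password" elsewhere. The name fragments are constructed for the demo and the vault is a plain dict standing in for a password-manager entry:

```python
import math
import secrets
from typing import Dict, Set

# Constructed name fragments for the demo (not from the page). Two fragments
# joined give a plausible-looking surname an agent will read back without
# suspicion, chosen at random per site from secrets (not random).
FIRST = ["Ash", "Brook", "Cald", "Dun", "Eld", "Fair", "Gar", "Hol", "Kirk", "Lind",
         "Mar", "Nor", "Oak", "Pen", "Ram", "Stan", "Thorn", "Wal", "Wex", "Yar"]
SECOND = ["bury", "combe", "croft", "dale", "field", "ford", "ham", "ley", "more", "ridge",
          "shaw", "stead", "stone", "thorpe", "ton", "wall", "well", "wick", "wood", "worth"]

TOKEN_BYTES = 24  # 192 bits; token_urlsafe renders this as 32 characters


def token_answer() -> str:
    """The obviously-random style: maximal entropy, awkward over the phone."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def surname_answer() -> str:
    """The looks-real style: far less entropy, but reads as a name to an agent."""
    return secrets.choice(FIRST) + secrets.choice(SECOND)


def entropy_bits(style: str) -> float:
    """How much guessing each style forces on an online attacker."""
    if style == "token":
        return TOKEN_BYTES * 8
    if style == "surname":
        return math.log2(len(FIRST) * len(SECOND))
    raise ValueError(style)


def is_plausible_surname(s: str) -> bool:
    return any(s == a + b for a in FIRST for b in SECOND)


def add_answer(vault: Dict[str, Dict[str, str]], site: str, question: str, style: str) -> str:
    """Record a fresh answer for (site, question); every site gets its own."""
    answer = token_answer() if style == "token" else surname_answer()
    vault.setdefault(site, {})[question] = answer
    return answer


def reused_answers(vault: Dict[str, Dict[str, str]]) -> Set[str]:
    """Answers present on more than one site: one breach would expose the rest."""
    seen: Dict[str, Set[str]] = {}
    for site, qa in vault.items():
        for answer in qa.values():
            seen.setdefault(answer, set()).add(site)
    return {a for a, sites in seen.items() if len(sites) > 1}
```

The surname style gives under nine bits here, which is only acceptable because a security-question form is answered online against a lockout, never offline against a hash; if a site lets you try answers without limit, nothing short of the token style holds up.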

~~~
yawaramin
Do most websites have call centres where you can try to trick agents? Also,
how gullible are call centre agents at financial institutions? If they're
really giving out access to random people claiming to have forgotten the
security answer, it's pretty clear-cut the bank should be on the hook for
damages if money gets stolen. Nothing like the prospect of having to pay out
damages for gullible call centre agents to motivate training agents to be
smarter.

~~~
motherdearest
Additionally many institutions guard against this by having systems that hide
the security question from the customer service representative and only
authenticate on a correct answer. If they are showing the "secret questions"
to their entire customer service department you don't even need to worry about
outside attacks because your organization is ripe from the inside
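
An added example, not the design of any institution named in the thread, of the pattern motherdearest describes: the answer is normalised and stored as a salted, slow hash, the agent's console returns only a yes/no per attempt and locks after a few failures, and nothing the agent can see confirms "I just mashed the keyboard" (jjeaff's worry) one way or the other. PBKDF2 with SHA-256, the round count and the lockout threshold are assumptions; the normalisation is deliberately forgiving so that Anglicised or accented spellings (saagarjha's grandfather's problem) still match:

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000  # assumption: any slow, salted KDF will do


def normalize(answer: str) -> str:
    """Strip accents, case and punctuation so "O'Brien", "OBRIEN" and "o brien" agree."""
    decomposed = unicodedata.normalize("NFKD", answer)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(ch for ch in ascii_only.casefold() if ch.isalnum())


def enroll_answer(answer: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Store only salt + KDF output; the answer itself never reaches the database."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def check_answer(record: Dict[str, str], claimed: str) -> bool:
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", normalize(claimed).encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class AgentConsole:
    """What the rep gets: the question text, a yes/no per attempt, and a lockout.

    The rep never sees the stored answer, so "that must be a glitch" cannot be
    checked against anything, and a plain-text dump of this table reveals nothing.
    """

    def __init__(self, question: str, record: Dict[str, str], max_attempts: int = 3):
        self.question = question
        self._record = record
        self.max_attempts = max_attempts
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def check(self, claimed: str) -> bool:
        if self.locked:
            return False  # escalate to an out-of-band channel instead
        ok = check_answer(self._record, claimed)
        if not ok:
            self.failures += 1
        return ok
```

The lockout is what stops the agent being used as an oracle: without it, the yes/no interface is just a slower brute-force form.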

------
arikrak
Most sites just send password reset info to your email. I thought these
questions are usually used just as an extra layer on top of that? So someone
would need to hack your email and guess your question, which makes it less of
an issue if you keep a secure email account.

------
zulln
Wrote about this a week ago: [https://labs.detectify.com/2017/12/20/security-questions-are-not-secure/](https://labs.detectify.com/2017/12/20/security-questions-are-not-secure/)

------
PeterStuer
Sites? When I call my bank to de-block my debit card after 3 wrong PIN
attempts, they use the same 'security questions' to 'secure' the call
(establish that it is truly me calling).

------
exabrial
In 2018, anyone here that is working on an internet facing application should
push for TOTP or U2F, please. Texting, security questions, et al., are nothing
but security theater.

------
senectus1
Until very recently my bank here in Australia was limiting the complexity of
passwords.

no more than 10 characters, no special characters.

utterly ridiculous.

~~~
dukeflukem
Name and shame em

~~~
senectus1
Used to be called Police and Nurses.

Now it's P&NBank.

But they've just relaunched their whole digital banking solutions... its a lot
better now.

------
keir-rex
It is a secret if you answer the question incorrectly and only you know what
the real-fake answer is!

------
HenryBemis
I wonder if all this Mother's Maiden Name secret started in The Exorcist(?)

------
waytogo
tl;dr security questions are insecure because most questions are flawed (like
what's your mother’s maiden name)

------
aylmao
no shit

~~~
dang
Please don't post unsubstantive comments here.

