That's why you don't answer those questions honestly. My mother's maiden name is always a random 32 character string living in my KeePass database...
Combine this with similar unique answers to other questions and the chances of someone guessing them all become really small.
One thing I never tried is to just put something like Anyone_trying_to_reset_this_password_is_a_hacker_DQWIqw12E^1&UTFD@&$. Might be an inconvenience if you actually need to reset yourself.
Personally I include many literary/media characters. Even my name on this site.
Instead of a gibberish generator (à la password managers' default generated passwords), use a _word generator_. Something like "correct horse battery staple" except, you know, not the popular words.
Then, of course, make sure to include those secrets in your password manager.
How would the call center know if your mother's maiden name is actually Smith if you never answered the question honestly?
I could see the "It's a lot of random letters and numbers" response working by itself though.
"Hello Mr Thombat, I can see your account number but first I just have to ask you some security questions...what was your grandfather's occupation?"
"That's fine ... now what was the name of your first school?"
"(nervous giggle) Sasquatch"
"Ahhh...and what was your first pet's name?"
"Sasquatch, too. I mean too as in also, not two as in the number...I really didn't expect I'd be telling these to a person, it was just a nice word to say..."
He kindly overlooked my embarrassed tittering, didn't go all jobsworth about this horrific breach of security best practice, nor yet accuse me of lying to one of Her Majesty's civil servants for pecuniary advantage. And (in my defense) no amount of dumpster diving or Facebook scraping would have revealed my family's secret shame that grandpa used to roam the American woods in a monkey suit.
Operator: What is your mother's maiden name?
Hacker: Smith (let's say this is the real name, gleaned from public records)
Operator: That's not what I have here
Hacker: Oh, you know what, I think I just put gibberish when I signed up. I thought that would add some extra security, but I forgot what I wrote, ha ha, joke's on me. The real name is Smith though.
Operator: Story checks out, I'm giving you access to the account now.
Operator: Story checks out, I'm going to reset it to "Smith" for you.
It's security through obscurity, with a bonus that the people who use this technique can't seem to keep quiet about it so it's not even obscurity.
Perhaps that's just the way it should go down in a case like this. But there are costs to making the decision to close off the potential for social engineering as thoroughly as possible.
As a follow-up to my experience, I guess I should expand on the consequences for us. The bank admitted fault, but to protect themselves from a bad employee doing it again in the future, now when we call we have a special voice-only password and PIN, and we have to answer a battery of questions that are clearly pulled from a credit bureau (you know, the types of questions like "You had a mortgage in 2005, what was the street the property was on" and such things). It takes 10 minutes to get to "Thank you sir, how can I help you today" if we ever have to call customer service.
Based on that experience, I think perhaps the bank should make that the answer to recover a deeply lost account. They gave a stranger the credentials to our account -- not just the password, but they had to tell them the login, and disable two-factor authentication (because the login is built from a PIN and RSA code) based on a plea for help. I can see forgetting your password, but who forgets everything? That should be a huge red flag.
I could rant for a long time. I had a pointed discussion with a manager at the bank about how getting five repeated, fruitless requests to change credentials on an account didn't somehow trigger any protective response. How hard would it be to implement a counter that says "okay, after the second attempt to gain access by voice to an account that is denied for lack of authentication, all future calls for this account go directly to the security department for personal attention"? I got no good answer other than a lot of "yes sir, this was completely wrong, sir, I'm sorry, sir" etc.
Obviously, access to a banking account should have a pretty high bar even if that means some people may well end up in difficult situations where they've lost access to their money and the bank can't/won't do anything about it based on a phone conversation.
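The counter the commenter asks for, written as an added example (not the bank's logic or any commenter's code) and run over a constructed call log; the 30-day window is an assumption not in the comment.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CallEvent:
    call_id: str
    account: str
    when: datetime
    auth_failed: bool  # True when the caller could not pass verification

# Constructed sample call log (not real bank data): account A takes five
# consecutive failed verifications, B passes once, C fails twice 68 days
# apart and then again the next day.
SAMPLE_CALLS = [
    CallEvent("c1", "A", datetime(2024, 3, 1), True),
    CallEvent("c2", "A", datetime(2024, 3, 2), True),
    CallEvent("c3", "A", datetime(2024, 3, 3), True),
    CallEvent("c4", "A", datetime(2024, 3, 4), True),
    CallEvent("c5", "A", datetime(2024, 3, 5), True),
    CallEvent("c6", "B", datetime(2024, 3, 5), False),
    CallEvent("c7", "C", datetime(2024, 1, 1), True),
    CallEvent("c8", "C", datetime(2024, 3, 9), True),
    CallEvent("c9", "C", datetime(2024, 3, 10), True),
]

def route_calls(events, threshold=2, window=timedelta(days=30)):
    """Return [(call_id, route)] in time order: "agent" until an account has
    accumulated `threshold` failed verifications inside `window`, then
    "security" for every later call on that account. The window is an
    assumption added here so one stale failure does not escalate forever."""
    failures = defaultdict(list)  # account -> timestamps of recent failures
    escalated = set()
    routes = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.account in escalated:
            routes.append((ev.call_id, "security"))
            continue
        routes.append((ev.call_id, "agent"))
        if ev.auth_failed:
            recent = [t for t in failures[ev.account] if ev.when - t <= window]
            recent.append(ev.when)
            failures[ev.account] = recent
            if len(recent) >= threshold:
                escalated.add(ev.account)
    return routes
```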
Q: "What is your mother's maiden name?"
A: "Do not provide access under any circumstances unless this exact key is provided: WEWQEWQ321312"
"Sorry, I did not hear, but there seems to be a problem with our computer system; I am getting an error message instead of a name. Please can you call back later."
Screen shows them: "Do not provide access und" (25-character silent truncation).
Definitely more plausible as a pet's name than a maiden name.
The bank person was really weirded out when I said it back.
a. Have your name tied to your Hackernews profile
b. Have your bank account security question tied to your Hackernews profile
You appear to have done both, which does not seem like an excellent idea.
I also use a random combination of words instead of just characters;
Yellow Mountain Bad Hernia 13
Call center employees will generally think it's my own connotations (if it's school they will think there is a yellow mountain nearby and maybe I had a hernia... words tend to have associations).
Then I confirmed and started reading it out to her, and she hung up on me. I think I should move to correct-horse-battery-staple style in the future.
The KeePass plugin Readable Passphrase Generator is great for generating Diceware passwords/usernames/security question & answers.
Source: Found on KeePass plugins page
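A small word-based answer generator in the spirit of the "correct horse battery staple" and "Yellow Mountain Bad Hernia 13" comments above, written as an added example rather than code from the KeePass plugin or any commenter; it goes a little beyond the thread by reporting the entropy of a chosen word count and checking that an answer can be read out over the phone. The word list is constructed and far smaller than a real Diceware list.

```python
import math
import secrets

# Constructed sample word list (a real Diceware list has 7776 entries); plain
# words so a call-centre agent hears an odd phrase rather than "gibberish".
SAMPLE_WORDS = [
    "yellow", "mountain", "hernia", "sasquatch", "staple", "battery",
    "horse", "lantern", "orbit", "pickle", "canyon", "velvet", "marble",
    "tundra", "walnut", "harbor",
]

def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly and independently from the list."""
    return n_words * math.log2(list_size)

def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))

def generate_answer(words, n_words=4, choose=secrets.choice) -> str:
    """Build a security-question answer from randomly chosen words.

    secrets.choice (not random.choice) is the default so the draw is
    unpredictable; `choose` is injectable only to make tests deterministic.
    """
    if len(set(words)) < 2 or n_words < 1:
        raise ValueError("need at least two distinct words and one draw")
    return " ".join(choose(words) for _ in range(n_words))

def phone_friendly(answer: str) -> bool:
    """True if the answer can be read aloud without spelling out symbols:
    letters, digits and single spaces only."""
    return bool(answer) and "  " not in answer and all(
        c.isalnum() or c == " " for c in answer)
```

Store the generated answer in the password manager alongside the question, exactly as the thread recommends; the generator only makes the answer, it does not remember it.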
That's... troubling. I would have called back specifically to complain about that person. That's absurd.
Earlier this year, I opened a new account with the (new) bank and discovered that they already had my mother's maiden name, were going to use it for identity verification, and wouldn't allow me to change it to something arbitrary (even another fake name that I sometimes use). Quite frustrating, this security based on insecure information.
I know this is often asked over the phone, so that'll be a little awkward, especially if using non-alphanumeric characters. Interestingly though, I wonder how easy it is to reset your mother's maiden name to a new name if it gets out in the wild.
For them, maybe, but I would relish reading each individual character to them in a slow deadpan monotone.
This effectively allows using the security question as something that can be more reliably recalled by the user, but largely avoids the security issues of an easy to guess secret.