I don’t have a favorite athlete!

My U.S. bank recently made me change my password when I logged in. They even made me use “special characters” in the password, like # " % &, to make sure it was secure. Annoying, but no big deal. I’ll put up with it. I understand why they’re trying to do this.

Next, though, they crossed the line from annoying to downright hit-the-screen-in-frustration. They resorted to making me answer questions that I’ll need to answer if I forget my password. If they could have stuck to simple factual personal questions, like my mother’s maiden name, my date of birth, or my phone number, then no problem at all. But they didn’t:

Validation questions include: What is the name of the street you grew up on? What was the make of your first car?

The make of my first car might seem like a simple factual question. Mine was a Honda Civic. But what if next time I just type “Honda” or “honda civic”? You very quickly move to a place where you can’t answer your own validation questions.
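The “Honda” versus “honda civic” problem above is partly a comparison problem on the server side. As an added illustration, not code from the original post or from any bank, here is how a defender would canonicalise an answer (case, punctuation, spacing) before hashing it, with the hash compared in constant time; the function names and the PBKDF2 parameters are assumptions. It also shows the limit the post is complaining about: normalisation cannot turn “Honda” into “Honda Civic”.

```python
import hashlib
import hmac
import os
import re
import unicodedata

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for the deployment


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer so trivial variations compare equal.

    Unicode-normalise, case-fold, drop punctuation and collapse whitespace.
    'Honda  Civic.' and 'honda civic' become identical; 'Honda' does not,
    because normalisation fixes form, not content.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)  # strip punctuation such as '.' or ','
    return " ".join(text.split())  # collapse runs of whitespace, trim ends


def enroll_answer(answer: str, salt: bytes = b"") -> tuple:
    """Store only a salted, slow hash of the normalised answer, never the text."""
    salt = salt or os.urandom(16)  # fresh random salt per stored answer
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the hash of the normalised candidate and compare in constant time."""
    attempt = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    # Constructed sample: the answer given at enrolment and three later attempts.
    salt, digest = enroll_answer("Honda Civic")
    for attempt in ("honda civic", "  Honda  Civic. ", "Honda"):
        print(repr(attempt), "->", verify_answer(attempt, salt, digest))
```

Normalising the stored answer this way removes the spelling-and-spacing lottery but does nothing for the “favourite athlete” class of question, where the user has no stable answer to begin with.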

The next set of questions is even worse — they ask questions that sound like they’re geared for a 5-year-old. And I have to choose one of these!

Who is your favorite person? Who was your childhood hero? Who is your favorite athlete?

I don’t have a favorite person, nor a childhood hero, nor a favorite athlete! And if I force myself to choose an answer, will I remember it next time? Will I remember how I spelled it?

These validation questions drive me mad. I just know I’ll mess up when trying to answer them in a month or two. They don’t validate my identity, they just validate that the web app stinks.

If banks can’t rely on the usual we’ll-email-your-password-to-you-if-you-forget-it approach because it’s not secure enough, surely there has to be a better way.

Neither AIB nor Bank of Ireland has a forgot-your-password feature. That seems a better route. I’d much rather just have to ring the bank than be forced to answer these ridiculous questions.

Good validation questions?

Any thoughts on what are better solutions for validation questions that are secure enough for banks? What’s wrong with just sticking to the basic facts, like DOB, PPS number, and home phone number?

6 Comments

  1. Brian,

    I suppose identity theft is a major concern for banks and perhaps a case of covering their ass.

    Firstly, in terms of identity theft the answers to these silly questions would never appear on official documents like bank statements, tax return forms, bills etc. which identity thieves could get from rummaging through your garbage (US term included for your convenience). So there’s no written record of these answers. The basis of authentication is something you have or something you know, so the inane interrogation they put you through deals with the latter.

    If they have taken “reasonable” (or unreasonable to the downright irrational) measures to protect their system from phishing, fraud and identity theft then the liability and responsibility of security lies with the customer.

    There’s a huge tension between the obvious security need and the customer experience, a problem I don’t think I’ve seen fully solved anywhere. Customers are likely to tolerate a poorer user experience if they are reassured that they are in a totally secure environment, but there has to be a balance.

    OpenID is one possibility, but it’s highly unlikely that Irish banks would take that on anytime in the next 10 years.

    Just for kicks, I’d recommend Dick Hardt’s infamous “Identity 2.0” speech.

  2. I had this problem too – except for one set of questions, every single question related to either the user’s child, spouse, or pet, and I have none of the above. What in the world was I supposed to do with that?

  3. @ Natalie – that’s even worse than the questions I went through!

    @ Lar — thanks for the insights into the banking business. As often happens with these things, it’s often genuine behind-the-scenes issues that manifest themselves as comically stupid user-interface decisions. In light of what you said, I’d say banks should definitely go the route of AIB and BOI, don’t offer any forgot-your-password routes until they sort out a decent way to do it that’s secure and usable.

    But with all the money that banks have, surely they can invest in a way to figure this out. Surely someone has already.

  4. O2.ie asked me for my “favourite place”. It’s a stupid question and I can’t remember the answer I gave. I haven’t logged in for a few months.

    Good validation questions should be personal, unambiguous and ideally have one word answers.

    Examples from my bank:

    – What age was your father when you were born?

    – What city were you born in?

  5. The standard mother’s maiden name is good as:

    1) Everyone knows it

    2) It is not ambiguous

    3) It does not appear on most official documents (except birth cert)

    Rather than asking the user a meaningless question, why not let the user enter both a meaningful personal question and the answer?

    Niall

  6. I think the “mother’s maiden name” option is awful.

    - it’s both offensive and useless to people whose mothers are unmarried.

    - shock! Not every woman changes her name when she gets married (and to be honest, that assumption offends me!).

    Even if her child has a different last name, or a combination last name, the point is that the mother’s surname would be a very public piece of information. So again, useless from a security perspective.

    Really, the question is very antiquated.