HOME

TheInfoList



Click Here for Items Related To - security question
OR:
security question on:   [Wikipedia]   [Google]   [Amazon]

A security question is a form of
shared secret In cryptography, a shared secret is a piece of data, known only to the parties involved, in a secure communication. This usually refers to the key of a symmetric cryptosystem. The shared secret can be a PIN code, a password, a passphrase, a b ...
used as an authenticator. It is commonly used by
bank A bank is a financial institution that accepts Deposit account, deposits from the public and creates a demand deposit while simultaneously making loans. Lending activities can be directly performed by the bank or indirectly through capital m ...
s, cable companies and wireless providers as an extra
security Security is protection from, or resilience against, potential harm (or other unwanted coercion). Beneficiaries (technically referents) of security may be persons and social groups, objects and institutions, ecosystems, or any other entity or ...
layer.


History

Financial institution A financial institution, sometimes called a banking institution, is a business entity that provides service as an intermediary for different types of financial monetary transactions. Broadly speaking, there are three major types of financial ins ...
s have used questions to authenticate customers since at least the early 20th century. In a 1906 speech at a meeting of a section of the American Bankers Association,
Baltimore Baltimore is the most populous city in the U.S. state of Maryland. With a population of 585,708 at the 2020 census and estimated at 568,271 in 2024, it is the 30th-most populous U.S. city. The Baltimore metropolitan area is the 20th-large ...
banker William M. Hayden described his institution's use of security questions as a supplement to customer
signature A signature (; from , "to sign") is a depiction of someone's name, nickname, or even a simple "X" or other mark that a person writes on documents as a proof of identity and intent. Signatures are often, but not always, Handwriting, handwritt ...
records. He described the signature cards used in opening new accounts, which had spaces for the customer's birthplace, "residence," mother's maiden name, occupation and age. Hayden noted that some of these items were often left blank and that the "residence" information was used primarily to contact the customer, but the mother's maiden name was useful as a "strong test of identity." Although he observed that it was rare for someone outside the customer's family to try to withdraw money from a customer account, he said that the mother's maiden name was useful in verification because it was rarely known outside the family and that even the people opening accounts were "often unprepared for this question."William M. Hayden (1906)
Systems in Savings Banks
''The Banking Law Journal'', volume 23, page 909. Similarly, under modern practice, a credit card provider could request a customer's
mother A mother is the female parent of a child. A woman may be considered a mother by virtue of having given birth, by raising a child who may or may not be her biological offspring, or by supplying her ovum for fertilisation in the case of ges ...
's maiden name before issuing a replacement for a lost card. In the 2000s, security questions came into widespread use on the
Internet The Internet (or internet) is the Global network, global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a internetworking, network of networks ...
. As a form of self-service password reset, security questions have reduced
information technology Information technology (IT) is a set of related fields within information and communications technology (ICT), that encompass computer systems, software, programming languages, data processing, data and information processing, and storage. Inf ...
help desk A help desk is a department or person that provides assistance and information, usually for electronic or computer problems. In the mid-1990s, research by Iain Middleton of Robert Gordon University studied the value of an organization's help des ...
costs. By allowing the use of security questions
online In computer technology and telecommunications, online indicates a state of connectivity, and offline indicates a disconnected state. In modern terminology, this usually refers to an Internet connection, but (especially when expressed as "on lin ...
, they are rendered vulnerable to keystroke logging and brute-force guessing attacks, as well as
phishing Phishing is a form of social engineering and a scam where attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware. Phishing attacks have become increasingly sophisticate ...
. In addition, whereas a human customer service representative may be able to cope with inexact security answers appropriately, computers are less adept. As such, users must remember the exact spelling and sometimes even
case Case or CASE may refer to: Instances * Instantiation (disambiguation), a realization of a concept, theme, or design * Special case, an instance that differs in a certain way from others of the type Containers * Case (goods), a package of relate ...
of the answers they provide, which poses the threat that more answers will be written down, exposing them to physical theft.


Application

Due to the commonplace nature of social-media, many of the older traditional security questions are no longer useful or secure. A security question is just another form of a password mechanism. Therefore, a security question should not be shared with anyone else, or include any information readily available on social media websites, while remaining simple, memorable, difficult to guess, and constant over time. Understanding that not every question will work for everyone, RSA (a U.S. network security provider, a division of EMC Corporation) gives banks 150 questions to choose from. Many have questioned the usefulness of security questions. Elie Bursztein
New Research: Some Tough Questions for ‘Security Questions’
''24th International World Wide Web Conference'' (WWW 2015), Florence, Italy, May 18 - 22, 2015; ''Google Online Security Blog'', 21 May 2015 (retrieved 21 May 2015) Security specialist
Bruce Schneier Bruce Schneier (; born January 15, 1963) is an American cryptographer, computer security professional, privacy specialist, and writer. Schneier is an Adjunct Lecturer in Public Policy at the Harvard Kennedy School and a Fellow at the Berkman ...
points out that since they are public facts about a person, they are easier to guess for hackers than passwords. Users that know this create fake answers to the questions, then forget the answers, thus defeating the purpose and creating an inconvenience not worth the investment.


See also

* Cognitive password * Knowledge-based authentication * Password fatigue


References

{{reflist Authentication methods Banking technology Computer access control