Why are the security questions so dumb?


Towards the end of a long recent afternoon in a drab booth at a local branch of one of the world’s largest banking systems, I entered another dimension. My spouse and I kept signing forms and providing photo ID to open a new account we needed. The woman across the desk was quickly typing in phone numbers and addresses. Then she said she just needed to ask some security questions. What was the name of the street I grew up on? What was my mother’s maiden name? I suddenly had the unpleasant feeling of having been transported to a retro Florence Pugh film. Who grows up on a street anymore? Whose mother was a maiden? Had I – a woman who shared children with the man sitting next to her but didn’t share his name – ever been one?


“Maiden” sits right up there with the still-popular “co-ed” and “love child” in the pantheon of expressions no one should use anymore. It’s the 21st century: plenty of women go to college, unmarried people have babies, and not everyone has a straight, cisgender mother who absorbed a husband’s nomenclature when her father handed her over with her dowry.

These are not new developments. As Kate Tuttle wrote for Salon in 2015, the concept of maiden names “reminds us of one thing: that marriage as an institution once required a virgin bride to move from her father’s house to her husband’s, and that the name she had borne from birth was discarded with her virginity on the occasion of her marriage.”

About 20-30% of women in the United States keep their birth name when they marry. That is millions of women, many of whom are or will be someone’s mother. A third of American children currently live with a single parent. Between 2 and 3.7 million American children under the age of 18 are raised by at least one LGBTQ parent. Even among those of us who have or have had mothers who go by traditional maiden and married names, not everyone wants a reminder of their parents or grandparents when they are just trying to fill out some forms. “Maiden name” is an increasingly obsolete concept.

Other standard security questions seem almost as outdated and weird. How does someone who moved many times as a child – like my spouse and I did – choose a street they grew up on? What does someone who has never owned a car give as the “model of their first car”? What would a homeschooler name as a primary or secondary school? Or how could someone from any number of financial, religious or cultural backgrounds provide a supposed “first gig”?

Admittedly, a bank’s extremely haphazard and possibly ’90s-era security system is not the first place to look for a nuanced understanding of modern identity and family dynamics. But what makes it all the more annoying is that these easy and, for many, unanswerable security questions aren’t even really secure.

In 2008, a man named David Kernell gained access to vice-presidential candidate Sarah Palin’s Yahoo email account by using the service’s password recovery process and answering a few easily searchable security questions, such as her date of birth and where she met her spouse. Shortly after, he posted on 4chan that “It took seriously 45 minutes on wikipedia and google to find the info.” [sic] These are the same questions your bank or social network is probably still asking you today, all these years later.

If you’re not the Governor of Alaska, you might think your personal information isn’t as accessible or appealing to others. But do a little creative research on yourself now and then and see how easy it is to find your schools, your previous addresses, and probably even your first gig and the name of your first pet. Then consider that your money, your credit information, everything you can imagine about yourself, can all be hiding behind – and this is a real security question – your older brother’s middle name. (Firstborns and only children don’t need to answer, I guess.)

In 2016, Yahoo acknowledged an earlier hack that compromised the personal information of around 500 million users. As the Guardian reported, “Yahoo has not encrypted all of the security questions it has stored, and therefore some are plain-readable. While it can be irritating to have to change a stolen password, it’s a little worse to have to change a stolen mother’s maiden name.”

If it’s that easy for a stranger to figure out how to crack your security, imagine how much easier it could be for someone who knows you. A revealing 2015 white paper from Stanford titled “Secrets, Lies, and Account Recovery: Lessons from Using Personal Knowledge Questions at Google” found that “Users’ answers can be easily accessed by partners, friends, or even acquaintances”. A study it cites showed that even acquaintances “could guess 17% of [security] answers correctly in five attempts or less” and that “Using a single guess, an attacker would have a 19.7% success rate in guessing English-speaking users’ responses to the ‘favorite food’ question.” The white paper concluded, unsurprisingly, that “Secret questions generally offer a much lower level of security than user-chosen passwords.”

Knowing how easily exploitable these security questions are, why are some of the biggest companies in the world still asking them? This is partly because the answers are supposed to be easy for you to remember. When you’ve bombed your password for the tenth attempt, a dear old mom or beloved pet should still be easily summoned from the memory vault.

But Ric Hawkins, a former financial advisor who currently writes about AI software, SEO, content marketing, and investing, says these questions aren’t just intentionally simple for our benefit. “On the one hand, they’re relatively cheap and easy to implement,” he says. “They don’t require any specialized hardware or software, and business owners don’t have to worry about training their employees to use them. In many cases, it comes down to a lack of creativity. With so many accounts to follow, it’s easy for companies to default to answering the same questions over and over again, so hackers can easily find the answers to those questions with a little digging.”

So what are we supposed to do about these ridiculous options? Lie. Steve Weisman, security expert and author of “Identity Theft Alert: 10 Rules You Must Follow to Protect Yourself from America’s #1 Crime,” says, “There’s no reason you should answer a security question honestly. Therefore, the answer to the question about your mother’s maiden name may be ‘fire truck’. It’s so silly you’ll remember it and no hacker will ever guess it.”

We can and must work around these security questions by inventing (and memorizing!) alternative answers. But it would be just as good if we all moved forward into the 21st century. It shouldn’t just be up to me, as a consumer, to come up with answers that are harder to find. It should be up to banks and corporations to start inventing better security systems.

Gradually, that is starting to happen. More secure options like two-factor authentication are increasingly becoming the norm. And regarding the issue of mother’s maiden name, “Honestly, I don’t see it used much these days,” says Chris Fletcher, senior vice president of national accounts at Crest Capital, “except for credit card companies, and I suspect they will phase it out if it hasn’t already.” Fletcher notes: “It has become moot today. It’s from a bygone era when we assumed ‘everyone’ belonged to a stereotypical nuclear family, even though they really weren’t. All of these security questions have a stereotypical assumption. First car, first pet, first gig… they all ‘assume’ a middle-class life with gigs, pets and cars.” And that, he says, “is a problem.”

I have the same last name I was born with – the name of the man my mother was married to for three whole months of her pregnancy with me. It’s not my maiden name; it’s just my name. It’s also the third most common surname in America, so if you want to try someone’s mother’s maiden name, mine is a pretty good guess. Maybe that’s why my daughters find these “mother’s maiden name” questions so odd. When I sat next to my 18-year-old daughter in August as she opened a new bank account, she briefly gave me a puzzled look when the question was asked. Then she wisely gave her grandmother’s instead.
