Monday, September 10, 2012

Using Mined Data for Security Questions

You're familiar with the drill. When you create an online account for just about any service you end up creating several security questions to which hopefully only you know the answer. This adds a layer of security to the standard user name and password employed for logging on. Then hopefully you remember the answers you selected the next time you have to answer one or more of those questions.

This is just one of the methods used for enhancing online security. Some sites use an image and/or an unusual phrase to verify that you are on the service's authentic website and not some phishing scam site. Many sites require you to enter obfuscated phrases that are difficult for computers to read to verify that you are a human and not some robo-entry program.

No security paradigm is foolproof. Every layer of security adds a layer of inconvenience. Service providers constantly walk a narrow line between making you secure and making you frustrated. Security experts know that users frequently choose convenience over security. The higher the level of potential frustration, the higher the chance that the user will compromise his own security.

Take the ubiquitous password, for example. The most common passwords in the world include 1234, 12345, and password, all of which are easily guessed by humans and computers alike. Frankly, people are frustrated by the number of varied passwords they must remember. Different sites have different password requirements and even experts disagree on what makes for a secure password. Password vaults are often cumbersome enough to render them as inconvenient as remembering multiple passwords.

Some service providers are now using data mining to provide more security. When my wife recently accessed an online account she was presented with a series of questions she didn't choose. For example, she was asked to select from a list a street name with which she had been associated. None seemed familiar until she dug through old files and discovered an address at which we had briefly lived years ago when we first married. A couple of other questions were obscure enough to require research as well.

The other day I was helping my mother-in-law with her bank account. We reached a point where she had to call customer service. The service rep asked her a fairly long series of questions. I heard my mom-in-law answer, "None of the above" to several. After completing the list, the service rep informed Mom that she had answered too many questions incorrectly and that they could only help her if she appeared at a branch in person to verify her identity.

On the one hand, I was pleased that the bank was serious about verifying Mom's identity before discussing account details. When the attempt failed, they implemented procedures designed to protect Mom's account.

On the other hand, I was immediately unimpressed with the data mining security question process. If this method produces questions of such a recondite nature that the answers are not immediately discerned by the people that experienced the activities that gave rise to the data, how effective is it really?

And how secure is it really? The data used for the questions that both my wife and my mom-in-law faced came from publicly available records. How long will it take before the bad guys figure out which questions are likely to be asked? How hard will it be for them to derive the answers from a few Google searches? They might actually be better at answering these questions than the real account holders.

We all want our personal data to be secure online. But I think this new data mining security question method can safely be scored as a customer relationship and security failure. It is cumbersome enough to drive customers away, especially when it prevents them from legitimately using the services it is designed to protect. And, as mentioned above, it is likely only a matter of time until the bad guys overcome the protective wall that frustrates regular customers anyway.
