My bank has decided that I have to have some security challenge questions, and gave me a fixed set of questions to add answers to.
They had some simple instructions: “Keep them secret and don’t disclose them to anyone. Don’t write down or record them anywhere.” And added a little threat as icing on the cake: “If you don’t follow these instructions, you may be liable for any loss arising from an unauthorised transaction.”
If I actually attempt to give honest answers to the questions, any determined and reasonably intelligent hacker could find the answers to all the questions that I actually know the answer to online, within a minute or two, tops.
So what if I opt to use 1Password or another password management tool to generate secure and random “password” style answers to these questions? These would not be readily memorisable and so I’d have to save them in the tool. But according to their little threat, I can’t do that! That’s called recording the answers to the questions, and I could be liable if an unauthorised transfer occurs.
The real problem with questions like this is that too much of this information is recorded online, already. It adds a layer of complexity to the security model, without actually improving security much, if at all.
Then another question arises. If an acquaintance does happen to ask me where I got married, am I now liable to ANZ if I tell them? It sounds ridiculous but lawyers be lawyers. Mind you, given that I have no way of not agreeing to the terms, perhaps it’s unenforceable. The whole thing is really badly thought out.
Update 9:46am: “Blizzard and insecurity questions: My father’s middle name is vR2Ut1VNj” is a really good read for more detail!