How not to do online security

I’ve been having trouble with the online access to one of my bank accounts. Due to a combination of disorganisation and poor memory (it’s not one of my commonly used accounts), I’ve had to reset the password several times. It’s always a frustrating experience, but on the most recent occasion they hit me with something entirely new: they wanted me to “change your mother’s maiden name”.

My response was probably more sarcastic than it really deserved, especially given that it turned out not to be quite as silly as it sounded: I merely had to change the answer I gave to the question “What is your mother’s maiden name?” It didn’t matter what my answer was so long as I could remember it and produce it on demand.

This situation is wrong on several levels. First of all, it’s pretty terrible from a usability perspective. Remembering that I should reply “sausages” when asked for my mother’s maiden name is not particularly hard (at least if only one of my bank accounts suffers from this peculiarity, and I log in often enough that I remember this), but it’s an ugly wart on the user experience and leaves the impression of a bank that is pretty half-arsed.

At a deeper level, this is wrong because it’s symptomatic of poor application architecture. At some point during the software development, somebody must have looked at a database diagram like this:

Somebody else must have known that, under certain circumstances, the security question would have to be changed. Unfortunately, these two people weren’t the same person, and don’t appear to have talked to each other. The architecture clearly doesn’t support the ability to change the security question. Sure, this kind of bug happens all the time—except that security, more than anything else, deserves the kind of architectural attention that’s obviously missing here.

But there’s an even more fundamental reason why this situation is wrong. The bank appears to be confused about the very purpose of using the mother’s maiden name (or any other personal information) as a credential.

Time was when finding out someone’s mother’s maiden name was seriously difficult, unless you happened to know it. Marriage certificates are public record, but (and I’m guessing here) they aren’t indexed in the right way to make it a tractable problem to look up the maiden name from the married name. In the days of paper files, it didn’t matter if something was O(n) provided that n was large.

Nowadays, it no longer works this way. The population of married people is large by human standards, but small enough to be searched in seconds by a computer, even if the search method is inefficient. I don’t know how marriage records are exposed, but it’s reasonable to suppose that a sufficiently motivated attacker can get the data set. Even if not, plenty of people have enough information on their Facebook or LinkedIn profile to infer a mother’s maiden name.

Personal information still has a role to play in security, but not in the same way. People tend to think of password cracking as trying lots of attempts to guess one person’s password, but an alternative is to take one obvious password and try it against a number of people. Money is money, and you don’t care much whose account you rob. For a given common password, a large enough bank is almost certain to have somebody who uses that password.

Against this kind of attack, the trusty old mother’s maiden name comes in handy. If it only takes 2 minutes of snooping on Facebook to find the information you need, then this doesn’t stop you attacking one particular person’s account. But if you want to try ten thousand accounts to find the one whose password is “5au5age5”, then you’re out of luck.

A crucial point here is that this kind of security benefits only marginally by changing the secret answer. By hypothesis, the secret answer is pretty easy to get hold of anyway. The great strength of personal information is that you don’t forget it; if this wasn’t an important part of the design then everyone could just make their password twice as long and get exponentially greater security. But passwords are already pretty much at the limit of what human beings can cope with, and personal information is a low-cost way to extend security against an important class of attacks.
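As an added illustration of the two points above (the architecture that cannot change the question, and the one-password-against-many-accounts attack), here is a toy credential record in which the question text is ordinary data that rotates with its answer, plus a simulated spray run over an in-memory store. This is my own example, not the bank’s design or code from this post; `Account`, `simulate_spray` and the sample names are constructed.

```python
import hashlib
import hmac
import os


def _hash(secret: str, salt: bytes) -> bytes:
    # Normalise so "Sausages " and "sausages" compare equal, then slow-hash
    # so a leaked table cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", secret.strip().lower().encode(), salt, 100_000)


class Account:
    """One customer record. The security question is a field, not a fixed column,
    so the question text and its answer can both be changed."""

    def __init__(self, password: str, question: str, answer: str):
        self.pw_salt = os.urandom(16)
        self.pw_hash = _hash(password, self.pw_salt)
        self.question = question
        self.q_salt = os.urandom(16)
        self.answer_hash = _hash(answer, self.q_salt)

    def set_security_question(self, question: str, answer: str) -> None:
        # Rotating the answer also rotates its salt; the question text is free-form.
        self.question = question
        self.q_salt = os.urandom(16)
        self.answer_hash = _hash(answer, self.q_salt)

    def check(self, password: str, answer: str) -> bool:
        # Evaluate both factors every time so the response does not reveal
        # which one was wrong; constant-time comparison on each digest.
        pw_ok = hmac.compare_digest(_hash(password, self.pw_salt), self.pw_hash)
        ans_ok = hmac.compare_digest(_hash(answer, self.q_salt), self.answer_hash)
        return pw_ok and ans_ok


def simulate_spray(accounts: dict, password: str, answer_guess: str) -> list:
    """Defender's measurement: try one password and one guessed answer against
    every account and return the names that would have been opened."""
    return [name for name, acct in accounts.items() if acct.check(password, answer_guess)]
```

With the answer required, a single guess opens only those accounts that share both the password and the answer; after one customer rotates their question, even a correct former answer no longer works for them.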
