Liz Weston, NerdWallet
Your mother’s maiden name is probably not a secret. Neither, necessarily, is your high school mascot or the size of your car payment. But some banks and brokerages still pretend this is information only you would know, and that could be putting your money at risk.
So-called security questions long ago outlived their usefulness, since they can be hard for the right people to remember and easy for the wrong people to guess or steal.
“Relying on questions and answers is absolutely brain-dead, but a lot of banks do it because they’re not equipped to implement anything else and regulators aren’t mandating alternatives,” says security expert Avivah Litan, vice president and analyst at Gartner Inc.
Financial institutions disagree, saying “knowledge-based authentication” — especially questions based on less readily available information, such as data in your credit report — can be an effective way to identify customers.
“No security measure is perfect, but knowledge-based authentication is certainly more granular and more effective than shared secrets, such as your mother’s maiden name,” says Doug Johnson, senior vice president for payments and cyber security at the American Bankers Association.
Yet repeated database breaches mean that tons of once-private information is now in criminal hands. Security questions and answers were among the data stolen from 1 billion Yahoo accounts in 2013, for example, and criminals answered questions drawn in part from credit report data to access more than 700,000 taxpayers’ transcripts at the IRS.
You don’t have to be a hacker or even very persistent to find the answers to some security questions. Many people post information such as birth dates and pets’ names on Facebook. They may link to family members, including their mothers. (If you can’t find a maiden name that way, try genealogy sites such as Ancestry.com.) Data brokers legally hawk addresses, phone numbers, birth dates and property records, among other information, for as little as $1 per person.
Some financial institutions that use security questions say they’re only one facet of a multilayered approach. Discount broker Charles Schwab, for example, says it uses additional “tools, controls and technologies” — kept secret to foil attackers — to verify identity. Schwab also offers customers the option to add a verbal password and activate voice-recognition technology for added security in telephone transactions, says Sarah Bulgatz, director of corporate public relations for Schwab.
Financial institutions may take extra measures to determine identity when they spot unusual transactions or attempts to log in from unfamiliar devices or networks, Johnson says.
Still, it’s hard to know as a customer what’s being done behind the scenes to protect you. And while federal regulations typically require financial institutions to restore money lost due to fraud, some banks, including Chase, say customers will be on the hook if they share their credentials with third-party sites such as Mint. Even if stolen money is eventually restored, customers could be without funds for days or weeks while their cases are investigated.
TOUGHEN UP YOUR DATA
Given this landscape, we need to take extra steps to protect our money. There’s no way to make your accounts hacker-proof, since criminals have found ways around everything from facial recognition software to fingerprint authentication. Your goal should be to make your accounts tougher to compromise so the bad guys move on to easier targets. Here’s how to do that:
• Use unique, strong passwords. Password managers such as 1Password and LastPass can help create and track this information as well as answers to security questions. Your router at home should be password-protected as well.
• Stick to your home network. Criminals can snatch your login credentials when you use public Wi-Fi for financial transactions. Plus, your institution may pay more attention to bad guys’ login attempts if you have a consistent pattern of using only your home network.
• Turn on two-factor authentication. Many banks and brokerages offer this option, which typically requires you to input a code texted to your cell phone or created by a smartphone app. (Here are institutions that offer two-factor authentication.
• Ask what else companies are doing to protect you. Financial institutions post security policies on their websites, but ask specifically how your bank or brokerage handles sensitive transactions, such as attempts to change your phone number (to thwart two-factor authentication, for example).
What if you don’t like what you hear? Then it may be time to move your money to a financial institution that wants to help you keep it.