One of the top identity security questions asked on financial sites is, “What is your mother’s maiden name?” You get asked pretty much every time you forget a password or try to log in from a new computer. Our mothers’ maiden names unlock a big part of our identity ― and yet every year around Mother’s Day, those of us with moms who use or display their maiden names on Facebook make it a little easier for the bad guys to crack our code.
Security experts have long complained that it makes little sense to encourage online users to change passwords every few months but let security questions remain static. In fact, many sites offer users a drop-down menu of the same five or six security questions: What city were you born in? What’s your favorite color? What’s the name of your first dog? And, of course, the ubiquitous “What’s your mother’s maiden name?”
Banks have used our mother’s maiden name as a way to verify our identities since as early as 1882, long before the dawn of the internet. In an op-ed in The New York Times last year, private investigator Anne Diebel pointed out that when the Federal Financial Institutions Examination Council recommended in 2005 that banks improve their security and authentication measures for online banking purposes, banks just moved the same old question to the internet. Other sites apparently figured that the banks knew what they were doing, she wrote, and followed suit.
Jim Fenton, an identity privacy and security consultant who runs the blog Insecurity Questions, was quoted in Wired saying he wished security questions would just go away. “If passwords are vulnerable, why are security questions somehow so special that they live on forever?” he asked. He noted that every data breach leaches out more personal information that can make guessing the answers to security questions easier. (Fenton did not respond to HuffPost’s requests for an interview by the time of publication.)
Even the federal government is ready to do away with security questions. The National Institute of Standards and Technology proposed guidelines last July that didn’t even mention them as a recommended verification tool. And Yahoo, victim of a large user data breach itself, now tells users: “It’s more secure to add an email address or phone number to verify and secure your account. If you’ve recently updated a mobile number or alternate email address, your security questions may have already been removed during the process.” It also suggests you use a two-step verification process for added security.
PNC Bank’s chief cyber security officer, Debbie Guild, says everyone should do an internet search on themselves. “You just may be surprised how many details of your life ― past and present ― are readily available to the public,” she told HuffPost. “Marry that information with even more personal tidbits of your daily movement or activities shared on social media channels, and you are practically handing the keys to your kingdom over to the bad guys.”
If you must use a security question, at least make it a smart one, she said. “Your mother’s maiden name? Seriously! Think of a better security question that may not be researched online.” Publicly available information may include birthdates, the name of your high school, and your hometown, so steer clear of using those things as well.
One popular suggestion from tech bloggers is that when asked for your mother’s maiden name, just make something up. In other words, lie ― but remember it.
It’s likely your mother’s maiden name is not a secret, and it’s probable that someone could find it on sites other than Facebook. And certainly not every mom on Facebook uses or displays her maiden name. But if yours does, it sure can’t hurt to stop wrapping it up with a tidy bow and handing it over to cybercrooks stalking you online. In fact, if her name is displayed, you probably shouldn’t even identify your mom as your mom the way Facebook asks you to.
Hey, Mom always likes it better when we show some smarts, doesn’t she?