Why are security questions so dumb?

Right near the end of a long recent afternoon in a drab cubicle in a local branch of one the largest banking systems in the world, I entered another dimension. My spouse and I had been endlessly signing forms and proffering photo identifications to open a new account we’d needed. The woman on the other side of the desk had been briskly typing phone numbers and addresses. Then she said she just needed to ask a few security questions. What was the name of the street I grew up on? What was my mother’s maiden name? I suddenly got the uneasy feeling I’d been transported into a retro-tinged Florence Pugh movie. Who grows up on one street any more? Whose mother was a maiden? Had I — a woman who shared children with the man sitting next to her but did not share his name — ever been one?

---

Want more health and science stories in your inbox? Subscribe to Salon’s weekly newsletter The Vulgar Scientist.

---

“Maiden” exists right up there with the somehow still-popular “co-ed” and “love child” in the pantheon of phrases nobody should be using any more. It’s the 21st century and lots of women go to college; unmarried people have babies, and not everyone has a straight, cisgender mother who absorbed a husband’s nomenclature when her father handed her off to him along with her bride price.

These are not novel developments. As Kate Tuttle wrote for Salon back in 2015, the concept of maiden names “reminds us of one thing: that marriage as an institution once demanded a virgin bride who was handed from her father’s house to her husband’s, and that the name she had worn since birth was discarded along with her virginity upon the occasion of her wedding day.”

Roughly 20 to 30% of women in the United States retain their birth names when they marry. That’s millions of women, many of whom are or will be someone’s mother. One third of American children are currently living with a single parent. Between 2 and 3.7 million American children under 18 are being raised by at least one LGBTQ parent. Even among those of us who do or did have mothers who with traditional maiden and married names, not everybody wants a reminder of their parents or grandparents when they’re just trying to fill out some forms. “Maiden name” is increasingly obsolete concept.

Other standard security questions seem nearly as outdated and strange. How does someone who moved several times in childhood — as both my spouse and I did — pick a street they grew up on? How does someone who’s never owned a car name the “model of first car”? How would someone homeschooled name an elementary or high school? Or how would a person of any number of financial, religious or cultural backgrounds provide an assumed “first concert”?

It’s true that some bank’s extremely random and possibly nineties-era security system isn’t going to be first place one turns for a nuanced grasp of modern identity and family dynamics. But what makes it all the more unnerving is that these breezy and, for many, unanswerable, security questions aren’t even truly secure.

In 2008, a man named David Kernell waltzed right in to then vice presidential candidate Sarah Palin’s Yahoo email account by using the system’s password recovery system and answering a few easily searchable security questions, like her date of birth and where she met her spouse. Soon after, he posted on 4chan that “It took seriously 45 mins on wikipedia and google to find the info.” [sic] These are the same questions your bank or social network may likely still be asking you today, all these years later.

Maybe if you’re not the governor of Alaska, you may think your personal information is not as accessible or tantalizing to others. But do a little creative Googling on yourself sometime and see just how scary easy it is to find your schools, prior addresses and probably even your first concert and the name of your first pet. Then consider that your money, your credit information, anything you can imagine about yourself, may all be tucked away behind — and this is an actual security question — your oldest sibling’s middle name. (Firstborns and onlies need not reply, I guess.)

In 2016, Yahoo admitted to an earlier hack that had compromised the personal information of approximately 500 million users. As the Guardian reported, “Yahoo did not encrypt all the security questions it stored, and so some are readable in plaintext. While it may be irritating to have to change a stolen password, it is somewhat worse to have to change a stolen mother’s maiden name.”

If it’s that simple for a stranger to figure out how to crack your security, imagine how much simpler it could be for someone who knows you. An eye opening 2015 white paper out of Stanford called “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google” revealed that “Users’ answers may be easily available to partners, friends, or even acquaintances.” A cited study showed that even acquaintances “could guess 17% of [security] answers correctly in five tries or fewer,” and that “Using a single guess an attacker would have a 19.7% success rate at guessing English-speaking users’ answers for the question ‘favorite food.'” The white paper concluded, unsurprisingly, that “Secret questions generally offer a security level that is far lower than user-chosen passwords.”

Knowing how easily exploited these security questions are, why then are some of the biggest businesses in the world still asking them? Part of it is that these answers are supposed to be easy for you to remember. When you’ve bombed out on your password for the tenth guess, dear old mom or a beloved pet still ought to be easily summoned from the memory vault.

But Ric Hawkins, a former financial advisor who currently writes on AI software, SEO, content marketing and investing, explains that these questions aren’t just intentionally simple for our benefit. “For one thing, they are relatively cheap and easy to implement,” he says. “They do not require any specialized hardware or software, and business owners do not need to worry about training their employees on how to use them. In many cases, it comes down to a lack of creativity. With so many accounts to keep track of, it’s easy for businesses to default to the same few questions over and over again. As a result, hackers can easily find the answers to these questions by doing a little digging.”

So what are we supposed to do when presented with these ridiculous options? Lie. Steve Weisman, a security expert and author of “Identity Theft Alert: 10 Rules You Must Follow to Protect Yourself from America’s #1 Crime,” says, “There is no reason that you need to answer a security question honestly. Therefore the answer to the question as to your mother’s maiden name can be ‘firetruck.’ It is so silly that you will remember it and no hacker will ever guess it.”

One can and should circumvent these security questions by inventing (and remembering!) alternative ones. But it also would be neat if we all moved along into the 21st century. It should not just be on me as a consumer to come up with more untraceable answers. It should be up to banks and businesses to start inventing better security systems.

Slowly, that is starting to happen. More secure options like two-factor authentication are becoming more the norm. And when it comes to the mother’s maiden name question, “I honestly don’t see it used much these days,” says Chris Fletcher, Senior VP of National Accounts at Crest Capital, “except for credit card companies, and I suspect they will be phasing it out if they have not already.” Fletcher notes, “It’s become irrelevant today. It’s from a bygone era when we assumed ‘everyone’ was from a stereotypical nuclear family, even if they really weren’t. All of these security questions have some stereotypical assumption. First car, first pet, first concert… they all ‘assume’ a middle class life with concerts, pets, and cars.” And that, he says, “is a problem.”

I have the same last name I was born with — the name of the man my mother was married to for three whole months of her pregnancy with me. It’s not my maiden name; it’s just my name. It’s also the third most common last name in America, so if you want to take a crack at anybody’s mother’s maiden name, mine is a pretty good guess. Perhaps that’s why my daughters find those questions about their “mother’s maiden name” so strange. When I sat next to my 18 year-old in August as she opened up a new bank account, she briefly shot me a puzzled look when the query was posed. Then she wisely gave her grandmother’s instead.