Not the direct point of the article, but as an aside, it really concerns me how easy it is to find a mother's maiden name these days, considering how often it's used as at least a partial proof of identity.
Being able to identify someone over the phone or internet is an incredibly hard problem that I think more startups should be working on. It is a constant battle between security and customer convenience. It is very frustrating being locked out of your own account because a company can't identify you correctly. Combine that with the fact that companies are rarely held accountable for these security violations and it isn't a surprise that they optimize for customer convenience.
The best systems I have seen are the ones that use your credit history to ask you several questions like "Which one of these four streets have you lived on?" or "Which one of these four employers have you never worked for?", but even those are gameable with some research. There has to be some better solution out there.
> The best systems I have seen are the ones that use your credit history to ask you several questions like "Which one of these four streets have you lived on?"...
At least with simple "mother's maiden name" type questions, you could, if you were concerned by its insecurity, choose to use a secret value. With the automation of the process, that is not an option, while the security value of this pseudo-secret information will be eroded by its inevitable over-use.
You do make a good point, but the made up answer option is basically just opting out of the system for both good and bad. In my experience, the mother's maiden name thing is rarely the primary identifier. It is usually used if the primary identifier like a password or passcode isn't known. So the question becomes in what instances would a person have a record/memory of the fake name but no record/memory of their password? The only situation I can imagine that happening is if the person reuses their fake name which defeats the whole point of doing this for the added security. The end result is that the secondary identification system has almost no value.
> So the question becomes in what instances would a person have a record/memory of the fake name but no record/memory of their password?
That is, indeed, the problem that these questions are supposed to avoid, but they only offer sort-of security to the extent that the information is sort-of confidential. Anything that the automated validation service can find from public sources can also be found by the black hats, and the more common these automated services become, the more worthwhile it will be for the black hats to similarly automate their search for them.
The end result is that real security that is based on something you know has to depend on secrets.
> So the question becomes in what instances would a person have a record/memory of the fake name but no record/memory of their password?
I have both recorded in password vault and both are random.
The benefit is if they've reset my password for some reason or it was hijacked. I've been able to recover accounts. Not because I forgot a password but because it was essentially a harder-to-change 2nd "secret".
For me (and I know others), the rule is to never give the correct answer to any of those questions (what was the name of your first pet? what elementary school?). That's how Sarah Palin was doxxed.
> The best systems I have seen are the ones that use your credit history to ask you several questions
Given how bad the credit companies are at distinguishing me and my father (we share a name), I don't have much faith in this process either. What if you don't have a credit history?
Realistically most businesses don't have a need to pin an identity to a real-world person.
Those can be wrong though. I've been locked out of accounts because they said I incorrectly answered questions about myself (as if they know better than me) and it took weeks and multiple hand-written letters and a physical trip to an office to get it fixed.
The assumption that you have, that the system "just works" is awful. Because when it turns out the system actually doesn't work, it's a fucking clusterfuck just to get someone to listen to you because they don't believe you are who you say you are, and government issued ID is apparently insufficient.
And the government seems to think I am the same person as my deceased father and grandfather because we share a name, and holy fuck is it frustrating come tax season (I have never in my life had my taxes accepted the first try and have had to physically visit the IRS before) or any time anybody tries to do any sort of background check on me.
The credit history questions are a mixed bag. I've gotten questions like "Which make of car have you owned?" with choices of Toyota, Rolls Royce, Duesenberg, and Checker. It's not a hard guess.
Except when say 18 years ago, you stayed with a handful of friends that year because the bottom dropped out of development jobs and you can't recall every address you might have used.
Wouldn't a Google Auth type TOTP be ideal for over the phone? Is there anyone doing this?
It could be the same one I use for 2FA to the website. Or, an entirely offline flow would work too where they sent a dead-tree mail with the shared secret in QR code format.
I think that's one of the best solutions, but it would add a ton of customer service overhead for lost devices (if physical OTP generators are used), clock sync issues, device-specific quirks... And if we want to have a universal system for this rather than each service provider having their own one-off solution, someone would need to foot the bill.
Swedish banks already do this. They first implemented their own systems with custom hardware (and before that banks mailed a physical scratch pad with codes) but then later together developed a mobile app (called Mobile BankID) which can be used for authentication.
So clearly it can be done. Swedish banks have been doing it for at least 20 years.
These systems usually have blink detection, so you would at least have to scan the photo, convert to video, and blank out the eyes temporarily (blink detection tends to be quite crude).
Other systems require you to record a video of you saying a particular sentence which is then checked (presumably) by a human. And others require a video call to a real person.
I got pretty spooked when I opened my credit karma account and it asked me to verify if I had opened a store card a couple years ago, if I took out a loan, and a couple other questions about me.
None of them were true, because when I was first opening my credit karma account was when I first got a credit card; up to that point I had no credit history at all. When it asked me these questions, and I believe it implied one of the questions was true, I assumed my identity was stolen and got a report from TransUnion and Equifax.
Turns out my identity was never stolen and credit karma was just being obtuse.
Not OP, but I found it by going to your HN profile, seeing your email listed there, searching that username, finding a GitHub profile with the same username, then using your first and last name plus your location (listed in your GitHub profile) to look you up. Your profile photo on GitHub gave me your approximate age (middle age, clearly not a teenager or a senior).
Searching your name and city+state in Google shows several websites that collect public records and show relatives. Some include age with names. The only people that showed up as relatives that were plausibly your parents (based on age) were two people: one with your same last name (probably your father), and one with a different name (Klass) (most likely your mother).
Thanks. I knew it was easy to get to my name from my HN provided info. I wasn’t sure how easy it was to get from there to my parents.
Having a pretty rare last name makes it really hard to stay anonymous, especially when you engage in public activities like entering road races, buying a home, and voting. Guess it’s a bit late to start using a pseudonym.
Edit: mylife is insane. I’ve googled myself in the past and this much information didn’t used to be so readily available in search results.
I don’t know how a right to disappear would even work when a bunch of the results are curated straight from public records.
Edit 2: I think if I cared more about this I’d have to engage in a prolonged disinformation campaign to muddy the search.
"Guess it’s a bit late to start using a pseudonym"
Actually, no. It only takes 2-3 years to disappear from most casual google searches. I know people always say 'the internet is forever' and for some things it might be, but I was surprised how much of my online traces just faded over time after I started being more careful with my identity.
I had a bit worse experience. I was a bit careless with posting personal info under a quite specific username I reused on multiple websites; it took me nearly 10 years and changing that username (you might also note that my usernames are more or less random) to finally not be able to google myself (which I consider to be the real test of anonymity). Various forums finally dying in the 2010s were a great help.
I'm of two minds as to whether it's better to be wholly unique like my First Name/Last Name pairing is or to have a name like John Smith.
The worst is doubtless to share an uncommon but not unique name with someone who could plausibly be you who is controversial/a criminal/etc. Pre-Web I went to school with someone who shared a name with a very unpopular figure in the same city. My schoolmate got literal death threats left on his answering machine.
I ran across this a few years ago. I made the mistake of registering a .us domain with my home address. Found out the stupidity of that when my wife's ex, who had been out of her life for over 10 years at that point, sent us a wedding gift. We both have fairly unique names - there's only 1 of each of us with the same first/last name in the US. Makes me pretty paranoid about tying stuff to my real name now.
It's also funny how you're supposed to submit such (ostensibly) personally identifying information to a website for them to know.
So it literally only works for this purpose the first time you do it, now it's not private anymore (even if it was to begin with). Now it's on file just waiting to be leaked.
For example, how many of us are suckers who have submitted scans of our passport and drivers license to a website like coinbase.com?
It's only a matter of time until https://haveibeenpwned.com/ lets you type in your DL/passport number and it'll tell you how many scans it found in data dumps.
Just don't answer those questions "truthfully." What I mean is I use 1password to store my credentials. So whenever a site asks me to provide 3 security questions and answers I will usually select 3 random questions (especially ones that don't apply to me like "where did you meet your wife", well, I'm not married), then provide an answer like "dog bow rainbow toss three". Even if one place is breached and hackers find my "mother's maiden name", it's about as useful as a one time access token.
Someone doing social engineering may answer "It was a bunch of random characters/words, I'm sorry I don't have it in front of me" and have that accepted. If they don't accept it, hang up and try again with another rep until someone does.
Picking a random real place off Wikipedia (different for each website, and storing that in 1password) avoids this.
It's a question of effort, really. The bad guys get infinite tries; support only needs one person to fuck up once.
My hope would be their training largely prevents "oops I can't remember" getting through, but I suspect you'd eventually get someone quitting tomorrow who doesn't care, or someone having an off day.
Mother's maiden name is documented to have been in use for authentication at least as far back as 1882, and even then it was known to be a weakness [1, §3].
[1] Stephen M. Bellovin. 'Frank Miller: Inventor of the One-Time Pad'. Cryptologia 35(3), pp. 203–222, 2011. DOI: 10.1080/01611194.2011.583711
You should be giving gibberish answers to those anyway. They're probably stored as plaintext, but on the off chance they're not, treat them as a backup password and don't answer the question honestly.
For anything that involves human interaction for the verification, this doesn't really work.
I generate random strings for these and store them in my password manager. On several occasions I've called companies for whatever reason and they've asked these questions to verify my identity. When I say "oh it's a random string let me open my password manager to confirm it" they often reply with "oh it's ok, you're right it's gibberish" and consider me verified.
You can generate a pronounceable password based on dictionary words for such cases and get something that you can say over the phone like `leaf-auto-drunk-horse-zebra`. This is supported by any modern password manager.
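Putting the "treat security answers as a backup password" advice from the posts above into code (my own added example, not from any poster): the user side generates a per-site, pronounceable answer from a word list with a CSPRNG and reports its entropy; the server side normalises the answer (people retype "Dolan-Gavitt" as "dolan gavitt") and stores it salted and stretched like a password instead of as plaintext. The `WORDS` list is a constructed stand-in for a real diceware list, and `store_answer`/`verify_answer` are hypothetical helper names.

```python
import hashlib, hmac, math, secrets, unicodedata

# Constructed mini word list for the example; a real deployment would use a
# published diceware-style list (the EFF large list has 7776 words).
WORDS = ("leaf auto drunk horse zebra river stone maple candle orbit pepper velvet "
         "anchor bison cobalt dune ember fjord glacier harbor igloo jasper kettle "
         "lantern meadow nickel otter pebble quartz raven saddle tundra").split()

def random_answer(words=WORDS, n_words: int = 5, sep: str = "-") -> str:
    """User side: a fresh, sayable answer per site, e.g. 'leaf-auto-drunk-horse-zebra'.
    secrets.choice is a CSPRNG; random.choice would not be."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Guessing entropy of a uniformly chosen n-word answer, in bits."""
    return n_words * math.log2(wordlist_size)

def normalize(answer: str) -> str:
    """Server side: fold case, Unicode form, spacing and punctuation so that a
    human-typed repeat of the same answer compares equal."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def store_answer(answer: str, iterations: int = 200_000) -> dict:
    """Store like a password: random salt + PBKDF2-HMAC-SHA256, never plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_answer(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the stretched candidate against the record."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])
```

Six words from a 7776-word list give about 77.5 bits, far beyond what any surname or pet name offers; the normalisation step costs nothing against that budget but makes phone-read answers robust to spacing and capitalisation.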
Had the same experience with Blizzard support a while ago. Now I follow the above poster's advice and use it as a secondary password, but make it pronounceable at least.
Would an attacker know that you're the kind of person to type in gibberish?
Also, you don't need to type gibberish. If your mother's maiden name is Jones, you can enter her maiden name as Steenberger and store that in your password manager.
An attacker wouldn't have to know you are the kind of person who puts gibberish... "oh, shoot... sometimes I make up a fake name but sometimes I put gibberish... I can't remember which I used here"
I have thought for a while that the old 'what is your porn name?' joke of combining first pet's name and mother's maiden name was probably originally invented by con artists looking to gather info.
I don't think it was invented by them, but I'm sure it's been used extensively by them since then. I think it was just someone that thought it was funny.
Given the use of pets' names and maiden names as common authentication tokens for money, that it is a kind of weird joke to start with and that it doesn't really have a punchline and can easily fall flat, it stinks of grifter patter.
Though it isn't as bad as: 'You can't cheat an honest man'. You hear someone saying that, you start counting your fingers before you shake hands and check them again as soon as you're done.
This has always been a funny "secret" to me since I have a hyphenated last name – gee, my last name is "Dolan-Gavitt", I'll give you two guesses what my mother's maiden name is.
I would have no idea what your mother's maiden name is? With only your post as a reference point, I would assume that you're a woman married to a man, and then assume Dolan is your paternal last name, and Gavitt is your married last name.
Encountering men with hyphenated last names is uncommon enough (for me) that I don't know the rules for that, so if that's the case, I don't know either.
It's semi-common (or was, in the 80s) for couples who didn't want to change either of their names to instead give their kids a hyphenated name with both the mother's and the father's name. So my mother's maiden name is... Dolan.
But looking up myself (and my brother) I noticed that the record date is a month or two past the actual month. So for me being born in March seeing myself listed as June and in my brother's case seeing September listed as December. Well, makes me wonder if they had backlogs back then. But I'm mostly happy it is that way; I know my actual birth certificate has the correct date (still have the original) and those are accessible in some form or another. Just mindful that not all records are that accurate.
In Sweden we have "Mobilt bankid" which is a digital identification that you download from your bank and then assign a password to it. After this has been completed you can identify yourself through an official app. Most serious organizations ask you to identify yourself through this app when handling business over the phone.
BankId is a 2FA mechanism that proves that you are who you say you are. Before you can download the mobile app (Mobilt BankId) and assign a password, the bank must issue you a card with a certificate on it (BankID på kort[0,1]).
You use this card to then validate the Mobilt BankId, since it creates a chain-of-custody for identity, as it were.
In other words, someone with your personnummer on-hand can't just download Mobilt BankId and then assign their own password because they're lacking the physical evidence [read: the BankId på kort], which prevents them from falsely representing that they are you.
How Mobilt BankId works with BankId is that it houses a certificate (much the same as BankId på Kort) and leverages the same auth prompting mechanisms for challenge/response to authenticate the user. Essentially, it "replaces" the kort but only in the sense that the kort is required to be physically present in the system. With the Mobilt BankId app, the certificate is always present.
Sorry for the long-winded explanation but it isn't as simple as downloading the app and assigning a password and I don't want people to get the wrong idea. :(
I am guessing that most standard and reliable (i.e. you know the answer and it's not going to change) questions are vulnerable to discovery by a halfway determined attacker. That said, there are probably questions/answers that historically would have required at least some degree of serious investigation to uncover that are now often trivially discoverable.
DNA would actually be a great way of doing identity. As long as you're alive, your DNA can be checked. And it's not really feasible for someone else to fake.
You also don't lose it or forget it, like you would a password or 2FA device.
You also can't change it, though, if someone gets a hold of it. Someone with a bit of your blood could impersonate you forever, and you wouldn't be able to stop them.
Perhaps. My anecdotal experience does not show a high ratio of women on facebook who are also friends with their mothers. I have also noticed older women seem to list their maiden name less frequently.
However, I do agree that in general several "security questions" that are meant to be hard-to-guess data points are actually easy to find the answer to frequently. Maiden names, and school names/cities/mascots, are often found in online profiles in one way or another.
At the same time, I'm not sure the risk is as large as it seems. These security questions help prevent bulk identity theft and add a friction point to the process; they are certainly not equal alternatives to real 2FA, but they are also less "brute forceable".