
There are a lot of verification steps that are bunk.

Full name? Home address? Available from the electoral roll in Australia. Phone number? Look it up. Date of birth? Check with the Registrar of Births, Deaths and Marriages. Mother's maiden name? Ditto.

Too many of these verification questions rely on shared secrets that ... aren't secrets.


...and it's getting worse with all the extra 'security questions' random sites now ask. Why do I have to drop all these obscure-but-not-really-secret details into all these databases? Are they all guarding them as well as a salted-hashed password? Do I now have to give them all unique fake answers lest it become another path-of-least-resistance for compromise?


They really are horrible. When I'm given a small list of questions to choose from, they generally fall into three buckets:

- Completely non-applicable (I'm not married and don't have any kids or pets)

- Transitory and inane (I don't really have a favorite meal or movie, and if I did, who is to say it will be the same forever?)

- Rely on information that is relatively easy to figure out (birthplace, high school mascot, mother's maiden name, etc.)

Security questions alone should never be sufficient to reset a password or gain access to an account, and I'm not really sure they add a whole lot in other contexts either.


I find them horrible as well. That's why when I'm given the opportunity to write my own questions I always do so. Then in this security theater I hopefully am a little bit safer than most people that just pick a question from a list.

On a side note, one of these days I got really scared when a reputable credit card company asked me for one of these security questions. WTF?!


My bank does something that at first I thought was weird but now get a bit more: they ask me to confirm a specific purchase on a specific date, or who a payment of X amount was to.

At first I thought it was completely pointless (someone gets my bank statement and I'm done), but they only ask about the purchases since my last statement. Not saying that Apple should be asking 'what app did you buy on the 1st August?', but a small confirmation outside of the data you provide would probably be useful.


Whenever they give me the option to make up my own question, I go "What is the password you designated for answering secret questions on this site?".
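Two practical points come up in the thread: whether a site stores security answers with the same care as a salted, hashed password, and the trick of answering with a random password rather than a real fact. The following is an added example, not code posted by any of the commenters, showing both sides: a server-side routine that normalizes an answer (so "St. Mary's" and "st marys" match) and stores it with scrypt and a random salt, and a client-side helper that generates a high-entropy per-site answer for a password manager. The storage format `scrypt$<salt>$<digest>` and the scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata
from typing import Optional


def normalize_answer(answer: str) -> str:
    """Canonicalize a security-question answer before hashing.

    Users type "St. Mary's", "st marys", "St Marys " for the same fact, so
    accents, case, punctuation and whitespace are stripped. This costs a
    little entropy, but an answer that is already public gains nothing from
    case sensitivity, and a random answer keeps its entropy regardless.
    """
    decomposed = unicodedata.normalize("NFKD", answer)
    ascii_only = decomposed.encode("ascii", "ignore").decode()
    return "".join(ch for ch in ascii_only.casefold() if ch.isalnum())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Hash a normalized answer with scrypt and a random 16-byte salt.

    Stored as "scrypt$<salt-hex>$<digest-hex>" (assumed format). A password
    KDF rather than a bare SHA-256 makes a leaked table expensive to reverse,
    which matters most when the underlying answers are low-entropy facts.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        normalize_answer(answer).encode(),
        salt=salt, n=2**14, r=8, p=1, dklen=32,  # ~16 MiB per guess
    )
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, _digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    return hmac.compare_digest(hash_answer(answer, salt), stored)


def random_answer(nbytes: int = 16) -> str:
    """Client side: a per-site random 'answer' with no link to any real
    fact, to be kept in a password manager next to the site's password."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample: a public fact versus a random per-site answer.
    public_fact = hash_answer("St. Mary's")
    print(verify_answer("st marys", public_fact))   # same fact, spelled differently
    fake = random_answer()
    record = hash_answer(fake)
    print(verify_answer(fake, record), verify_answer("St. Mary's", record))
```

Even with proper hashing, the first case is only as strong as the fact itself: scrypt slows a brute force, but a handful of candidate schools from a public profile falls in seconds. The random answer is the part that actually adds entropy, which is why a password manager and the "what is your password for secret questions" approach beat any honest answer.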
