From the CSO's desk: Banks should ask safer questions

Opinion by Brian Shorten, information security risk manager, Cancer Research UK

Like most people these days, I change credit cards often to take advantage of zero per cent interest rates.

Like most people these days, I change credit cards often to take advantage of zero per cent interest rates.

The process of activating the cards always involves a series of security questions to identify myself when I ring in to transfer funds to and from the card.

While the questions used by the different card suppliers vary, one question is common: mother's maiden name.

Am I alone in thinking that this is the most insecure security question possible? Surely a security question should be confidential and not easy to guess.

It is surprisingly easy to find out the maiden name of someone else's mother. In the UK, it is printed on birth certificates.

Some Latin countries use the mother's maiden name as part of the child's full name. Spain uses the father's last name, followed by the maternal surname separated by a hyphen or the letter “y”. Portuguese names are also a combination of both names, this time the other way round.

So in both cases, it is easy to find out the mother's maiden name from documents and databases.

Thanks to growing interest in genealogy, many people now compile and publish their family tree on the internet, showing first and last name for each preceding generation, including the maiden names of all female ancestors.

In the workplace, most employers keep a next-of-kin list, in case they need to make contact in an emergency. For many people, the next of kin is their mother, and that name is available to everyone with access to the list – an unknown number, that may include everyone in HR.

On a personal front, family members obviously know the name, but what about ex-wives/husbands and former partners, who may be tempted to use the card, or make changes to the account, for a variety of reasons, including good old revenge?

As for “not easy to guess”, this all assumes that your mother has a different maiden name from you.

The number of marriages in the UK is dropping, and the proportion of women who change their last name on marriage is diminishing, so many people have the same last name as their mother.

And even if your name does differ from your mother's maiden name, what if it is common, such as Smith, Jones or Patel? Anyone could take a guess and often be correct.

So what is the answer?

It is a good sign that many card suppliers and other financial services companies are starting to rethink their security questions and, in time, the old favourite mother's maiden name should be replaced.

My solution in the mean time is to accept the question, but not give the correct answer; after all, no card issuer is going to check it.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events