Date of Birth should NOT be a Security Question
Using a person’s Date of Birth as a security question can generate the opposite effect: it can be a huge security flaw.
It puzzles me why a bank would ask me to log in with a password and also ask me my Date of Birth (DOB). Then the bank (or maybe not) telephones with stupid conversations like this:
Telephone: Can I speak to Mr Kendall?
Me: Mr Kendall speaking
Telephone: Before we continue, can you tell me your Date of Birth and Postcode please?
Me: Who are you?
Telephone: I can’t tell you that unless you tell me your Date of Birth and Postcode.
Me: What’s it about?
Telephone: It’s a confidential matter. I have to clear security before I tell you anything. I need your Date of Birth and Postcode.
Me (in a cautious, security-conscious mood): Bugger off.
The inference is that if I know someone else’s Date of Birth and Postcode, I can pass their security tests.
Your DOB is probably the easiest piece of ‘confidential’ information there is to find out yet so many financial companies use it as a security question. Why link so many records back to a DOB?
What about this (totally fictitious) scenario? Fred doesn’t really exist, and he’s lucky he doesn’t.
I was driving home and I saw a house around the corner with a large banner: ‘Happy Birthday Fred – 40 Today’.
It seems fairly harmless at first sight, but it’s enough to cause several problems for Fred. I now know that someone named Fred resides in that house. I know the Postcode. I noted his car registration. If Fred is 40 today, it doesn’t take much maths to work out his Date of Birth.
Once home, it doesn’t take me long to find Fred online; there are plenty of free resources for business, and I can find Fred’s full name from his DOB and Postcode. I can find him on Facebook; yes, the birthday matches. I now have photographs of him and know his family’s names and pets’ names: lots of nice password fodder there. From Twitter I know his movements and even learn that he’s off on a weekend family holiday tomorrow. From LinkedIn I know his job(s) and past education. I know when he moved into his house, how much he paid for it and what it’s worth now. From Google Maps I know there’s a swimming pool in the back garden.
It’s taken me only 10 minutes to find all this out. So far I haven’t done anything illegal: no phishing, no lying, no hacking, no paid searches, no going through his bins. I have enough information to write a book on Fred, and it’s all publicly available, thanks generally to financial institutions, the government and social media, but maybe mainly to Fred, who unwittingly gives away far too much information.
All I needed was his Date of Birth.
But is this Fred’s fault? Surely he is entitled to share his birthday with friends and acquaintances. It’s the banks and other financial institutions who should use some other identifier that people do not need – or even wish – to share publicly.