Personal information and bank security

eskbanker

GaleSF63 said:

I don't know why mother's maiden name is so prevalent as a security question. Apart from knowing it from casual conversation, social media etc. anyone born in England or Wales before 1983 is listed on FreeBmd showing the maiden name. Not that easy to pick the right John Smith or Jane Clark of course, but even common names can be identified if siblings names are known, for example. And then there's all the genealogy sites with their helpful information...

There are societal aspects to consider too - the whole concept of maiden names is becoming less widespread, in that more women will elect not to change names on marriage, and likewise many will become mothers without marrying at all, and so the proportion of people who don't have a mother's maiden name different from their own surname continues to rise, nullifying the security value of such a question (for those choosing not to use a fake word).  And let's not even get started on the subject of non-binary parents....

MalMonroe

Not even close friends know my mother's maiden name. And whenever my bank asks for my details they will say something like - can you give me the first, third and fourth letter. Then they may ask about the DDs I have - can I just mention two? And can I name a payment I've made within the last couple of weeks. But if I cannot supply  one of those then they ask another - where was I born? Name of my first school? Again, nobody I know knows my first school. I've never tried to be funny, give daft names or be difficult, I know that banks are not only trying to protect my finances they have many other people to protect.

I don't mind giving these details at all. And, having been in severe financial straits in the past, I really DO keep a daily eye on my bank account via the app on my phone. I don't care if it's thought of as being obsessional, it works for me. I never ever want to get into such financial pickles ever again. My mental health - well, there wasn't any back then. 

Brie

I've been locked out of accounts for giving the right information - just not what they had.  One was how much was my credit card limit - I gave the right answer and they disagreed as my account was showing a higher limit due to being in credit.  Another time they asked for my OH's DOB which I gave correctly and they disagreed as they had never been given the info and had gone for the default of 01/01/1900.  

On the other hand I was able to get through security with my mobile phone service provider despite the fact I couldn't answer "how much was your last DD?"  I said "well it's something like......" and the chap said "close enough!"  I guess that means most people can't answer it accurately.

longjohnjohnson

PRAISETHESUN said:

It depends on the organisation, but in my experience you're right to be concerned. Calling over the phone is really just single factor authentication (something you know) and I know people who have had fraud occur this way. Usually someone obtains their personal info (probably from social media phishing) and then calls the bank pretending to be them, authorising fraudulent transactions.

Some banks are starting to roll our voice ID, or the ability to verify yourself through their app before calling, which turns this into some sort of 2FA but these still have issues. With voice ID for example if you've got a cold or something that affects your voice it can throw the systems off and they default back to the easily obtainable info.

I've started doing what tacpot does for anything new going forward, but I agree that it's not always easy to change info for existing accounts. I guess you just need to be a bit more vigilant for those accounts and be very protective of your personal info.

You're wrong.

Bank security is a combination of something you know and something you are (i.e. multi-factor authentication.)

You incorrectly attribute personal attributes to the "something you know" side. They're not that, they're something you are.

Something you know is when a DD goes out or the last amount you transferred in.  Something you are is your name, DOB, address etc.

RG2015

@longjohnjohnson,

Which is your mother’s maiden name?

k_man

longjohnjohnson said:

PRAISETHESUN said:

It depends on the organisation, but in my experience you're right to be concerned. Calling over the phone is really just single factor authentication (something you know) and I know people who have had fraud occur this way. Usually someone obtains their personal info (probably from social media phishing) and then calls the bank pretending to be them, authorising fraudulent transactions.

Some banks are starting to roll our voice ID, or the ability to verify yourself through their app before calling, which turns this into some sort of 2FA but these still have issues. With voice ID for example if you've got a cold or something that affects your voice it can throw the systems off and they default back to the easily obtainable info.

I've started doing what tacpot does for anything new going forward, but I agree that it's not always easy to change info for existing accounts. I guess you just need to be a bit more vigilant for those accounts and be very protective of your personal info.

You're wrong.

Bank security is a combination of something you know and something you are (i.e. multi-factor authentication.)

You incorrectly attribute personal attributes to the "something you know" side. They're not that, they're something you are.

Something you know is when a DD goes out or the last amount you transferred in.  Something you are is your name, DOB, address etc.

I have to disagree

Something you know is anything someone else could also know (but hopefully doesn't)
e.g password, DD amount/date.

DOB, address, name, mother's maiden name are also something you know, but also something someone else easily could know too, so are poor security authentication factors, and are more identification.

Something you are is biometric, i.e something someone else can't know or (easily) impersonate e.g fingerprint, face ID etc

Something you have, is a thing that someone could have, if they stole it, e.g credit card, number generator fob etc.

https://en.m.wikipedia.org/wiki/Multi-factor_authentication

• Something the user has: Any physical object in the possession of the user, such as a security token (USB stick), a bank card, a key, etc.
• Something the user knows: Certain knowledge only known to the user, such as a password, PIN, etc.
• Something the user is: Some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.

k_man

Or to put it another way.
Most banking authentication is actually single factor (lots of things you know).

SJE89

I agree that I have often thought when phoning the bank that it would be much easier to fraudulently gain access to a persons account information.
However, there are a number of factors to consider:
1. if someone did successfully dupe the person on the phone and you lost money as a result, the bank would be responsible and would have to refund any monies lost and take action to protect you as a customer
2. I've noticed these days that banks will usually send a verification code to your phone while you're talking to them, so there is scope for more/all banks to start introducing two-factor authentication to protect customers from this now.

Chino

SJE89 said:

2. I've noticed these days that banks will usually send a verification code to your phone while you're talking to them, so there is scope for more/all banks to start introducing two-factor authentication to protect customers from this now.

Which is part of the problem - banks opting for the cheapest option and using mobile phone networks to control access to customers' accounts for which purpose they were neither designed nor intended:
https://www.theguardian.com/money/2020/sep/13/sim-swap-is-on-the-rise-how-can-you-stop-it-happening-to-you