This morning I was told a story about someone who lost a lot of money after a bank gave access to someone's account once a few basic security questions had been answered. Do you think that any of the following questions really identify you?
- What is your mother's maiden name?
- What is your date of birth?
- What was the name of your first pet?
- What is your post/zip code?
I'm sure you have seen these kinds of questions, and the answers that open a lot of doors.
I'm not even talking about your colleagues asking you: "What is your password?", although it happens often enough that I hear this in open offices. The weird thing is hearing someone answer the question by spelling out the password. Why do business people not understand that passwords are not just for access to systems? Passwords are there to prove that you are you! Remember, if you give someone your password, you are giving that person the option to be you. How are you going to prove that it wasn't you?
Do you remember that you gave someone your password details last week? Are you sure that this isn't going to be abused next week? Or are you sure that nobody else got hold of your password while your colleague wrote it down on a yellow sticky note?
Multi-Factor Authentication
This is why IT people are busy adding Multi-Factor Authentication (MFA) to accounts while business users are still happily sharing passwords!
For anybody who doesn't know what MFA is: on top of your password, MFA asks you to enter a code that is sent to your mobile phone by SMS or email, or that is generated by an authenticator app or hardware token that only you hold. These codes expire after a short period of time, so a code that leaks today is worthless tomorrow. It also means that every time you log in you are notified of the login and must supply a fresh code. One caveat: codes sent by SMS or email are only as safe as your phone number and mailbox, so an authenticator app or hardware token is the stronger choice where it is offered.
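To show why these codes expire, here is an added example (not code from the original post) of the authenticator-app form of MFA, a time-based one-time password (TOTP, RFC 6238): the code is an HMAC over a shared secret and the current 30-second time step, so the same secret yields a different code every half minute. The verifier side accepts one step of clock drift and refuses a code that has already been used. The secret is the public RFC test key, embedded here as constructed demo data, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226/6238 test key, base32-encoded the way
# authenticator apps receive it. Not a real credential.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

TIME_STEP = 30   # seconds a code stays valid before the counter moves on
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // TIME_STEP, digits)


class TotpVerifier:
    """Server-side check that tolerates small clock drift and rejects replays."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window          # accept +/- this many steps of clock drift
        self.last_counter = -1        # highest time step already accepted

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        current = now // TIME_STEP
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self.last_counter:
                continue              # this step (or an earlier one) was already spent
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("code right now:", totp(DEMO_SECRET_B32))
```

At time 59 the counter is 1 and the code is 287082; a minute later the counter has moved on and that code is refused, and even within the window it is refused a second time because the verifier remembers the step it already accepted.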
Does this mean that MFA should be added to all accounts?
Taking this back to the example of banks, should banks add MFA to all transactions? Or should we keep the security check at common-knowledge questions?
Personally I've secured as many accounts as possible with MFA, but there are still many places where I need to supply answers to the common questions. If, for example, I ring a hospital, I'm first asked a few questions before they are happy to speak with me. It's even worse when I'm being called by a hospital and they ask me security questions before they continue. "Hey, you just called me, can you answer my security questions first?" The problem is that I don't have any pre-agreed details, other than my personal details, that I would be able to verify with the caller.
This is where it is difficult to find the right balance between security and trust. How easy is it to fall for someone fishing for security information? Remember, once the answers to those few questions have become public knowledge, you will not have a second chance: unlike a password, you cannot change your mother's maiden name or your date of birth.
Does this mean that MFA should be added to all communications with organisations that deal with personal data?
When you speak with business users, you will very quickly receive some unwelcome feedback. “I just want to do my job!”, is what I hear.
This is exactly the point. Make sure that it is you doing your job, and not someone else doing it in your name.
When looking at computer systems, should we make sure that business users store their documents within systems that require MFA? There are still many users who store documents on network drives, or worse, on the local disks of their own computers.
Are you worried about security? Well you should be! What are you doing about your worries?