Right answer, wrong question

This credit union updates its online banking website, so a pilot fish with accounts there updates all her family’s accounts.

“The new feature was security questions,” says fish. “I didn’t like the three that were given, so I did the drop-down to see more questions. I chose my three new questions and wrote down the answers so the spouse knew what they were.”

But the first time he tries it, he blows the password. Fish has to go through the whole process of recreating the account setup.

Next time he tries, fish has to go through the entire process again — but this time she prints out screen captures of the questions she chose, and writes the answers on them.

To make sure it doesn’t happen a third time, fish walks him through the process of logging in. But when they get to the security question, the one that pops up is not one of the new questions fish has selected.

“I purposely chose questions I knew he could answer,” fish says. “I bypassed the question about what high school I had graduated from, but there it was, waiting for an answer.

“On my last try of the three-tries-or-you’re-locked-out scenario, I remembered that was the first question of their three original choices. So I supplied the answer I had used for the first question, ‘Where were you born?’ Bingo, I was in.”

This is ridiculous, fish thinks. She puts in a call to the same customer service rep who has already reset the account’s password twice. The rep tells fish that a whole lot of people are getting locked out on the security questions.

Can I talk to the programmer? fish asks. I can’t transfer you, rep says.

OK, write this down and give it to the IT department, fish says. Tell them that while they let users pick new questions, they’re recording the answers but keeping the original default questions as first presented.
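The defect fish describes is a slot-indexed store that keeps the typed answers but drops the chosen question text, so the login page prompts from the default list while checking against the answer to a different question. The following is an added illustration, not code from the credit union or the column; the class and question names are constructed, and the fixed version also hashes the normalized answer and compares in constant time.

```python
import hashlib
import hmac

# Constructed default list, standing in for the credit union's original three questions.
DEFAULT_QUESTIONS = [
    "Where were you born?",
    "What high school did you graduate from?",
    "What was your first pet's name?",
]


def normalize(answer):
    """Case- and whitespace-insensitive matching for typed answers."""
    return " ".join(answer.lower().split())


class BuggyProfile:
    """Saves answers by slot but never saves which question the user chose,
    so the login prompt still reads from the default list."""

    def __init__(self):
        self.answers = [None] * len(DEFAULT_QUESTIONS)

    def set_questions(self, chosen):
        # chosen: list of (question_text, answer); the question text is dropped here
        for slot, (_question, answer) in enumerate(chosen):
            self.answers[slot] = normalize(answer)

    def prompt(self, slot):
        return DEFAULT_QUESTIONS[slot]  # shows the default, not the chosen question

    def verify(self, slot, answer):
        return self.answers[slot] == normalize(answer)


class FixedProfile:
    """Stores each chosen question beside the hash of its answer and prompts from that."""

    def __init__(self):
        self.pairs = []  # list of (question_text, sha256 hex of normalized answer)

    def set_questions(self, chosen):
        self.pairs = [
            (q, hashlib.sha256(normalize(a).encode()).hexdigest()) for q, a in chosen
        ]

    def prompt(self, slot):
        return self.pairs[slot][0]

    def verify(self, slot, answer):
        digest = hashlib.sha256(normalize(answer).encode()).hexdigest()
        return hmac.compare_digest(self.pairs[slot][1], digest)
```

With the buggy store, the only way in is to answer the displayed default question with the answer given for the chosen question in the same slot, which is exactly what fish stumbled onto.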

“I also asked where to send my bill for problem-solving consulting, but never heard back from them,” says fish.

“But now we have a way of making the security questions unanswerable by hackers. For example, for the question ‘Where were you born?’ we key in the year of the account holder’s birth as the answer.”

Answer Sharky’s call for true tales of IT life! Send me your stories at sharky@computerworld.com. You’ll snag a snazzy Shark shirt every time I use one. Comment on today’s tale at Sharky’s Google+ community, and read thousands of great old tales in the Sharkives.

