How Not To Do Security

Poor security questions

Our bank is a small local bank. In general they’ve been very good to deal with. They offer a web interface through which we can access our account, pay bills, etc. The web interface is nothing special… it works, it has a couple of quirks and unnecessary page reloads.

Recently they decided they needed to beef up security. I ran into this on my own personal account a while back, and was unhappy about it. Now they’ve done it to our business account.

The security mechanism consists of them asking three questions and requiring answers to them. Then, in the future if they decide that you might be accessing the account from a different computer from the one you usually do, they may ask the questions and block your access to the account if you can’t answer them.

Now, the questions consist of things like:

  1. What is your eldest child’s middle name?
  2. What was the name of your first pet?
  3. What is your youngest sibling’s nickname?

For my personal account:

  1. I do not have and will never have any children
  2. I have absolutely no idea
  3. I have no siblings

You’re given three lists of questions and you’re supposed to choose one from each list. In the first list, there are two questions I can actually answer. In the second and third lists, there are none.

This set of security questions is a great example of poor design and subtle discrimination. If my parents were alive and I were married and had kids and siblings and knew my grandparents, I might be able to do this. None of these are true, though. I probably fall into a set of, say, 20% of the population who are outside the mainstream ideas of how people live that the person who designed this set of questions was familiar with.

I could make up answers. But will I remember them when their system decides it needs to grill me? Unlikely. I could provide answers like the set I gave above, but again will I remember them - the exact set of words and capitalization? Unlikely - unless I write down the answers somewhere and keep track of where I did that - which thwarts the security in the first place. I’ll just keep it with my list of passwords!

That’s bad enough, but the system doesn’t allow for any overrides on the questions and will not let you into your account until you’ve provided answers for its future use.

And to make things worse, they require the same set of questions to be answered on our business account. Because, you know, we clearly should remember the names of our LLC’s children, where its grandparents were born, and what its first pet was named.

Words of advice if you’re considering adding this kind of security to your web site:

  • People are trying to access their accounts because they need to do something with them. Don’t lock them out of their accounts by requiring them to answer a set of security questions first. Give them an escape so that they can still get to their account if they’re not able to set up the security questions the first time they hit them.
  • Not everyone has kids, siblings, parents, grandparents. There’s a pretty good chance that if you fashion a set of questions that are relevant to mainstream middle-America that you’re going to exclude a good portion of people who you yourself are largely unaware of. At the least, provide the ability for the user to override the questions and give their own.
  • Try to have the questions be at least somewhat relevant to the type of account they’re supposedly securing. Asking personal questions on a business account is simply absurd and frustrating.
  • Recognize that at least for some accounts - joint accounts and business accounts in the banking world - multiple people may be accessing the accounts and have no idea what to answer initially or what was answered by the account’s other users.
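
One way a site could implement the first two points, plus the capitalization problem mentioned earlier, shown as an added example that is not the bank's code or part of the original post. The names `Account`, `login_gate` and `MAX_DEFERRALS`, the deferral limit and the PBKDF2 iteration count are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

MAX_DEFERRALS = 3  # assumed grace period: logins allowed before enrollment is required


def normalize(answer: str) -> str:
    """Fold case, Unicode form and whitespace so ' Maple  AVENUE' matches 'maple avenue'."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are low-entropy secrets: store a salted slow hash, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)


class Account:
    def __init__(self):
        self.challenges = {}   # question text -> (salt, answer hash)
        self.deferrals = 0

    def enroll(self, question: str, answer: str) -> None:
        # The question is free text, so a user (or a business's staff) writes
        # one they can actually answer instead of picking from a fixed list.
        if len(normalize(question)) < 10 or not normalize(answer):
            raise ValueError("question or answer too short")
        salt = os.urandom(16)
        self.challenges[question] = (salt, hash_answer(answer, salt))

    def login_gate(self) -> str:
        """Decide what to show after a successful password login."""
        if self.challenges:
            return "proceed"
        if self.deferrals < MAX_DEFERRALS:
            self.deferrals += 1
            return "offer_enrollment_with_skip"  # the escape: account stays usable
        return "require_enrollment"

    def verify(self, question: str, answer: str) -> bool:
        if question not in self.challenges:
            return False
        salt, stored = self.challenges[question]
        # Constant-time comparison of the normalized, hashed answer.
        return hmac.compare_digest(stored, hash_answer(answer, salt))
```
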

If you don’t do these things, you’ll likely alienate and lose some of your customers who just want to use your web site and are suddenly barraged by a set of questions that don’t apply to them and they cannot answer. At best you’re going to frustrate them and force them to make up answers and write them down somewhere. At worst you’re going to stop them from doing some critical task that they needed access to their account for and force them to take their business elsewhere.

Don’t get me wrong, security is important. But the kind of security my bank has forced on my accounts is wrong-headed and very poorly designed.