[129953] in cryptography@c2.net mail archive


Re: security questions

daemon@ATHENA.MIT.EDU (Matt Ball)
Wed Aug 6 16:50:58 2008

Date: Wed, 6 Aug 2008 12:24:55 -0600
From: "Matt Ball" <matt.ball@ieee.org>
To: "Peter Saint-Andre" <stpeter@stpeter.im>
Cc: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <4899C1EF.3050406@stpeter.im>

On Wed, Aug 6, 2008 at 9:23 AM, Peter Saint-Andre wrote:
>
> Wells Fargo is requiring their online banking customers to provide answers to security questions such as these:
>
> ***
>
> What is name of the hospital in which your first child was born?
...
> What was your most memorable gift as a child?
>
> ***
>
> It strikes me that the answers to many of these questions might be public information or subject to social engineering attacks...
>
> Peter

Of course, this problem isn't limited to Wells Fargo: I think pretty
much all banks do it.

I've given this some thought, and am writing a program called "maiden"
(short for "mother's maiden name") for cryptographically answering
these questions.

The basic idea is that you take either a pass phrase or strong secret,
combine it with the question, compute the SHA hash, and use this to
create a word that looks semi-pronounceable as the answer to the
question.

Right now, I don't answer any of these questions with any guessable
information -- it's all the result of a cryptographic operation on the
question and a hidden secret.

Cheers,
-Matt

--
Thanks!
Matt Ball, IEEE P1619.x SISWG Chair
M.V. Ball Technical Consulting, Inc.
Phone: 303-469-2469, Cell: 303-717-2717
http://www.mvballtech.com
http://www.linkedin.com/in/matthewvball

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
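An added example of the scheme Matt describes (secret + question -> SHA hash -> semi-pronounceable answer); this is not his "maiden" program, whose source is not on the list. It assumes HMAC-SHA256 as the hash step, a per-site label mixed into the input, and a consonant/vowel alphabet of my choosing; none of these details come from the post.

```python
import hashlib
import hmac
import unicodedata

# Alphabets used to turn hash bytes into a pronounceable word (my choice).
# 16 consonants consume a full nibble; 4 vowels consume 2 bits, so every
# letter is drawn uniformly from its alphabet (no modulo bias).
CONSONANTS = "bdfghjklmnprstvz"
VOWELS = "aeio"

def normalize_question(question: str) -> str:
    """Canonicalise the prompt so case, spacing and Unicode form variations
    across bank pages still yield the same answer."""
    text = unicodedata.normalize("NFKC", question).casefold()
    return " ".join(text.split())

def derive_digest(secret: str, question: str, site: str) -> bytes:
    """HMAC-SHA256 keyed with the secret over site + normalised question.
    Keying with HMAC (instead of hashing secret||question) sidesteps
    length-extension issues, and binding the site means an answer leaked
    from one institution does not reveal the same question's answer elsewhere."""
    msg = f"{site}\n{normalize_question(question)}".encode("utf-8")
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).digest()

def pronounceable_word(digest: bytes, length: int = 12) -> str:
    """Map digest bytes onto alternating consonant/vowel letters.
    Each byte yields one consonant (high nibble) and one vowel (bits 2-3),
    i.e. about 6 bits of entropy per letter pair; lengthen for more."""
    letters = []
    for b in digest:
        letters.append(CONSONANTS[b >> 4])
        letters.append(VOWELS[(b >> 2) & 0x3])
        if len(letters) >= length:
            break
    return "".join(letters[:length])

def maiden_answer(secret: str, question: str,
                  site: str = "example-bank", length: int = 12) -> str:
    """The answer to type into the bank's form: deterministic for a given
    secret/site/question, unrelated to any real personal fact."""
    return pronounceable_word(derive_digest(secret, question, site), length)

if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    q = "What was your most memorable gift as a child?"
    print(maiden_answer("correct horse battery staple", q, site="example-bank"))
```

The same secret and question always reproduce the answer, so only the secret (and the site/question pairing) needs to be remembered or stored.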
