Security Through Stupidity

Everyone’s trying to improve the security of their websites these days. Several banks have started using on-line images you select, along with a normal username/password combination, to determine whether to let you in.

Washington Mutual seems to be taking a different tack: instead of trying to prevent would-be hackers from getting into your account, they’re looking to protect you when they

… detect a risky request involving your accounts

In other words, after someone has already gained access. Well, OK, I’ve received numerous calls from my Visa issuer when they think a charge may be fraudulent. Usually they ask if I still have the card in my possession, if I made a particular charge, and to confirm some details of my account.

WaMu has decided they

… may ask you one or more “challenge questions” to verify your identity. Ideally, only you should be able to answer these questions correctly.

Not terribly out of the ordinary… until you take a look at the questions.

(Let’s take a brief time-out here and set up a hypothetical WaMu user. Let’s say that you’re a 30-year-old single guy, never married, no children and are an only child. Your grandparents died when you were five or six, and you’ve never had the opportunity to travel outside of the U.S. OK? OK.)

You are presented with three popups; you are asked to choose one question from each popup, and provide the appropriate answer. You must provide answers for all three popups. Go:

Hm. Let’s take a closer look, shall we? I’ll be you:

When is your oldest sibling’s birthday (MM/DD)?

Wait… I’m an only child…

What is your youngest child’s middle name?

…I don’t have children…

What is the first name of your youngest child?

…I still don’t have children…

What is the middle name of your youngest sibling?

…And I’m still an only child…

What was the family name of your nearest neighbor in 2000?

…Nearest neighbor… in 2000… Uh… Where was I living in 2000?

In which year did you meet your spouse (YYYY)?

…I’m not married…

What is your mother’s middle name?

…Oh! I can answer this one! Um, Mom, what’s your middle name? Oh, you don’t have one? Like millions of other people? I see…

Who is your favorite person from history?

…Today? Or in a year, when I’m asked this question?

And that’s just the first popup. Out of eight questions, two are about a non-existent sibling, two are about a non-existent child and one is about a non-existent spouse. Five of eight questions, tossed out the window because of invalid assumptions. The remaining three questions ask either trivial questions (my favorite person from history? What is this, a pajama party?) or continue to make assumptions (not everyone has a middle name, you know).

WaMu offers multiple sets of questions (which set you get appears to rotate for each login attempt). So far, I’ve seen 58 questions. Of those 58 questions,

  • 22 of them are 100% inapplicable to me: siblings (5), children (7) and marriage (10)
  • 14 require me to remember trivial historical details (my high school mascot? My high school had a mascot?)
  • 16 more questions ask me about my parents (7) and grandparents (9). I might be able to tell you my “parents’ wedding anniversary” if I had a moment to look it up, but my “grandfather’s profession”? Seriously?
  • 4 ask me my opinion on something (which sports team did I like most as a child? Hm… any chance that might have changed a few dozen times?).

That leaves all of two questions that I can answer without any thought:

  • What is my nickname?
  • In which city was I born?

Even the nickname question is silly since I might have one nickname today and a different nickname in a year when my account is being illegally drained and WaMu decides to “challenge” me when it notices the “risky requests”.

This is all an amusing tale of stupid security questions, except for one minor problem.

Until I complete these questions, I can’t log into my account.

Yes, you read that correctly. Unless and until I select three questions from whatever subset I happen to get, I’m unable to use the online banking service.

This got me in such a tizzy that I actually called up Washington Mutual to complain about it. More on that phone call later this week.