
Security Through Stupidity, Part Four

Among other places, I host some of my domains with Hostcentric. I’ve been with them for, oh, six or seven years, and have had almost no problems (and those I have get resolved quickly). I wrote in for a technical incident for the first time in years and in responding to it, the support agent wrote:

I also noticed that you haven’t set the security question for your account.

[…]

Once you have set the security question for your account, you need to answer the question when it is asked by the Support Agents. If the answer provided by you matches the records on file, you will be authenticated as the owner of the account.

Here we go again.

I consider these security questions to be an invasion of privacy, to open me up to identity theft, and not to be worthwhile for providing security, so I’ve generally chosen not to answer them. At the very least, it would be much better if I could choose my question and my answer rather than be limited to a set of questions that may lead to problems (or be unanswerable).

In particular, “mother’s maiden name” and “city you were born in” can be used outside Hostcentric for identity theft, while the “name of my high school” is a well-known piece of information for many who know me and therefore not really “secure”.

And of course, “pet’s name” is worthless if you don’t have a pet or have more than one. Beyond that, it’s only useful for security if no one ever hears you call out to your cat.

Likewise, “favorite food” is pretty damn worthless as the answer can change over time. Right now, I’m a big fan of Kettle brand Death Valley Chipotle chips.

I appreciate the desire to improve security, even though these questions are merely an illusion of security: they make everyone feel like “something’s being done”.

In case you’re thinking I’m nuts, I’ve lodged this complaint against all online services that ask for these answers, including Washington Mutual, Bank of America, INGDirect, and several others. Hostcentric is just one of many companies trying to be more secure without actually being more secure.