Heck Of A Guy

A pastiche of posts, featuring song, dance, snappy chatter plus notes on prose, poesy, love, lust, life, and beyond


Security Questions - The Affirmative Answer To "Are There Any Stupid Questions?"

October 10th, 2008 at 1:04 pm · DrHGuy · Fascinations · No Comments

Drawing A Blank At The Bank

I once opened an account at a local bank for convenience. In addition to the usual inconveniences involved in such processes, I encountered a glitch when I attempted to activate the online bill paying option from home. My first response to a security question was accounted an error by the bank’s web site even though I entered the same name of my place of birth I had myself supplied only a few hours earlier.

Happily, I had made the same stupid mistake before1 and was thus able to solve the problem before exceeding the arbitrary limit on failed attempts for such answers and being sentenced to an obligatory call to the bank’s technical support, a task I’ve found so discomforting in the past that choosing between enduring that tête-à-tête with a bored, low-level employee of whatever outsourcing company the bank has hired and moving the money to a different bank in order to start over with a fresh slate becomes an even-money call.

Recently, a friend mentioned he had committed the same mistake. A little research shows that my mistake remains a relatively common yet little discussed error, a circumstance which affords me the opportunity to enhance humanity’s lot by warning readers about the invisible error terror that threatens rather than creates security.

And that, gentle reader, is why today’s post is a rare instance of the Heck Of A Geek Computer Tip.

Why Do Security Questions Make Us Feel Insecure?

Anyone who uses the internet for banking or investing, sends email through Yahoo or Hotmail, pays the Verizon bill online, or otherwise deals with sites which require log-ins has encountered the Security Questions. Typically, this is a do-it-yourself process through which one selects answers to a number of available questions or, increasingly often, provides the questions as well as the corresponding answers. The questions are then presented when the user forgets the password; once the correct answers are entered, the password is reset. Even when the correct password is entered, however, the answers to the security questions may be required when the user exercises certain options (such as my request to pay bills online).

Security Question Tip #1: Do Not Blank Out On An Answer

My glitch happened to occur when I answered a common security question, “In what city were you born?”

The top sequence in the above graphic represents the answer I entered when I first set up the account, including the security questions. The second sequence represents the answer I supplied when the question was presented in response to my request to activate the bill-paying option.2

Despite the apparent similarities in the two “Sarcoxie” answers, the server at the bank’s site detected a difference and rejected my request. An examination of the two “Sarcoxie” answers reveals no error because it is an invisible difference.


When I originally set the “correct answer,” I cleverly entered a blank space after the “e” in “Sarcoxie.” While I am capable of carelessly hitting the space bar to accomplish this faux pas, in this case I put forth considerably more effort. I had originally entered “Sarcoxie MO” but on realizing the needless complications involved, I deleted the “MO” portion. I did not, alas, eliminate the blank space between “Sarcoxie” and “MO.” When I entered the answer a few hours later from home, I did not include that blank space at the end. The computer picked up the difference between “Sarcoxie” and “Sarcoxie[blank space]”.3

Optimally, one is better served by not entering a blank space in the answer to one’s security question. (Entering a carriage return causes an analogous problem of an extra, invisible character.) In less optimal circumstances, if the seemingly correct answer to a security question is rejected, consider the possibility that after the last visible character in the answer there may be a blank space (or carriage return) that is the cause of the problem.
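The mismatch described above is a server-side normalization problem as much as a user problem: a site that compares the raw bytes of an answer will reject “Sarcoxie” against a stored “Sarcoxie ” (trailing space) or “Sarcoxie\r\n” (carriage return). The following is an added example, not code from the original post or from any bank’s system, showing how a site can canonicalize answers before storing and checking them. The function names (`normalize_answer`, `naive_match`, `enroll_answer`, `verify_answer`) and the sample answers are assumptions made for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Hypothetical helper names for the example; the post does not describe
# how the bank's site actually compared answers.

ITERATIONS = 200_000  # PBKDF2 work factor for the stored answer hash


def normalize_answer(answer: str) -> str:
    """Canonicalize a security-question answer before it is stored or checked.

    Removes the invisible characters the post describes (a trailing space or a
    carriage return/line feed), collapses internal runs of whitespace to one
    space, applies Unicode NFKC and folds case, so "Sarcoxie ", "Sarcoxie\\r\\n"
    and "sarcoxie" all reduce to the same canonical form.
    """
    text = unicodedata.normalize("NFKC", answer)
    # str.split() with no argument splits on any whitespace, including \r, \n
    # and tabs, and drops leading/trailing/repeated whitespace.
    text = " ".join(text.split())
    return text.casefold()


def naive_match(stored: str, candidate: str) -> bool:
    """The comparison the post ran into: byte-for-byte equality on raw input."""
    return stored == candidate


def enroll_answer(answer: str, salt: Optional[bytes] = None) -> tuple:
    """Store only a random salt and a slow hash of the normalized answer,
    never the answer text itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Normalize the candidate exactly as at enrollment and compare the
    hashes in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, ITERATIONS
    )
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    # Constructed sample: the answer as originally saved, trailing space included.
    salt, stored = enroll_answer("Sarcoxie ")
    print(naive_match("Sarcoxie ", "Sarcoxie"))         # False: the mismatch from the post
    print(verify_answer("Sarcoxie", salt, stored))      # True after normalization
    print(verify_answer("sarcoxie\r\n", salt, stored))  # True: carriage return ignored too
    print(verify_answer("Joplin", salt, stored))        # False
```

Normalizing at both enrollment and verification is what makes the two paths agree; normalizing only one side reintroduces the same class of mismatch. Case folding is a deliberate trade: it costs a little answer entropy but removes a second common source of spurious rejections, and the salted, iterated hash means a leak of the answer table does not hand an attacker the plaintext answers that other sites may also ask for.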

Security Question Tip #2: The Answer Doesn't Have To Be Correct - It Does Have To Match

The importance of Tip #2 is that security questions, in addition to the problem of recalling one’s answers with precision years later, can be a security risk. If the obnoxious 13-year-old kid next door can reset your Yahoo Email password by correctly entering your place of birth, a bit of data amusingly easy to find in the case of, say, a candidate for vice-president (and not so difficult to find in the case of even the not-famous), then you, my friend, have got a security problem.

The easiest solution is to re-frame Security Questions. Instead of viewing them as a biographical questionnaire, consider each security question as a code to be deciphered into a specific response. Then, the only trick is to consistently use a decoding formula that can be recalled when you’re trying to access your get-out-of-town-fast money from that secret account with the security questions you haven’t used since setting up the account six years ago.

There are lots of algorithms proffered on the net for this purpose; the one that follows is a variant of the simple formula I use. It’s flawed - and about 35,297 times better than using the so-called correct answers.

1. Select a six character sequence that includes at least 1 number and 1 letter and contains no characters that are not numbers or letters. (Some programs accept all kinds of weird typographical notations while others seem to reject anything except numbers and letters. I want one sequence that works as universally as possible.) This is the only sequence you must memorize or use a mnemonic to remember (I usually start with the mnemonic and develop the sequence from it rather than vice versa) because you’ll be using it as a part of all the answers. For our example, we’ll use 7rhP21.

2. Construct the answer to any Security Question with this formula:

[The first 2 letters of the final word of the question] followed by
[7rhP21] followed by [the first 2 letters of the first word of the question]4

3. If necessary, use this supplemental rule: If the first and/or final words are one-letter words, enter that same letter in the same case twice to make the two letters required in the formula.

Examples

So, if the security question is “In what city were you born?” the answer is

[The first two letters of the final word of the question] = bo
followed by [7rhP21] = 7rhP21
followed by [the first two letters of the first word of the question] = In
Answer: bo7rhP21In

If the security question is “A pet name for your first girl friend,” the answer is

[The first two letters of the final word of the question] = fr
followed by [7rhP21] = 7rhP21
followed by [the first two letters of the first word of the question] = AA (If the first and/or final words are one-letter words, enter that same letter in the same case twice to make the two letters required in the formula.)
Answer: fr7rhP21AA

There is, of course, nothing magic about the details of my methodology. Feel free to adapt the formula to whatever amuses you. Once you have a final algorithm, you can cast aside your concerns about forgetting whether it was your 3rd or your 6th grade teacher who was your favorite elementary school teacher - it was te7rhP21Wh.
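The three steps above, and the three worked answers, amount to a small deterministic function of the question text and one memorized secret. The following is an added example, not code from the original post, implementing that formula exactly as stated (first two letters of the final word, the secret, first two letters of the first word; case retained per footnote 4; punctuation such as the trailing “?” ignored; a one-letter word doubled under step 3) together with a check of step 1’s constraints on the secret. The function names (`validate_secret`, `first_two_letters`, `derive_answer`) are assumptions made for the example; `7rhP21` is the post’s own sample sequence.

```python
import re

# The post's sample secret; a real user substitutes the six-character
# sequence they memorized (see step 1).
SECRET = "7rhP21"


def validate_secret(secret: str) -> bool:
    """Step 1's constraints: exactly six characters, ASCII letters and digits
    only, with at least one digit and at least one letter."""
    return (
        len(secret) == 6
        and secret.isascii()
        and secret.isalnum()
        and any(c.isdigit() for c in secret)
        and any(c.isalpha() for c in secret)
    )


def first_two_letters(word: str) -> str:
    """Apply the formula's letter rule to one word, keeping the original case
    (footnote 4). Punctuation such as "?" or "," is ignored; a one-letter word
    is doubled (the supplemental rule in step 3)."""
    letters = re.sub(r"[^A-Za-z]", "", word)
    if len(letters) == 1:
        return letters * 2
    return letters[:2]


def derive_answer(question: str, secret: str = SECRET) -> str:
    """Build the answer from step 2:
    [first 2 letters of the final word] + secret + [first 2 letters of the first word]."""
    if not validate_secret(secret):
        raise ValueError("secret must be six alphanumeric characters with a digit and a letter")
    # Only tokens that contain a letter count as words, so a stray "?" or "-"
    # on its own does not become the first or final word.
    words = [w for w in question.split() if re.search(r"[A-Za-z]", w)]
    if not words:
        raise ValueError("question contains no words")
    return first_two_letters(words[-1]) + secret + first_two_letters(words[0])


if __name__ == "__main__":
    for q in (
        "In what city were you born?",
        "A pet name for your first girl friend",
        "Who was your favorite elementary school teacher?",
    ):
        print(f"{q!r} -> {derive_answer(q)}")
```

Because every answer is a fixed function of the visible question plus the one secret, the secret has to be treated like a password: a site that stores its answers in plaintext and later leaks them exposes the secret, and with it the answers on every other site that uses the same formula. The formula also depends on the exact wording of the question, so a site that later rephrases its questions (or presents a translated version) will produce a different answer than the one enrolled.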

Footnotes

_____________________
  1. And no, I did not forget where I was born.
  2. “Sarcoxie” is not, of course, the town in which I was born. It does lay claim, on the other hand, to being the “Peony Capital of the World,” a title disputed by at least three other communities, one of which is in China. A Peony-Off is, no doubt, in the making.
  3. The blank space/carriage return problem is much less common with passwords because most programs will not accept a blank space as part of a password. Many security question formats, however, will allow a blank space or carriage return, often because they will allow more than one word in the answer. Also, most password prompts require the password to be entered twice with both entries matching exactly. Most security question formats do not have this requirement.
  4. Letters retain the same case as in the words from which they are drawn.
