Date of birth should NOT be a security question

Using a person’s Date of Birth as a security question can have the opposite effect: it can be a major security flaw.

It baffles me why a bank would ask me to log in with a password and also ask for my date of birth (DOB). Then the bank (or maybe not the bank) calls on the phone with stupid conversations like this:

Phone: May I speak to Mr. Kendall?

Me: Mr. Kendall speaking

Phone: Before I continue, can you tell me your date of birth and zip code please?

Me: Who are you?

Phone: I can’t tell you unless you tell me your date of birth and zip code.

Me: What is it about?

Phone: It is a confidential matter. I have to go through security before I can tell you anything. I need your date of birth and zip code.

Me (in a cautious and security-conscious mood): Shove off.

The inference is that if I know someone else’s date of birth and zip code, I can pass their security tests.

Your date of birth is probably the easiest piece of “sensitive” information to find out, but many financial companies use it as a security question. Why link so many records to a DOB?

What about this scenario (totally fictional)? Fred doesn’t really exist, and he’s lucky he doesn’t.

I was driving home and saw a house around the corner with a big banner: ‘Happy Birthday Fred – 40 today’.

It seems harmless enough at first glance, but it’s enough to cause Fred a lot of trouble. Now I know that someone named Fred lives in that house. I know the zip code. I took note of the license plate of his car. If Fred is 40 years old today, it doesn’t take a lot of math to calculate his birth date.

Once home, it doesn’t take me long to find Fred online; there are many free business lookup resources, and from his birth date and zip code I can find Fred’s full name. I can find him on Facebook too, with the birthday parties; now I have pictures of him and I know his family’s names and his pets’ names, lots of good password fodder in there. Through Twitter I know his movements, and I even find out that tomorrow he is going on a family vacation over the weekend. From LinkedIn, I know his job(s) and his previous education. I know when he moved into his house, how much he paid for it, and how much it’s worth now. I know from Google Maps that there is a swimming pool in the back garden.

It took me just 10 minutes to figure all this out. So far I haven’t done anything illegal. No phishing, no lying, no hacking, no paid searches, no going through his bins. I have enough information to write a book about Fred, and it’s all publicly available, thanks mostly to financial institutions, the government, and social media; but perhaps mainly to Fred, who inadvertently gives away too much information.

All I needed was his date of birth.

But is this Fred’s fault? Surely he has the right to share his birthday with friends and acquaintances. It is banks and other financial institutions that should use some other identifier that people do not need, or even want, to share publicly.
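To put numbers on the argument, here is an added example (my own code, not part of the original post). It shows how little a date of birth is worth as a secret: from a banner like “40 today” the exact date follows directly, and even a rough age estimate leaves only a few thousand candidates, about 12 bits of guessing. For contrast it sketches the kind of identifier the post asks banks to use instead: a per-customer random secret that never needs to be shared publicly, checked in constant time with a lockout. The sighting date, ages and lockout threshold are constructed values, and the verification scheme is an assumption about what “some other identifier” could look like, not any bank’s actual procedure.

```python
from datetime import date, timedelta
import hmac
import math
import secrets


def dob_from_age(seen_on: date, age: int) -> date:
    """Birth date implied by a 'N today' banner seen on seen_on.

    A 29 February birthday that falls in a non-leap year is mapped to 28 February.
    """
    try:
        return seen_on.replace(year=seen_on.year - age)
    except ValueError:  # 29 Feb in a non-leap year
        return seen_on.replace(year=seen_on.year - age, day=28)


def dob_candidates(seen_on: date, min_age: int, max_age: int) -> int:
    """How many birth dates are consistent with an estimated age bracket.

    Someone aged between min_age and max_age (inclusive) on seen_on was born
    between the day after they would have turned max_age + 1 and the day they
    turned min_age.
    """
    newest = dob_from_age(seen_on, min_age)
    oldest = dob_from_age(seen_on, max_age + 1) + timedelta(days=1)
    return (newest - oldest).days + 1


def guess_bits(n_candidates: int) -> float:
    """Work factor of a knowledge factor, in bits, for a uniform guess space."""
    return math.log2(n_candidates)


def issue_verification_secret(n_bytes: int = 16) -> str:
    """A bank-issued random secret (assumed scheme): generated once, shown to the
    customer only inside an authenticated channel, never derived from public data."""
    return secrets.token_hex(n_bytes)


def verify_secret(stored: str, presented: str, failures: dict, account: str,
                  max_failures: int = 5) -> bool:
    """Constant-time comparison with a per-account lockout so the secret cannot
    be enumerated over the phone the way a DOB could be."""
    if failures.get(account, 0) >= max_failures:
        return False
    if hmac.compare_digest(stored.encode(), presented.encode()):
        failures[account] = 0
        return True
    failures[account] = failures.get(account, 0) + 1
    return False


if __name__ == "__main__":
    seen = date(2024, 6, 15)                      # constructed sighting date
    print("exact DOB from '40 today':", dob_from_age(seen, 40))
    n = dob_candidates(seen, 35, 45)              # only an age estimate
    print(f"candidates for age 35-45: {n} (~{guess_bits(n):.1f} bits)")
    print(f"bank-issued 16-byte secret: {8 * 16} bits")
```

The point of the comparison is the gap between roughly 12 bits (or zero, once a birthday banner is seen) and 128 bits: the first is enumerable by anyone with a phone and patience, the second is not, and the customer never has to hide it from friends.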
