First published: 13th April 2018
As I grow another year older, I'm grateful for my friends and family posting birthday greetings on social media. It's nice to hear from people who care about me.
It's also a time to reflect on how many times organisations have asked for my date of birth as a "security question" to "verify my identity". Mostly, it has been during phone calls with my bank. These calls have not been to authorise transactions, but to do other things for which the bank wants some assurance that it is me, yet which it does not consider important enough to require stronger methods. In reality, though, why does the caller knowing my date of birth give the bank any assurance that the caller is me? Many people know my birthday, and if a friend sets the sharing on their post to "Public", that set grows to "everyone on the internet".
What can we do about this? Should we stop posting birthday greetings on social media, stop having birthday parties, stop being social? This would be a bad response.
We need to force organisations to stop using non-secret information to "verify" our identities. Proving someone's identity remotely is a difficult problem, but it is unacceptable to pretend that these "security questions" solve it.
Brian Krebs makes a wider, related point in his recent blog post.