Q&A: The insecurity of bank security questions

Dear Liz: I recently opened an account at a bank that boasted “multi-factor authentication,” but I looked into the claim and it turns out the bank is using passwords plus answers to security questions, such as the name of your first pet, as the “multi-factor authentication.” I expect you know that the real multi-factors are something you know, like a username and password, something you have, like a code that has been sent to your phone or email, and something uniquely inherent to you, like a fingerprint. Clearly, this bank is misrepresenting its “multi-factor authentication.”

Answer: If there was any doubt about how insecure security questions are, it should have been settled with the hack of the IRS’ Get Transcript service. The criminals gained access to 700,000 taxpayer accounts by correctly answering multiple questions with answers supposedly known only to the affected taxpayers. In reality, the answers to many security questions can be purchased from black market databases or simply found by perusing people’s social media accounts.

If your financial institutions are still using security questions to identify you, you should demand to know why. If the institution doesn’t offer at least two-factor authentication (a password plus a code), you should consider putting your money somewhere else.