Your mother’s maiden name is probably not a secret. Neither is your high school mascot or the size of your car payment.
But some banks and brokerages still pretend this is information only you would know, and that could be putting your money at risk.
So-called security questions long ago outlived their usefulness, since they can be hard for the right people to remember and easy for the wrong people to guess or steal.
Repeated database breaches mean that tons of once-private information is now in criminal hands. Security questions and answers were among the data stolen from 1 billion Yahoo accounts in 2013, for example. And criminals answered questions drawn in part from credit report data to access more than 700,000 taxpayers’ transcripts at the IRS.
You don’t have to be a hacker or even very persistent to find the answers to some security questions. Many people post information such as birth dates and pets’ names on Facebook. They may link to family members, including their mothers. (If they can’t find a maiden name that way, they try genealogy sites such as Ancestry.com.) Data brokers legally hawk addresses, phone numbers, birth dates and property records, among other information, for as little as $1 per person.
Federal regulations typically require financial institutions to restore money lost due to fraud. But some banks, including Chase, say customers will be on the hook if they share their credentials with third-party sites such as Mint. Even if stolen money is eventually restored, customers could be without funds for days or weeks.
We need to take extra steps to protect our money. There’s no way to make your accounts hacker-proof, since criminals have found ways around everything from facial recognition software to fingerprint authentication. Your goal should be to make your accounts tougher to compromise so the bad guys move on to easier targets. Here’s how to do that:
- Use unique, strong passwords. Password managers such as 1Password and LastPass can help create and track this information as well as answers to security questions. Your router at home should be password-protected as well.
- Turn on two-factor authentication. Many banks and brokerages offer this option, which typically requires you to input a code texted to your cellphone or created by a smartphone app.
- Ask how your bank or brokerage handles sensitive transactions, such as attempts to change your phone number (to thwart two-factor authentication, for example). If you don’t like what you hear, then it may be time to move your money to a financial institution that wants to help you keep it.
- Stick to your home network. Criminals can snatch your login credentials when you use public Wi-Fi for financial transactions. Plus, your institution may pay more attention to bad guys’ login attempts if you have a consistent pattern of using only your home network.