Earlier Monday, fellow IT Business Edge blogger Sue Marquette Poremba pointed to a blog post by AVG exec Roger Thompson. Long story short, Thompson's credit card company had suspended his account due to "suspicious activity," which meant the credit card was declined when he tried to check out of a hotel recently. When he called to have the account reinstated, the credit card company began asking him questions related to his daughter-in-law, which, to his knowledge, should not have been publicly available information. Thompson was understandably shaken.
Sue used Thompson's situation as a reminder for businesses to ask whether their Web sites' security questions are "secure enough" when the answers can be found, without too much detective work, in publicly available data pools. She argues that they are not -- and rightly so, in my estimation.
I'd like to look at it more from a privacy standpoint. Thompson indicates the only place he and his daughter-in-law are connected online is Facebook, and that none of the information from those accounts should be publicly available. However, commenters to his blog reminded Thompson that marriage and birth certificates are public records, so the bank could have obtained the information with a couple of clicks.
In addition, the incident reportedly took place near the end of last week. If I'm not mistaken, that was around the same time that Facebook rolled out changes to its privacy controls. Once the new controls were in place, the default "share with" setting for nearly everything on one's profile was "everyone." Until users went in and changed their "share with" settings to "only friends" or "friends of friends," much more information was available via their Facebook profiles than usual.
That may have played a part in Thompson's bank being able to ask questions about his daughter-in-law using her maiden name.