When an expert in data security says something scares him, I pay attention. In his AVG blog, Roger Thompson wrote that his credit card had been declined because of unusual activity and he had to take the typical steps to fix the situation.
"Here's the scary bit. The guy says, 'And now, sir, just a couple more questions, please. This is from publicly available information. What age-range would best describe this person?' and he proceeded to ask me about my daughter-in-law, using her maiden name, and she's been married for nine years!"
Thompson believes the information came from his Facebook account, possibly from data that was hacked. That in itself is a problem, but Thompson's story also highlights another security problem: with more people putting out personal information on the Web via social media and blogs, security questions have become less secure. Those surveys that go around that ask about your childhood that everyone likes to share? Take a closer look at the questions and answers; chances are you answered something similar for a security question at your online bank site.
Using security questions and answers that are easy to guess is nothing new. I had to use my mother's maiden name as a security question back when I was in college and my computer science major friends were still using punch cards.
But with the proliferation of easily found personal information, businesses may want to rethink the security questions they use. According to GoodSecurityQuestions.com, one of the best solutions is to allow visitors to your site to invent their own question.
If that's not a possibility, avoid using information that is public knowledge or could be found with minimal detective work. Bottom line: if your customers need to think a bit to remember the answer to their question, it will be more difficult for that information to be stolen.