When it comes to proving that you really are who you say you are on service providers' websites, the questions you have to answer can no longer be the only means of verification, say experts. This is because the answers can easily be found using search engines or social networking sites, or extracted through spear phishing attacks. Instead, they say, question-based verification should be just one part of a multi-level authentication strategy.
But you, the user, also have an important part to play in that you should create questions with unique answers that only you would know, and ensure this information is not compromised or shared on Twitter, Facebook, your blog or other public platforms.
Information once considered confidential, such as someone's NI number and mother's maiden name, can sometimes now be found by simply doing an online search.
Social media sites are also very useful for cybercriminals looking for users' personal details. A good example is LinkedIn, where it is standard practice to list your first job and the school or university you attended. Facebook or Pinterest could provide answers such as a person's mother's maiden name, the city they grew up in, or their personal interests.
Ronnie Ng, director of systems engineering at Symantec Singapore, commented that cybercriminals who have conducted spear phishing attacks to get a user's password would also probably possess the information to crack simple authentication questions.
There are stronger types of authentication or 'knowledge-based' questions which cannot be answered by an educated guess after trawling for information online. These usually cover non-public information such as how much your monthly mortgage payment is, the name of the bank the payment comes out of, or the street you lived on many years ago. The trade-off is that knowledge-based authentication can become too complicated, with questions that are too obscure and answers that are unlikely to be memorable. This would undermine user experience and consumer satisfaction. For example, when your bank asks you when your last transaction was made, do you remember the date?
Symantec's Ng called on service providers to devise a multi-level authentication to secure their networks and sites and protect their customers.
He added that device-based authentication, used in tandem with knowledge-based questions, will make security that much tighter. For identity verification, a series of questions should be asked rather than a single one. Again, this must not put users off with too many complex security layers that demand excessive time and effort.
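The layered approach Ng describes, as an added illustration that is not code from the article or from Symantec: a recognised device lowers the number of knowledge-based answers required, an unknown device must answer the whole series, and answers are normalised and stored only as salted PBKDF2 hashes so a breach of the verification records does not hand out the answers themselves. The question labels, the sample answers and the device ids are constructed for the example.

```python
import hashlib
import hmac
import os
import unicodedata


def normalize(answer: str) -> str:
    """Fold case, accents, spacing and punctuation so 'Main St.' matches 'main st'."""
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.lower() if ch.isalnum())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Slow salted hash: the answer pool is small, so brute forcing must stay costly.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 50_000)


def enrol(answers: dict, known_devices: set) -> dict:
    """Build the verification record: hashed answers plus previously verified devices."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "answers": {q: hash_answer(a, salt) for q, a in answers.items()},
        "devices": set(known_devices),
    }


def verify(record: dict, device_id: str, responses: dict) -> bool:
    """Device factor plus a series of questions; all answers are checked even
    after a failure so timing does not reveal which question was wrong."""
    total = len(record["answers"])
    required = 1 if device_id in record["devices"] else total
    correct = 0
    for question, expected in record["answers"].items():
        given = hash_answer(responses.get(question, ""), record["salt"])
        if hmac.compare_digest(given, expected):
            correct += 1
    return correct >= required


def sample_record() -> dict:
    # Constructed enrolment for one user (non-public answers, one trusted device).
    return enrol(
        {"street": "Main St.", "bank": "ExampleBank", "mortgage": "1250"},
        {"device-A"},
    )
```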