Comment on For online security, your mother’s maiden name is not a secret

“Relying on questions and answers is absolutely brain-dead, but a lot of banks do it because they’re not equipped to implement anything else and regulators aren’t mandating alternatives,” says security expert Avivah Litan, vice president and analyst at Gartner Inc. “No security measure is perfect, but knowledge-based authentication is certainly more granular and more effective than shared secrets, such as your mother’s maiden name,” says Doug Johnson, senior vice president for payments and cybersecurity at the American Bankers Association. Security questions and answers were among the data stolen from 1 billion Yahoo accounts in 2013, for example, and criminals answered questions drawn in part from credit report data to access more than 700,000 taxpayers’ transcripts at the IRS. (If you can’t find a maiden name that way, try genealogy sites such as Ancestry.com.) Data brokers legally hawk addresses, phone numbers, birth dates and property records, among other information, for as little as $1 per person. Schwab also offers customers the option to add a verbal password and activate voice-recognition technology for added security in telephone transactions, says Sarah Bulgatz, its director of corporate public relations. Financial institutions may take extra measures to determine identity when they spot unusual transactions or attempts to log in from unfamiliar devices or networks, Johnson says. [...] while federal regulations typically require financial institutions to restore money lost due to fraud, some banks, including Chase , say customers will be on the hook if they share their credentials with third-party sites such as Mint. There’s no way to make your accounts hacker-proof, since criminals have found ways around everything from facial recognition software to fingerprint authentication. Financial institutions post security policies on their websites, but ask specifically how your bank or brokerage handles sensitive transactions, such as attempts to change your phone number (to thwart two-factor authentication, for example).