Friday 27 July 2012

Who's your grandmother?

I recently signed up for something to do with credit card security. My first problem was that the letter that I got from the bank was so waffley, I couldn't work out what they wanted. After a few phone calls, I got that clarified, and signed up at the Trustwave web site to get PCI DSS compliant. I already have to get PCI DSS compliant, so I thought it would be easy.

The Trustwave web site required Flash, which I don't like, because they're constantly having security problems. So I had to enable Flash to get going. Then I signed up, and they wanted three security questions. You know the sort of thing? Mother's maiden name and stuff like that?

But that's not very secure; certainly not as secure as PCI DSS as a whole is trying to be. You could find out my mother's maiden name pretty easily. They suggested "name of first girlfriend", "maternal grandmother's given name" and lots of ideas like that. None of which sounds secure to me.

But what they're really asking for is three more passwords, and they want them to be something I already know. The trouble is, so do other people.

So I tried out an idea that I've been thinking of using for a while. I just made up three passwords. I didn't give them the name of my first girlfriend (which is an ambiguous concept anyway), I just gave them a couple of syllables which aren't any name I've ever heard of. And the same for the other two words they wanted. And, of course, I wrote them down, so that if I need to, I can give them in future.
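The same trick in code, as an added example that is not part of the original post: a few random consonant-vowel syllables make a nonsense word that is easy to read back over the phone but is not anyone's name. The syllable alphabet and the assumed pool of roughly 1000 common surnames an attacker would try for a real maiden name are my assumptions, used only to compare the two kinds of answer.

```python
import math
import secrets
from typing import Dict, Iterable

# Constructed letter inventory (an assumption, not from the post): consonant-vowel
# syllables read back unambiguously when a bank asks for the answer by phone.
CONSONANTS = "bdfgklmnprstvz"
VOWELS = "aeiou"
SYLLABLE_CHOICES = len(CONSONANTS) * len(VOWELS)  # 70 distinct syllables


def random_answer(n_syllables: int = 5, rng=secrets) -> str:
    """Return a pronounceable nonsense word built from n_syllables CV syllables.

    `rng` is anything with a `choice(seq)` method. The default is the `secrets`
    module, so answers come from the OS CSPRNG; a seeded `random.Random` can be
    passed in when a reproducible value is wanted for testing.
    """
    if n_syllables < 1:
        raise ValueError("need at least one syllable")
    return "".join(rng.choice(CONSONANTS) + rng.choice(VOWELS)
                   for _ in range(n_syllables))


def answer_entropy_bits(n_syllables: int) -> float:
    """Entropy of a random_answer() output: each syllable is one of 70 choices."""
    return n_syllables * math.log2(SYLLABLE_CHOICES)


def lookup_entropy_bits(candidate_pool: int) -> float:
    """Entropy of a 'real' answer once an attacker has narrowed it to a pool,
    e.g. a maiden name that is one of the 1000 most common surnames (assumed)."""
    return math.log2(candidate_pool)


def make_answers(questions: Iterable[str], n_syllables: int = 5,
                 rng=secrets) -> Dict[str, str]:
    """Give every security question its own independent random answer,
    ready to be written down or stored in a password manager."""
    return {q: random_answer(n_syllables, rng) for q in questions}


if __name__ == "__main__":
    questions = [  # the three prompts mentioned in the post
        "Mother's maiden name",
        "Name of first girlfriend",
        "Maternal grandmother's given name",
    ]
    for question, answer in make_answers(questions).items():
        print(f"{question}: {answer}")
    print(f"random 5-syllable answer: {answer_entropy_bits(5):.1f} bits; "
          f"real maiden name guessed from 1000 surnames: "
          f"{lookup_entropy_bits(1000):.1f} bits")
```

Five syllables give about 30 bits, three times what a guessable maiden name offers; add syllables if the site lets you, and keep each question's answer distinct so one leak does not unlock the others.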

After a bit of tweaking, I passed their PCI DSS security test, but it's going to cost me £29.99 per year to remain compliant, and if I don't, it'll cost me £9.99 per month. Another cost for businesses to pay.


  1. I've heard other security experts say they use random passwords for those security questions as well. Some of it makes good sense.

    I do see more of a pattern now where the places let you make up your own question in addition to your own answer. Presumably to avoid the problem you've mentioned, so that you can limit the question/answer to something only you truly know (and others can't just look up).

  2. Indeed, to both of you: for the last 30 years (I'm still not quite as old as the Doc), my mother's maiden name has been totally random. In fact I tend to use it for all my security questions!