8

When you sign into Bank of America on a computer you haven't used with them before, the site prompts you to answer one of your security questions.

How exactly does this make the site more secure?

Is the assumption that if a person somehow guessed your password, they couldn't get in on their computer because they wouldn't know your security questions? If they have your password, they've already won. It seems like all this does is make it harder for legitimate users to use the site...

Update

Based on the answer from @AJHenderson it seems that the scenario we're trying to protect the user from is a key logger. Perhaps we're counting on the key logger as having been placed after the user already marked this computer as "trusted" by entering their security question? In that particular case the hacker wouldn't have captured the user's security question answer. Wouldn't a better solution be to have the user enter a PIN via an onscreen key pad that wouldn't be so easily key logged?

Anders
John
  • If they have your password, but not your security questions, then they haven't won since they need the answers to your security questions too. If banks used onscreen PIN pads, then keygrabbers would just need to grab an image of the screen (or maybe just the area of the screen near mouse clicks). Two factor authentication would be better - like an auth code SMS'ed to your phone, or a code provided by an authentication token. – Johnny May 06 '13 at 22:24

3 Answers

4

The scenario that this is designed to prevent is keylogging. It is fairly easy to get a keylogger that will report back but somewhat more complex to make a program that will actually execute an attack remotely on another computer. Since you don't regularly enter your security question answers, if an attacker obtains your password via a key logger, they won't be able to use it on their system without knowing the answer.

It does have somewhat limited effectiveness though as if the attacker can force your system to not be recognized, they can get you to answer the security questions as well. It is still a slight increase in difficulty for an attacker though and is not a significant or even common burden for a user.

AJ Henderson
  • Seems like a diluted version of two factor authentication... – John May 06 '13 at 21:15
  • Actually after having thought about it, if the hacker has physical access to the computer you're logging in from, it's all over. He could key log the security questions. Or, he could grab the cookie that's used to mark the computer as "trusted." Are there any measures you could take that would help the user at all really, in this scenario? It doesn't look good... – John May 06 '13 at 21:48
  • Would a PIN that you enter with the mouse via an onscreen keypad be a better solution? – John May 06 '13 at 21:50
  • @John - anything that you can enter, a keylogger could track. The trick is that you in theory should suspect something is wrong if you are asked your security questions on a computer you use regularly, so they shouldn't have access to the answers to your security questions. The cookie should only be valid from a given IP and remote controlling a system is far harder to do without detection than a simple keylogger. Not that it can't be done, but it is a slightly raised bar. – AJ Henderson May 06 '13 at 22:10
  • @John - Your conclusion is exactly what the banking sector claims a security question is. By law they are required to implement two factor authentication. Since giving every single customer a key fob is expensive, they decided many moons ago, this was a solution. – Ramhound May 07 '13 at 15:43
  • @John: yes - not sure about legislation in US, but in Europe, Basel II requires 2-factor authentication for personal banking - but 2 passwords are considered as adequate (one password and a cookie from a previous authenticated session seems to meet the requirement more sensibly). There's all sorts of other things the banks might use but don't. – symcbean May 11 '13 at 23:31
  • @John: I've long thought that there should be a smart-card standard such that a keyboard with a smart-card slot could send keystrokes through a smart card which could then encrypt it before feeding it to the computer. If the keyboard firmware was in a mask ROM (not flashable) then even an attacker who could install arbitrary software in a computer wouldn't be able to sniff passcodes because no reprogrammable device would ever see the passcodes. – supercat Feb 02 '14 at 22:21
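The "trusted computer" mechanism the answer and the comments describe (a cookie that marks a device after a security question has been answered once, only valid from a given IP, so a password captured elsewhere is not enough on its own) can be sketched as a signed device token plus a step-up decision. The following is an added illustration, not Bank of America's implementation or code from this thread; the token format, the 30-day lifetime, the IP binding and the server key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for this example only; a real deployment keeps
# it in a secret store or HSM and rotates it.
SERVER_KEY = b"example-server-key-not-for-production"
TRUST_LIFETIME = 30 * 24 * 3600  # assumed policy: a trusted device expires after 30 days


def issue_device_token(user_id, client_ip, now=None):
    """Mint a 'trusted device' cookie after the user has answered a security question.

    The token binds a random device id to the user and to the client IP (the binding
    AJ Henderson mentions) and carries an issue time. The HMAC tag lets the server
    detect any tampering without keeping per-device state.
    """
    issued = int(now if now is not None else time.time())
    device_id = secrets.token_hex(8)
    payload = f"{user_id}|{client_ip}|{device_id}|{issued}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def device_is_trusted(token, user_id, client_ip, now=None):
    """Return True only for an untampered, unexpired token issued to this user and IP."""
    if not token:
        return False
    try:
        tok_user, tok_ip, device_id, issued_str, tag = token.split("|")
        issued = int(issued_str)
    except ValueError:
        return False  # malformed cookie: treat as untrusted
    payload = f"{tok_user}|{tok_ip}|{device_id}|{issued}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        return False
    current = now if now is not None else time.time()
    if current - issued > TRUST_LIFETIME:
        return False
    return tok_user == user_id and tok_ip == client_ip


def login_step(user_id, password_ok, token, client_ip, now=None):
    """Decide what follows the password check: 'deny', 'allow', or 'challenge'.

    'challenge' means: ask a security question, and only issue a device token once
    it is answered correctly. A password captured by a keylogger and replayed from
    another machine therefore lands on 'challenge', not 'allow'.
    """
    if not password_ok:
        return "deny"
    if device_is_trusted(token, user_id, client_ip, now):
        return "allow"
    return "challenge"


if __name__ == "__main__":
    # Constructed walk-through: alice enrolls her laptop, then someone replays her
    # password from a different address without the cookie.
    cookie = issue_device_token("alice", "203.0.113.10")
    print("same device:", login_step("alice", True, cookie, "203.0.113.10"))
    print("no cookie, other IP:", login_step("alice", True, None, "198.51.100.7"))
```

Binding the cookie to the IP is the trade-off the thread discusses: it raises the bar for an attacker replaying a stolen password from their own machine, while a legitimate user whose address changes simply gets asked the question again.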
2

Fraud management. The bank's website may be using geo-location and device fingerprinting. From Wikipedia:

Geo-location is the identification of the real-world geographic location of an object, such as a mobile phone or an Internet-connected computer terminal.

Device fingerprinting is information collected about a remote computing device for the purpose of identification.

Imagine that this morning you did a transaction from the US and two hours later an attempt is made to log into your account from China. Using geo-location the system will know that something is not right.

If a new computer is being used to access your account the system wants to make sure that it is the real owner of the account and not some hacker with a stolen password.

The banking system may be designed to develop a level of trust for the computers that you regularly use for your financial transactions. The moment your request comes from a new device/location, the system asks you a security question.

P.S. If your security question is "what is the name of your dog?" or "What was the name of your high school?" the attacker may be able to guess these easily. Security questions cannot be compared to two factor authentication.

Shurmajee
  • Good answer. This has been routine practice more or less as you describe for a while (although the liability is still left with the merchant). – Ram May 11 '13 at 18:45
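The answer's two triggers for a challenge, a device the bank has not seen before and a location that is physically implausible given the previous login (the US-then-China case), can be expressed as a small risk check over login events. This is an added example rather than any bank's fraud engine; the event fields, the 1000 km/h speed threshold and the sample coordinates are constructed for the illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumed policy: roughly airliner speed


@dataclass
class LoginEvent:
    user_id: str
    timestamp: float  # seconds since epoch
    lat: float        # from IP geo-location
    lon: float
    device_id: str    # from the device fingerprint or trust cookie


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def required_speed_kmh(prev, cur):
    """Speed the account holder would have needed to travel between two logins."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.timestamp - prev.timestamp) / 3600.0
    if hours <= 0:
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def assess_login(history, cur, known_devices):
    """Return ('allow', []) or ('challenge', reasons).

    'challenge' is where the bank would present a security question (or a
    stronger second factor); the reasons list is what an analyst would see.
    """
    reasons = []
    if cur.device_id not in known_devices:
        reasons.append("new device")
    prior = [e for e in history if e.user_id == cur.user_id]
    if prior:
        prev = max(prior, key=lambda e: e.timestamp)
        if required_speed_kmh(prev, cur) > MAX_PLAUSIBLE_SPEED_KMH:
            reasons.append("impossible travel")
    return ("challenge" if reasons else "allow", reasons)


if __name__ == "__main__":
    # Constructed scenario from the answer: a login near New York, then one from
    # Shanghai two hours later on the same fingerprinted device.
    morning = LoginEvent("alice", 8 * 3600.0, 40.71, -74.01, "dev-1")
    later = LoginEvent("alice", 10 * 3600.0, 31.23, 121.47, "dev-1")
    print("needed speed: %.0f km/h" % required_speed_kmh(morning, later))
    print(assess_login([morning], later, {"dev-1"}))
```

The device check on its own is what the question describes (a first login from an unfamiliar computer gets the security question); the velocity check is what makes the US/China example detectable even when the attacker somehow presents a known fingerprint.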
1

The question is what was the name of your favorite pet? In order to answer that correctly, I have to be thinking today in the same frame of mind as the day I originally answered the question. On that day, it was spring, and I was thinking about the horse that I used to own. Riding in the warm springtime was so much fun. However, today it is winter, and I'm remembering my old collie that used to lay in front of the fire with me when it was cold outside. I don't remember the horse. What are the chances of getting that question correct, even though I am me and no hacker? Not high, unless I write the silly question down with my answer and post them near the computer. It is even harder with the question: where was your mother born? Was that in St. Gallen or St Gallen or Sankt Gallen or Switzerland or Europe?

For the record: Security questions make your system LESS secure because they force you to write down the questions and answers.

  • Writing your passwords on paper with a pencil is not as bad for security as people make it out to be. I have yet to encounter a virus or malware that can read a slip of paper in a wallet. Of course, this is limited to the situation where you can actually secure the paper. But it restricts attacks to the physical world, which are not scalable or automateable. – John Deters Nov 21 '13 at 13:41