by danweber 5057 days ago
I think "Security questions" need to be completely destroyed and the earth salted. Then we have a long talk about them before bringing them back in a very careful, limited format.

Bank Of America is horrible in this. First off, if someone else tries to log in using your username 3 times, it locks you out of your account. You need access to your email to get back in.

But it demands you re-create three security questions after that. I chose a simple username so other people stumble across it a lot. So I have to go through this process frequently, and there is nothing I can do to stop it.

How securely are they storing this PII? Probably not at all. I try to give the exact same questions and answers every time to limit what BoA knows about me, but someone compromising my BoA account might be able to learn that information and use it to cascade attacks into other services. (They display my secret questions and their answers to me in plaintext.)

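The lockout the post describes (three failed logins against a username, from anyone, and the real owner is locked out) is a classic denial-of-service property of username-keyed lockout. The following is an added example, constructed for this page and not Bank of America's code, contrasting a naive per-username hard lock with a per-(username, source) throttle that backs off instead of locking. The usernames, IP addresses and the three-attempt threshold are assumptions for the demo.

```python
"""Account-lockout policies: username-keyed hard lock versus per-source throttle.

Constructed example for illustration; not any bank's implementation.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

MAX_FAILURES = 3  # assumed threshold, matching the "3 tries" in the post


@dataclass
class UsernameLockout:
    """Naive policy: failures are counted per username, no matter who sent them.

    Anyone who knows (or stumbles across) the username can lock the owner out.
    """
    failures: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def attempt(self, username: str, source_ip: str, password_ok: bool) -> str:
        if self.failures[username] >= MAX_FAILURES:
            return "locked"          # even a correct password is refused
        if password_ok:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "denied"


@dataclass
class PerSourceThrottle:
    """Failures are counted per (username, source) and answered with a delay.

    A stranger hammering the username only slows themselves down; the owner,
    logging in from a different source with the right password, is unaffected.
    """
    failures: Dict[tuple, int] = field(default_factory=lambda: defaultdict(int))

    def attempt(self, username: str, source_ip: str, password_ok: bool) -> str:
        key = (username, source_ip)
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"

    def delay_seconds(self, username: str, source_ip: str) -> int:
        """Exponential back-off once a source passes the threshold, capped at 1h."""
        n = self.failures[(username, source_ip)]
        if n < MAX_FAILURES:
            return 0
        return min(2 ** (n - MAX_FAILURES + 1), 3600)


def stranger_then_owner(policy) -> List[str]:
    """Constructed scenario: a stranger fails 3 times, then the owner logs in correctly."""
    stranger_ip, owner_ip = "203.0.113.5", "198.51.100.7"  # assumed, documentation ranges
    results = [policy.attempt("dan", stranger_ip, password_ok=False) for _ in range(3)]
    results.append(policy.attempt("dan", owner_ip, password_ok=True))
    return results


if __name__ == "__main__":
    print("username lockout :", stranger_then_owner(UsernameLockout()))
    print("per-source throttle:", stranger_then_owner(PerSourceThrottle()))
```

Per-source throttling on its own is weaker against distributed guessing from many addresses, which is why it is normally paired with a second factor or device recognition (as the credit-union comment further down describes) rather than used as the only control.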

There is no reason for banks to have any security questions at all, or even passwords. They can mail security tokens to all their customers and rely on the post office validating the identity of the customer. And if the security token breaks or is lost they can just mail a new one.

This is what all or virtually all Swedish banks do.

Only websites where the users need instant access or you have a low profit per user cannot afford security tokens. Banks are obviously not included here.

My bank (a credit union actually) requires you to come in to a branch office during normal business hours if you need to get your password or ATM PIN number changed, or if you've tried the wrong password too many times and locked your account.

They also use two-factor auth on logins from new computers (or when you've cleared your cookies).

No, they can't rely on the post office. The workers there aren't paid that well, after all, and some of them would probably be quite happy to take money on the side to make a few security tokens disappear into the hands of a fraudster.

They already send credit and debit cards in the mail. Is this substantively different? Do we have widespread problems of postal workers stealing credit or debit cards? What's in place to prevent that, and why couldn't the banks use similar measures with an OTP device?

Security questions are pretty useless for protecting access as well. They're typically information that is easily available to a lot of people you wouldn't want to have access to your account.

Which is why I type random data I wouldn't remember and don't write that stuff down either whenever I'm asked to provide an answer to a "security question". They're the worst idea someone could think of to implement a security scheme. I am appalled at the fact that most (all??) of the big names on the internet use them. Even Google, who should know BETTER what with all the first class software engineers they have.

I don't mind the ones where you can set your own questions, but things like maiden names and first schools are asking for trouble.

The comedian Lucy Porter does a nice sketch about setting your own security question, claiming that one of hers was "Are you really going out dressed like that?" to which the answer was "You're not my real dad, you can't tell me what to wear."

Be careful with that strategy, as sometimes sites will force you to provide answers to security questions to access your account. Probably better to treat each question as its own password, despite the hassle.
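Two points in this thread lend themselves to a worked example: the original poster's question of how the answers are stored (and the observation that they are shown back in plaintext), and the advice above to treat each answer as its own password. The following is an added example, constructed for this page and not any bank's code. It stores answers the way passwords should be stored (normalized, salted, PBKDF2-HMAC-SHA256, constant-time compare) and then shows the caveat: a hashed answer drawn from a small guessable set still falls to an offline dictionary, while a random per-question answer does not. The iteration count, the surname list and the sample answers are assumptions for the demo.

```python
"""Storing security-question answers like passwords, and why that only goes so far.

Constructed example for illustration; not any bank's implementation.
"""
import hashlib
import hmac
import os
import re
import secrets
from typing import Iterable, Optional, Tuple

ITERATIONS = 50_000  # assumed; kept low so the demo runs quickly, raise in production

# Constructed list of "common answers" standing in for a real surname dictionary.
COMMON_SURNAMES = ["smith", "johnson", "williams", "brown", "jones",
                   "garcia", "miller", "davis", "o'brien", "wilson"]


def normalize(answer: str) -> str:
    """Casefold, trim and collapse inner whitespace so 'O'Brien ' matches "o'brien"."""
    return re.sub(r"\s+", " ", answer.strip()).casefold()


def store_answer(answer: str) -> dict:
    """Return a record safe to keep in the database: per-answer salt plus a slow hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": ITERATIONS}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def dictionary_attack(record: dict, guesses: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guessing against a leaked record. Returns (recovered answer, attempts)."""
    attempts = 0
    for guess in guesses:
        attempts += 1
        if verify_answer(record, guess):
            return guess, attempts
    return None, attempts


def random_answer() -> str:
    """The 'treat each question as its own password' strategy: a random, stored answer."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    leaked = store_answer("  O'Brien ")            # a real-looking maiden name
    print("guessable answer recovered:", dictionary_attack(leaked, COMMON_SURNAMES))
    leaked_random = store_answer(random_answer())   # random answer kept in a password manager
    print("random answer recovered:   ", dictionary_attack(leaked_random, COMMON_SURNAMES))
```

Hashing stops a leaked table from disclosing answers outright, which addresses the cascade-to-other-services worry in the original post; it does nothing about the low entropy of a maiden name or first school, which is why the random-answer strategy (with each answer kept in a password manager, since the site may demand it later) is the part the user controls.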