Thursday, October 20, 2011

Credit History questions

One thing I've noticed while retrieving my free annual credit report is that credit bureaus will often verify your identity by asking you security questions based on your credit history.  These aren't security questions that you set yourself; they're multiple choice questions like "From which of these companies do you currently have an auto loan?"

Being multiple choice they don't exactly have all that much strength, especially since a wrong answer doesn't necessarily mean that the person is an attacker.  A question such as "What state was your Social Security card first issued in?" might not be easy to answer for somebody who moved around a lot as a child.  Even if you know what website to log into when you pay student loans you may not know exactly which company owns them or how they appear on your credit report.  And that's all assuming your credit report is even accurate, which isn't always true!  Some implementations at least take this into account and have a "not sure" option.

Privacy may be an issue as well: if you can figure out what bank your target uses, what brand of car they drive, etc., then--since the questions are multiple choice--you probably have a good chance of getting some of them right.

Are they better than nothing?  I suppose they're a sensible way of adding a little security in authenticating somebody who doesn't have an existing account on the credit bureau's website.  In previous years I was able to get a credit report just by entering my SSN and standard personal information.  Now I have to do that plus play multiple choice with what I remember of my credit history.  I'm not sure exactly how they decide whether or not you're you, and perhaps they could be more of a fraud detection tool than an access control mechanism, but they don't inspire much additional confidence on my part.
