Date of birth should NOT be a security question


Using a person’s Date of Birth as a security question can have the opposite effect: it can be a huge security flaw.

I am puzzled why a bank would ask me to log in with a password and also ask me for my date of birth (DOB). Then the bank (or maybe not the bank) calls on the phone, and the conversation goes something like this:

Telephone: Can I speak to Mr. Kendall?

Me: Mr. Kendall speaking.

Telephone: Before we continue, can you tell me your date of birth and zip code, please?

Me: Who are you?

Telephone: I can’t tell you unless you tell me your date of birth and zip code.

Me: What is it about?

Telephone: It is a confidential matter. I have to get through security before I tell you anything. I need your date of birth and zip code.

Me (in a cautious, security-conscious frame of mind): Shove off.

The inference is that if I know someone else’s date of birth and zip code, I can pass their security tests.

Your date of birth is probably the easiest piece of “sensitive” information to find out, but many financial companies use it as a security question. Why link so many records to a DOB?

Consider this (totally fictional) scenario. Fred doesn’t really exist, and he’s lucky he doesn’t.

I was driving home and saw a house around the corner with a big banner: ‘Happy Birthday Fred – 40 today’.

It seems harmless enough at first glance, but it’s enough to cause Fred a lot of trouble. Now I know that someone named Fred lives in that house. I know the zip code. I took note of the license plate of his car. If Fred is 40 years old today, not much math is needed to calculate his date of birth.
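To put a number on how little the banner leaves to guess, here is a small added model (not from the original post) of how many guesses an impostor needs to pass a date-of-birth-plus-zip-code check, depending on what they already know. The lifespan and ZIP-code counts are rough assumptions chosen for illustration, not figures from the post; the random-secret baseline is what a bank-issued per-session code or app-based confirmation would give instead.

```python
import math

# Constructed assumptions for the model (not statistics from the post).
DAYS_PER_YEAR = 365.25
MAX_AGE_YEARS = 100        # assume the customer is at most 100 years old
US_ZIP_CODES = 42_000      # rough count of 5-digit US ZIP codes (assumption)
RANDOM_SECRET_BITS = 128   # a server-issued random session secret for comparison


def dob_guess_space(age_known: bool = False, birthday_seen: bool = False) -> int:
    """Number of candidate dates of birth an impostor must try.

    age_known:     the impostor knows the person's age (e.g. '40 today').
    birthday_seen: the impostor knows the day and month (a birthday banner).
    """
    if birthday_seen and age_known:
        return 1                              # banner gives the full DOB
    if birthday_seen:
        return MAX_AGE_YEARS                  # day/month known, year open
    if age_known:
        return round(DAYS_PER_YEAR)           # year fixed, day/month open
    return round(DAYS_PER_YEAR * MAX_AGE_YEARS)


def zip_guess_space(address_known: bool = False) -> int:
    """Number of ZIP codes to try; one if the impostor saw the house."""
    return 1 if address_known else US_ZIP_CODES


def bits(n: int) -> float:
    """Entropy in bits of a uniformly chosen secret with n possibilities."""
    if n < 1:
        raise ValueError("guess space must be at least 1")
    return math.log2(n)


def kba_bits(age_known: bool = False, birthday_seen: bool = False,
             address_known: bool = False) -> float:
    """Effective strength of 'DOB + ZIP' as a caller-verification secret."""
    return bits(dob_guess_space(age_known, birthday_seen)
                * zip_guess_space(address_known))


if __name__ == "__main__":
    print("DOB+ZIP, nothing known:   %.1f bits" % kba_bits())
    print("DOB+ZIP, age known:       %.1f bits" % kba_bits(age_known=True))
    print("DOB+ZIP, banner + house:  %.1f bits" % kba_bits(True, True, True))
    print("Random session secret:    %d bits" % RANDOM_SECRET_BITS)
```

Even with nothing known, the two answers together are worth only about 30 bits, far below a random secret; once the banner and the house have been seen, the check is worth zero bits, which is the situation the scenario describes.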

Once home, it doesn’t take me long to find Fred online; there are many free business directories, and from his date of birth and zip code I can find Fred’s full name. I can find him on Facebook (yes, the birthday parties). Now I have pictures of him, and I know the names of his family and the names of his pets: a lot of good password fodder there. Through Twitter I know his movements, and I even find out that tomorrow he is going on a family vacation for the weekend. From LinkedIn, I know his job(s) and his previous education. I know when he moved into his house, how much he paid for it, and how much it’s worth now. I know from Google Maps that there is a swimming pool in the back garden.

It took me only 10 minutes to figure all this out. So far I haven’t done anything illegal. No phishing, no lying, no hacking, no paid searches, no rummaging through his bins. I have enough information to write a book on Fred, and it’s all publicly available, usually thanks to financial institutions, the government, and social media; but perhaps mainly to Fred, who inadvertently gives away too much information.

All I needed to start with was his date of birth.

But is this Fred’s fault? Surely he has the right to share the date of his birthday with friends and acquaintances. It’s the banks and other financial institutions that should be using some other identifier that people don’t need, or even want, to share publicly.
