Choosing Answers to Online Security Questions

When you set up online access to a financial institution or credit card company, many of these providers include a step in which you pick from a list of two or three “security questions” and then type in your own answers.

It’s an extra authentication step, so that if you log in later from a different computer or location, the system can show you one or two questions as a safeguard to make sure you’re the person who is supposed to be logging in, and not someone trying to gain unauthorized access.

However, there are a few important points to be made about the way you answer these questions. First, they’re usually case-sensitive. If you type in “Sycamore Street” and then try “sycamore street” later when the question pops up, it’s going to reject your login. You have to remember exactly how you typed it the first time.

More important, however, is that many of the answers to these questions may not be all that obscure, given the widespread use of social networks like Facebook. How many people have posted photos of their first car online? That’s one of the more common security questions. There are even images that look like fun, nostalgic discussion prompts but might actually be social engineering campaigns designed to get large numbers of people to publicly reveal security question answers. Some of these ask about first cars, the streets people grew up on, or schools (revealing mascots, school colors, etc.).

The first thing to do is avoid commenting on such items when they make the rounds on Facebook. Make sure your profile is set so that only friends can view your posts, in case you want to put up any old photos.

But also remember this: nobody says you have to answer security questions honestly.

As long as you can remember your answers, there is nothing stopping you from typing “Batmobile” for your first car, or “Electric Avenue” for the street you grew up on. You can even answer the questions as a favorite fictional character, but it might be a good idea not to pick one that is too popular. If you’re a known Harry Potter fanatic, “Privet Drive” isn’t going to be very obscure if you’re answering as the title character.

Of course, you also have to remember which fictional character you’ve answered as for each website. The real point is, anything you can do to make your security question answers harder for someone else to guess (but still easy to remember yourself) can help prevent unauthorized access.