• PC World
• »Security

Stump the Hacker

Companies have realized the approach's weakness, and most have broadened their lists of questions. But devising questions that are general enough for everyone to answer yet specific enough to be easy to recall is a formidable task. Most people can name a favorite movie, but their answer to that question might change over time. So getting the answer right requires recalling such details as when you answered the question--which increases your chance of making an error. On the other hand, factoids such as the city of your birth, your mother's maiden name, or even your social security number may be public information.

"You need a question [that is] discernible if a million people see it for the first time," says Fisher. But some questions have become esoteric, he believes. "I see it as a situation in which banks have sacrificed some usability for better security."

"[Questions are] definitely getting weird," says James. "I just had one that was 'What was the name of your first pet?' but I had two dogs growing up, so I don't know."

Meanwhile, online social networks provide a wealth of information about individuals--including dates of birth, addresses, education histories, and personal tastes in books, movies, and the like--that crooks could tap.

Amir Orad of antifraud company Actimize doesn't expect that people will cease sharing personal information any time soon. "I think this trend is unstoppable. You're not going to change the behavior of 200 million Facebook and MySpace users." Orad thinks that banks and merchants must instead develop systems to detect fraudulent practices behind the scenes, much as credit companies today have devised ways to spot suspect purchases and notify customers.

Keep It Simple, Not Stupid

Simple steps can go a long way toward thwarting authentication fraud. Orad recommends that people not resort to using any information about their personal life that might be available online. "Anything you say can and will be used against you," he warns.

Also, you should steer online transactions toward businesses that offer more than just passwords and secret questions as protection. For example, PayPal offers a device that generates one-time passwords that you can use for secure log-ins, and Bank of America recently introduced a program that sends required PINs to customers' mobile phones via SMS.