Sunday, June 17, 2007


Mother's maiden name

The San Francisco Chronicle has an interesting article about a woman who tracked down her identity thief, chased her, and got her arrested.[1] Unfortunately, the thief, who had been on probation when the incident occurred, was only given probation (and “time served”) as punishment.

The article ends with a list of advice, most of which is pretty obvious and which we should already know:

10 ways to avoid identity theft
  1. Keep your Social Security card in a secure place, and give out the number only when necessary. Ask to use other identifiers whenever possible.
  2. Guard your purse or wallet. Never put either one down unless your hand is connected to it.
  3. Limit the number of checks and debit/credit cards you carry to only what you will actually need.
  4. Check credit card and bank statements carefully for unauthorized charges.
  5. Close credit card accounts you don't use on a regular basis.
  6. Shred all documents containing personal information — especially preapproved credit card offers — with a cross-cut shredder.
  7. Before revealing any identifying information, ask how it will be used and secured, and whether it will be shared with others.
  8. Order copies of your free credit reports from the three credit bureaus at least once a year, and check them carefully for accuracy. (See numbers below.)
  9. Place passwords on credit card, bank and phone accounts. Avoid using easily available information such as mother's maiden name, birth date, phone number, etc. Instead use an eight-character combination of letters and numbers.
  10. Use a locked mailbox or a post office box to send and receive mail.

It's item 9 that I want to focus on here, because it's not so obvious and is widely violated... and, in fact, many companies ask you to violate it (or even demand that you do). Consider this: You set up your bank account online with a password. You pick a Really Good password, too, not something like “qwerty123” or the model of your car. Maybe your password is “Frkm$wLD9@qq2jM”. Yowza! And then they ask you, for “security purposes”, to give them your mother's maiden name. That way, if you forget that great password you selected, not to worry: just phone them, give them mama's maiden name, and they'll sort you out, kein Problem.

What it amounts to is that “Johnson”[2] is now a second — and far inferior — password associated with your bank account. This is a sub-optimal situation.[3] For one thing, mom's maiden name is a very poor password to start with, and for another, it's information that someone looking to steal your bank account information (or contents) could look up.

Now, many institutions are changing how they handle this, asking a series of questions (of which “What's your mother's maiden name?” might be only one). The list of questions at some sites includes things like “What was your first pet's name?”, “What was the name of your high school?”, and “Who is your favourite singer?”, making the process of convincing a human that you are who you say you are like a game of Twenty Questions. Even so, it should be clear that the more one knows about you, the easier it might be to learn more. Figuring out where you went to high school and following you around a record store might yield access to your finances.

What might not be obvious, though, even with the maiden name thing, is that you don't have to tell them the truth. It's a password. So when you hear, “What's your mother's maiden name?”, mentally turn that into, “Please give me an alternative password for your account, in case you forget the other one.” And instead of saying, “Johnson”, say something like, “Jules Verne, green cheese”.[4] Yeah, they'll probably respond, “Say what?”, but just insist on it and make them put it in their records.

Just make sure you do pick something you'll remember later, or else you might wind up looking pretty silly.

[1] Hat tip: Pharyngula

[2] Uh, what do you think? No, it's not.

[3] It sucks.

[4] You really get extra points if you understand this reference.


Maggie said...

I had read somewhere to order one of the three free credit reports every four months (and rotate, so that you're ordering each one once a year).

The "mother's maiden name" question has always annoyed me and I make stuff up for that answer! Did you discuss this before? It seems like it's the marketing department and not any department with any actual information about identity theft that makes these brilliant decisions.

The Ridger, FCD said...

That is so freakin' simple and yet I confess I never really thought about it before. Sheesh.