I’m in the middle of opening a bank account with KBC, and I’m both sadly amused and annoyed with them.
Let us start with their security verification questions when creating an account.
- What is your mother’s maiden name?
- What is your favourite colour?
- Where were you born?
Rather than rant, I shall quote the National Cyber Security Centre in the UK.
> If your security question asks for a fixed piece of information, you should assume the attacker can guess the answer. Questions like ‘What is your mother’s maiden name?’ or ‘What is your postcode?’ are all easy to research, especially considering the widespread use of social media.
My security practice when encountering these types of question is to use a password generator, usually in word mode rather than random string, to create a random answer – much like Horse Battery Staple, but not that phrase!
Except it turns out that the first UI should never have accepted spaces in the first case. When talking to KBC’s customer service, they said “oh, there are no spaces in the colour”. So KBC’s system had silently mutated the secret I provided, and did not tell me that it was mutating it!
Oh, and there’s the third problem – their staff can see my secrets in their entirety. I’m not sure a 0.2 percentage point discount on a mortgage is worth this hassle.
So far, I’d rate KBC about 1 out of 10.
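As an added illustration (not KBC's code, and not part of the original post), here is one way a security-answer store could avoid the three problems above: answers are generated randomly in word mode, unsupported input is rejected with a message instead of being altered, and only a salted hash is kept so staff cannot read the secret. The word list, function names and iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import secrets

# Constructed word list for the demo; a real generator uses thousands of words.
WORDS = ["maple", "orbit", "candle", "gravel", "tulip", "anchor", "velvet", "pickle"]
ITERATIONS = 600_000  # assumed PBKDF2 work factor for this sketch


def generate_answer(n_words=4):
    """Random word-mode answer drawn with a CSPRNG, unrelated to the question."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


def canonical(answer):
    """One documented normalisation, applied identically at enrolment and verification."""
    return " ".join(answer.casefold().split())


def _digest(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", canonical(answer).encode(), salt, ITERATIONS)


def enrol(answer, allow_spaces=True):
    """Return (salt, digest); the answer itself is never stored."""
    if not canonical(answer):
        raise ValueError("answer is empty")
    if not allow_spaces and " " in answer:
        # Tell the user instead of changing what they typed.
        raise ValueError("spaces are not accepted; please choose another answer")
    salt = os.urandom(16)
    return salt, _digest(answer, salt)


def verify(answer, salt, digest):
    """Constant-time comparison of the recomputed digest with the stored one."""
    return hmac.compare_digest(_digest(answer, salt), digest)


def silently_stripping_enrol(answer):
    """The behaviour described in the post: the stored value differs from the input."""
    return answer.replace(" ", "")
```

With this layout a support agent can only confirm that a spoken answer matches; the stored record does not reveal it.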