## Date of Birth Should NOT Be a Security Question

Using a person’s date of birth as a security question can have the opposite effect: it can be a huge security flaw.

I am puzzled as to why a bank asks me to log in with a password and also asks me for my date of birth (DOB). Then the bank (or maybe not the bank) calls with pointless conversations like this:

Telephone: Can I speak to Mr. Kendall?

Me: Speaking.

Telephone: Before we continue, can you tell me your date of birth and zip code, please?

Me: Who are you?

Telephone: I can't tell you unless you tell me your date of birth and zip code.

Me: What is it about?

Telephone: It is a confidential matter. I have to clear security before I tell you anything. I need your date of birth and zip code.

Me (in a cautious, safety-conscious frame of mind): Touch the two

The inference is that if I know someone else's date of birth and zip code, I can pass their security checks.

Your date of birth is probably the easiest piece of "confidential" information out there to find, yet so many financial companies use it as a security question. Why link so many records to a DOB?

Consider this (totally fictitious) scenario. Fred doesn't really exist, and he's lucky he doesn't.

I was driving home and saw a house around the corner with a big sign saying, “Happy Birthday Fred – 40 today.”

It seems pretty harmless at first glance, but it's enough to cause several problems for Fred. Now I know that someone named Fred lives in this house. I know the zip code. I noticed the license plate of his car. If Fred is 40 today, it doesn't take much math to determine his date of birth.

Once home, it doesn't take long to find Fred online. There are tons of free business resources out there, and I can find Fred's full name from his date of birth and zip code. I can find him on Facebook (yes, the birthday matches), so now I have pictures of him and know his family names and pet names, plenty of password fodder. From Twitter I know his movements, and I even find out that tomorrow he is leaving for a weekend family vacation. From LinkedIn I know his work and his previous studies. I know when he moved into his house, how much he paid for it, and what it's worth now. From Google Maps I know there is a pool in the back garden.

It only took me 10 minutes to figure all this out. I haven't done anything illegal so far. No phishing, no lies, no hacking, no paid searches, no going through his trash. I have enough information to write a book about Fred, and it's all publicly available thanks, in general, to financial institutions, government, and social media; but perhaps especially to Fred, who unwittingly gives away too much information.

All it took was his date of birth.

But is this Fred's fault? You surely have the right to share your birth date with friends and acquaintances. It's the banks and other financial institutions that should use some other identifier, one that people don't need, or even want, to share publicly.

