The big IRS data breach last spring made clear that security questions aren’t secure. Yet that’s what many banks use to confirm your identity — which means your money could be at risk.
“What was your 1st pet’s name?”
In the IRS hack, criminals were able to successfully answer security questions in more than half their attempts to access tax return transcripts. The IRS initially said the transcripts of 110,000 taxpayers were stolen, but in August it revised that estimate to 330,000. The hackers answered questions that “typically only a taxpayer would know,” the IRS said, but that often included information from credit reports such as mortgage or car loan amounts.
Security experts have known for years that such questions offer little real protection, says Avivah Litan, a vice president and distinguished analyst for Gartner Research. Multiple-choice answers drawn from credit reports can be guessed or bought on the black market, while responses to questions like “What was your high school mascot?” or “What was your maternal grandmother’s first name?” can be gleaned from social media and sites like Ancestry.com.
Can you do the two-step?
A better option for confirming identity is known as “two-step authentication” or “two-factor authentication.” This requires a user to provide something she knows, such as a password, along with something she has, such as a one-time code texted to her cellphone. In some cases, users are provided with a small device to generate these codes.
Two-step authentication is now offered by a wide variety of sites, including email providers (Gmail, Outlook and Yahoo), backup services (Apple iCloud, Dropbox, Evernote) and even some gaming sites (Blizzard and Origin).
Banks have 2 left feet
Yet, many banks and financial services companies don’t offer this option. Some say they don’t want to inconvenience customers, while others say their fraud-detecting software provides enough protection.
Should you care? After all, federal rules limit your liability for unauthorized electronic transfers to $50 if you report the loss within 2 business days of discovering it.
Giving you an achy breaky heart
But you may be on the hook for $500 if you wait longer than 2 days and you could be liable for the entire loss if you don’t tell the bank within 60 days of when it sends you the statement showing the bogus transaction.
Here’s another twist: The relevant rule, called Regulation E, says the only factor that affects your liability for fraudulent electronic transactions is how promptly you report the theft. Some banks, though, tell customers they may be on the hook for any losses if they share their password credentials with outside services, such as budgeting or tax sites, says independent journalist and security expert Bob Sullivan, author of “Stop Getting Ripped Off.”
“I really doubt a bank would win if they tried to make a consumer liable because the password was stolen from a third party,” Sullivan said. “But frankly I wouldn’t want to be the test case.”
Do a twist to thwart scammers
Given the uncertainties of how well your bank is protecting you, it can make sense to put extra security layers of your own into place. That could mean one or both of the following:
- Enabling 2-step authentication or switching to financial institutions that offer it.
- Choosing hard-to-guess or nonsensical answers to security questions (such as “rutabaga” in answer to “What’s your high school mascot?”).
Protecting yourself requires extra effort, Litan noted, adding that it’s always better to prevent someone from breaking in than it is to fight to get your money back.