The Great Security Question Hoax

Much of our identities are locked away in the ether, kept safe in vapor pockets by banks and wireless providers behind paper-thin questions like, “What is your mother’s maiden name?” We’ve all answered them, developing password fatigue as we try to remember our favorite sports team or whether we used our grandfather’s given name or “Gampy.”

Some things are not that hard to figure out. That Sarah Palin and her husband Todd met in high school was ferreted out by one such hacker just before her Yahoo mail became public knowledge. Same with the name of Paris Hilton’s dog. Yep. Hacked.

A paper in Technology Review states that “researchers from Microsoft and Carnegie Mellon University [showed] that the secret questions…are woefully insecure.” Participants in the study were able to guess between 30 percent and 57 percent of the correct answers to security questions within their top five guesses. Among people that participants would not trust with their password, 45 percent could still answer a question about where the participant was born, and 40 percent could correctly give their pet’s name.

Despite all this insecurity, security questions are still used as an authenticator by key institutions as an extra security layer. Yet it’s an old-school (circa 1906) solution to a new-school problem in an age where Gampy’s name is one blog post away from a hacker’s cheeseburger in paradise.

Good security questions are hard to design, as they need to be definitive, applicable, memorable and safe. If the question is too hard, the answer might be easily forgotten by the very person it is meant to protect. In the study mentioned earlier, participants forgot 16 percent of their answers within three to six months. If the question is too easy, the resulting world of hurt can be indescribably huge.

As a user, you could increase your own security by giving false, random answers and calling the bank for a reset whenever you forget them. Still, that is a work-around for a system employed far too liberally by banks that know better.

Perhaps they do it to make customers feel like they are participating in their own security. Better systems, like sending new passwords by email, require hiring an extra person on the phone bank, as customers need tech support when they forget how to use these systems or lose the auto-generated emails in their spam filters.

Password questions are still king because there is no viable alternative. They reduce customer phone calls, giving companies an incentive to keep the status quo. Still, finding the balance between customer convenience and protection from identity theft is difficult. With so much at stake, responsible corporations with our identities in their hands might consider titanium locks over vapor.

Getting the most out of your consultant

Tips for getting value from consultants

Hiring one or many consultants for a large block of hours is an expensive proposition. It is important to have a plan in place to make sure that you are getting the desired value out of the resource. With a team in place, these concerns are multiplied. One of the biggest leaks we experience in onsite consulting is in the planning department.

The devil is in the details. It’s extremely important to have all of the logins to all of the resources prepared well before the consultant arrives onsite. On several occasions we’ve arrived ready to work only to find that we don’t have accounts to join the domain, access the wiki, source control, or file share, or any way to get into the issue management software. In a typical organization there are quite a few logins that a programmer would need; rarely is the domain account the only one. Note that the consultant should make you very aware of everything they are missing as soon as they get onsite and remind you if it is not provided. A good consultant knows that their time is valuable and is concerned when they are unable to produce because of some barrier. These barriers should be removed as quickly and efficiently as possible when they are raised.

A consultant should always have direction on more than one task. Tasks, by their nature, get completed, and a good developer will constantly move on to the next one. If no additional tasks are provided and there is no contact available to provide another one, then time and money will be exhausted. A good consultant will make an assumption and do something useful until direction can be given, but ultimately effort will be spent on items that are not the highest priority for the client. Even on large tasks the programmer may encounter a roadblock or a question that needs to be answered, so it’s always best to have something else lined up in that event.

Communication is one of the biggest leaks in any company, even though we all recognize that it is very important. Large conference calls or redundant meetings can stretch the total timeline and bloat the budget needed to accomplish a project. Whoever is acting as the project manager should be instructed to think of calls and meetings in terms of money instead of time: add up the hourly rates of all the resources you believe need to attend and multiply that by the time scheduled for the meeting. Thinking in these terms will ensure that only those consulting resources who add enough value are added to the invite, leaving the rest free to make progress on their tasks. Scheduling a meeting for 15 minutes instead of thirty, or thirty minutes instead of an hour, can make a big difference to the bottom line. It’s important to stick to the agenda, and if the call has more than five people it should be high-level and cover roadblocks only. It’s the project manager’s responsibility to direct attention back to the agenda items when resources dip below 30 thousand feet.

Read more in the second part of our series, regarding consultant billing and the things you need to know.
