June 16, 2007

Mother’s Maiden Name is Bad Security

Category: Citbank,Security,Tech — Biella @ 6:23 am

So one of the (many) sucky things about having a parent with alzheimers is that someone usually has to take complete responsibility over their financial affairs. That person happens to me and the transition, I have to say, has not been all that smooth nor easy.

Manging less than 20,000 per year while a graduate student was somewhat manageable. Taking care of my mom’s finances, bills, expenses, bank accounts, insurance etc. on top of mine, and largely doing this long distance, has been a whole other (difficult) ball game.

To try to make things easier, I chose to use Citibank as I also have a joint account with my mother with them in PR. Well, life has not been made easier by this but, in fact, has been made harder.

In a nutshell, the problem is I can’t LINK nor even transfer money, between my US based Citibank and my PR based Citibank, which is somewhat ironic (and imho, really messed up) because one can transfer money from a non-Citibank bank into a Citibank account (which means, soon I will no longer have a Citibank account).

Why? Aside from the fact that PR always seems to get short changed, I had a conversation on the a very nice customer service person who let me know that there is just a lot of fraud between Puerto Rico and the United States. And one way they keep it in check is by disallowing links (and even one time transfers) between Citibanks in PR and US.

Now, I can’t speak completely to the cause of the high prevalence of fraud but I am sure that their “security” practices don’t help, for in fact, like many banks, their security is especially insecure, particularly vulnerable in Puerto Rico and all of Latin America. And the security hole has to do with a cultural practice.

In a nut shell, the main security question you are asked on the phone when you call in is your mother’s maiden name. Now in the United States (and I think Canada), your maiden name is may not be all that common of knowledge. But in Puerto Rico, it is *super-duper* common knowledge. Not only do people just know this, but it is printed everywhere, like your license.

So Citibank:, perhaps one reason driving the high level of fraud is bad bad bad bad security.

I have tried to let customer service know of this problem but outsourced Indian labor just does not get my explanation (I don’t think there are scripted computer answers for my concerns) and those who get it, don’t seem to do anything about it.

What will it take to change this?


  1. Like you were considering doing, many folks seem to create one-off website/blogs for a cause– consumerist, glasseyeye, etc. It seem to pickup steam as soon as the local press ‘finds’ it. I’m sure if you ask any FLOSS person about the security of credit cards vs computers, they can easily say that computer security is an order of magnitude better than credit card security. pre-texting, using easily know facts — name, ss#, maiden name, addess with no check done for purchases (in most cases), no signature checks (not that it would matter), online transaction that have little checks(in most cases), etc. And how the credit cards cos and credit check cos don’t seem to make it easy to get any bad data fixed and it takes your time and money to do it. I’m sure any phil zimmerman or bruce schnierder could figure out some thing better in about the time it takes to crack CSS or HDdvd drm ;-)

    Comment by Kevin Mark — June 16, 2007 @ 7:29 pm

  2. Whenever I am asked for “Mother’s Maiden Name” as a security question I choose to interpret the question entirely differently, but in a way that is known and understood to me personally.

    So the answer I put down is not even *close* to what my mother’s maiden name is, but when I they ask me for my “Mother’s Maiden Name” on the phone I can provide the answer that they expect.

    Even outside of PR the information is easily discoverable, if not actually common knowledge, so morphing that question into something different is a useful technique for everyone, not just people with Puerto-Rican connections.


    Comment by Andrew McMillan — June 18, 2007 @ 8:05 am

  3. [...] many mother’s maiden names, favourite teachers and friend’s phone numbers do I have? I’m sure I’m at well up [...]

    Pingback by Andrew McMillan: Storing Secrets « Newslifesite's Blog — September 3, 2009 @ 8:01 am

RSS feed for comments on this post. | TrackBack URI

Leave a comment

XHTML ( You can use these tags):
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> .