
May 01, 2010

Weak Validation

I recently bumped into a wonderfully weak validation system again that reminded me of all the trouble it causes. It's a system that tries to identify you by asking questions only you should know. The questions, however, are based only on data that can be obtained from your credit report. The result is a random set of 5 questions generated by their system in specific ways. The questions are presented as multiple choice, with 5 answers each I believe. They usually do a good job of creating incorrect answers that fit the same pattern as the correct answer, and will sometimes add in a 'None of the above' as well, as both a correct and an incorrect answer. I have noticed questions where there is obviously only one correct answer, though.

The first trouble is that even with a fairly good set of answer creation algorithms, it is not that difficult to guess correctly, especially if someone knows anything about you.

The next trouble spot is the data the questions are based on. Generally the data in your credit report is put there by someone else, and usually you look at it very infrequently or not at all. From what I've seen, the data often has errors in it. In addition, the organization name that may get inserted into the report may not match up with the trade name a consumer deals with. You might have noticed this on a credit card statement also. This is probably why the questions have been formatted as multiple choice.

Finally, the questions also deal with the order of entries on the credit report. As I've noticed, these are fairly random and unpredictable. A consumer would have a hard time answering these questions correctly without having the exact same credit report the questions are based on in front of them.

In my most recent experience I believe I answered 2 out of the 5 questions wrong, as I either didn't know the correct answer or the correct answer was not present in the list (at least from my view, not my credit report view). My application was stopped at that point. So that brings me to the next flaw. I simply hit the back button in my web browser and up pops a new set of 5 questions. This time I can correctly answer, or at least correctly guess, all of them, and my application completes successfully.
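An added example, not part of the original post or of the system it describes: the first function shows how quickly blind guessing succeeds when every reload hands out a fresh quiz, and the class sketches a server-side store that pins one question set per applicant and locks after a failure. The pass threshold, the failure limit, and the names `ChallengeStore`, `make_quiz` and `applicant_id` are assumptions.

```python
import secrets
from math import comb

def guess_pass_probability(questions, choices, min_correct, attempts=1):
    """Chance that blind guessing passes at least once in `attempts` fresh quizzes."""
    p = 1 / choices
    one = sum(comb(questions, k) * p**k * (1 - p)**(questions - k)
              for k in range(min_correct, questions + 1))
    return 1 - (1 - one) ** attempts

class ChallengeStore:
    """Quiz state kept on the server and keyed by applicant, not by page load."""
    def __init__(self, make_quiz, min_correct, max_failures=1):
        self.make_quiz = make_quiz        # hypothetical: returns [(question, answer), ...]
        self.min_correct = min_correct    # assumed pass threshold
        self.max_failures = max_failures  # assumed failure limit
        self.pending = {}                 # applicant_id -> (token, quiz)
        self.failures = {}                # applicant_id -> failed attempts

    def issue(self, applicant_id):
        if self.failures.get(applicant_id, 0) >= self.max_failures:
            return None                   # locked: hand off to another verification path
        if applicant_id not in self.pending:
            self.pending[applicant_id] = (secrets.token_hex(16), self.make_quiz())
        token, quiz = self.pending[applicant_id]
        return token, [q for q, _ in quiz]  # back/reload shows the same questions

    def submit(self, applicant_id, token, answers):
        entry = self.pending.get(applicant_id)
        if entry is None or not secrets.compare_digest(entry[0], token):
            return False                  # unknown, stale or replayed challenge
        del self.pending[applicant_id]    # each challenge is single use
        correct = sum(a == expected for a, (_, expected) in zip(answers, entry[1]))
        if len(answers) == len(entry[1]) and correct >= self.min_correct:
            return True
        self.failures[applicant_id] = self.failures.get(applicant_id, 0) + 1
        return False

if __name__ == "__main__":
    # Constructed numbers: 5 questions, 5 choices each, 4 correct needed to pass.
    for n in (1, 10, 50):
        print(n, "attempts:", round(guess_pass_probability(5, 5, 4, n), 4))
```
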

Created By: Steven Nikkel (steven_nikkel@ertyu.org)
This webpage and other materials are Copyright © 1997-2016 Steven Nikkel, All Rights Reserved