There's a growing trend in web e-commerce sites to "improve" site security by adding a "secret question" to the identifying information for the user. It's well-intentioned, usually. But it's almost invariably poorly implemented.
You want me to be able to prove my identity by answering a "secret" question to which only I would know the answer? OK, fine. Then let me pick the question.
But this isn't what most sites do. They typically let you pick one question from a list of three to five. Sometimes, they pre-pick the question; you don't get a choice at all. ING Direct goes slightly better than the usual run of this; they provide a list of eight possible questions, from which you must pick and answer five. When called for, they will use one randomly-selected question from the five you chose.
The problem is that, invariably, most — if not all — of the questions offered for your selection are questions to which the truthful answer is a matter of public record. Your city of birth, for example, or that old standby beloved of banks and credit-card companies, your mother's maiden name. What's worse, in many cases, if you forget your password, you can gain access to your account by answering the secret question instead. So anyone who wishes to gain access to your account need only research the answers to those four or five most common "secret" questions — a much easier task than cracking or otherwise compromising your password, since the vast majority of users will answer those questions with the correct answer. The slightly more sophisticated user recognizes that to answer these non-secret "secret" questions with a truthful answer which can be readily found in public records is a security weakness, not a security measure, and so will provide false answers to the questions; but then there's the problem of remembering which false answer you supplied to which question on which site. And that means that either you develop a system of some kind (which could be as simple as, say, answering every "secret" question with "Madagascar"), or you write your answers down somewhere accessible. It's not hard to come up with a system. But the honest fact is, most security-unaware average users aren't going to even realize they need to do it.
The upshot of it is, the "secret question" tactic, as commonly implemented by 90% of web sites, does not improve security; it weakens it, sometimes drastically.
As noted above, there's an astoundingly simple measure for making the "secret question" gambit an actual, real security improvement: Let the user pick the question, as well as the answer, and disallow questions to which the answer is likely to be trivially available from public records.
So why don't more sites use it?
