Network World Magazine is running a story about Robert Thompson from AVG, who apparently had an Interesting Conversation with a Wachovia consumer security representative recently. As he details on his blog, after he was asked the standard personal-info questions to un-suspend his credit card, Wachovia then proceeded to ask him about what *they* called "publicly available information."
The gist of his post is that while the jury's still out on exactly where they got this info, he suspects somebody is mining the social networks. Honestly, this doesn't shock me in any way. I think anybody who uses a social network without expecting that "personal" info will leak out has had their expectations incorrectly set. When an infosec person thinks their "personal" info on Facebook stands a prayer in hell of remaining personal... well, I gotta wonder...
ANYWAYS, that's not the interesting part, nor the reason for this post. What really tickles me is this: how in god's name could a company ask you, with a straight face, to authenticate yourself by answering questions about publicly available information?
Quick recap of multi-factor authentication for those who haven't gone to CISSP bootcamp yet: a factor is something you know (a password or PIN), something you have (a token, smart card, or phone), or something you are (a fingerprint or other biometric). "Multi-factor" means combining at least two of these, and the whole point is that each one is hard for anybody other than you to produce.
Wachovia engineering has clearly developed an additional factor of authentication, which I am going to call "Negative One." So we can all clearly understand each other when we use this (pejorative) phrase, its definition follows: Negative One is "something you know" that everybody else can know too, because the answers are publicly available information. A challenge built on it adds nothing that an attacker with a search engine and a social-network profile doesn't already have.
Here's to hoping that other financial institutions DO NOT start implementing Negative One factor authentication anytime soon.
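As an added illustration (my own sketch, not code from the original post or from AVG or Wachovia), the Python below puts a number on the Negative One factor: a knowledge-based challenge whose answer an attacker can scrape from a social-network profile contributes zero bits of work factor, however large its nominal answer space, while a real "something you have" factor like a token OTP keeps its full entropy. The scraped profile, the challenge list and the answer-space sizes are constructed assumptions for the example, not data from the story.

```python
import math

# Constructed sample data (assumption, not from the post): what an attacker
# might scrape about a target from social-network profiles.
SCRAPED_PROFILE = {
    "birth_city": "Charlotte",
    "mother_maiden_name": "Baker",
    "high_school": "Myers Park High School",
}

# Constructed challenge set. "space" is a rough order-of-magnitude size of the
# answer space a blind attacker would have to search; the sizes are assumptions.
# attr=None marks a challenge that cannot be answered from public data.
CHALLENGES = [
    {"name": "City of birth", "attr": "birth_city", "space": 20_000},
    {"name": "Mother's maiden name", "attr": "mother_maiden_name", "space": 100_000},
    {"name": "High school attended", "attr": "high_school", "space": 25_000},
    {"name": "6-digit OTP from a hardware token", "attr": None, "space": 1_000_000},
]

# The "publicly available information" questions on their own.
KBA_ONLY = CHALLENGES[:3]


def residual_bits(challenge, attacker_knowledge):
    """Bits of uncertainty a challenge leaves to an attacker who already
    knows `attacker_knowledge`. A question whose answer sits in the scraped
    profile is worth 0 bits; anything else is log2 of its answer space."""
    attr = challenge["attr"]
    if attr is not None and attr in attacker_knowledge:
        return 0.0
    return math.log2(challenge["space"])


def total_bits(challenges, attacker_knowledge):
    """Work factor of the whole challenge set, in bits, against this attacker.
    Answers are treated as independent, so the bits add."""
    return sum(residual_bits(c, attacker_knowledge) for c in challenges)


def guess_success_probability(bits, attempts):
    """Chance that an attacker allowed `attempts` online guesses passes a
    challenge set carrying `bits` of residual uncertainty (uniform guessing)."""
    return min(1.0, attempts / 2 ** bits)


def report(challenges, attacker_knowledge, attempts=3):
    """Per-challenge bits, total bits and success probability for one attacker."""
    rows = [(c["name"], residual_bits(c, attacker_knowledge)) for c in challenges]
    bits = total_bits(challenges, attacker_knowledge)
    return {"rows": rows, "bits": bits,
            "p_success": guess_success_probability(bits, attempts)}


if __name__ == "__main__":
    cases = (
        ("KBA only, blind attacker", KBA_ONLY, {}),
        ("KBA only, attacker with scraped profile", KBA_ONLY, SCRAPED_PROFILE),
        ("KBA + token OTP, attacker with scraped profile", CHALLENGES, SCRAPED_PROFILE),
    )
    for label, challenges, knowledge in cases:
        r = report(challenges, knowledge)
        print(f"{label}: {r['bits']:.1f} bits total, "
              f"P(success in 3 tries) = {r['p_success']:.2e}")
        for name, b in r["rows"]:
            print(f"  {name:36s} {b:5.1f} bits")
```

The blind-attacker numbers look respectable, which is exactly why this kind of question survives design reviews; the second case is the one that matters, and it comes out at 0 bits and a guaranteed pass. The model is deliberately simple (uniform guessing, independent answers, no lockout policy beyond the attempt count), so treat the figures as a lower bound on how bad public-information challenges are, not as a precise measurement.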