Secret Questions Can Be Easy to Break

Personal knowledge questions may defeat their own actual purpose of maintaining account security.

Personal knowledge questions (a/k/a “secret questions” or “challenge questions,” among other names) are supposed to help protect your online information and accounts. The theory is that the answers to these questions stay in your head (and nobody else’s) longer than passwords.

But a recent study, “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google,” reveals that these questions may in fact be weak safeguards. Taking a deep dive into how and why people choose the answers they choose—and how well they recall their own answers—two researchers at Google examined the first large real-world data set on the security and memorability of personal knowledge questions from their use at Google.


Attacks against secret questions are a real risk for a host of reasons. First, many users share common answers. In a single guess, an attacker stands a 19.7% chance of guessing English-speaking users’ answers for the question “Favorite food?” Also with a single guess, an attacker has a 3.8% chance of guessing Spanish-speaking users’ answers for “Father’s middle name?”

Questions that are more secure have worse recall than unsafe questions: their answers are simply harder to remember. For the English-speaking population, the question “Father’s middle name?” had a success rate of 76% overall; “First phone number?”, potentially safer because it would be harder to guess correctly, had a 55% recall. And the potentially safest questions of all have abysmal recall: “Library card number?” has a 22% recall and “Frequent flyer number?” has only a 9% recall.

The harder an answer is to remember, the worse the recall will be when a website’s login flow asks the security question before showing the password prompt. So choose “father’s middle name,” not “frequent flyer number.”

Among the findings:

  • The ability to remember an answer decreases significantly over time. The success rate for “Favorite food?” was 74% after a month, but dipped to 53% after three months. A year later, it was barely 47%.
  • Questions that are supposedly more secure because of the expectation that each user has a different answer can fail because people sometimes deliberately provide untruthful answers. They give untruthful answers to secret questions either to make the answer harder to guess (37% of the 1,500 respondents) or easier to remember (15%). Ironically, it does neither.
  • Nearly all questions are potentially vulnerable to trawling attacks, where an attacker makes a few guesses of common answers for a large number of accounts in hopes of compromising a significant number of random accounts.
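As an added illustration of the trawling risk described above (example code, not from the article or the Google study), the following Python estimates what share of accounts a fixed guess budget would compromise from an answer distribution, and shows why detection has to look across accounts rather than per account. The answer list, the log lines and the log format are constructed for the example.

```python
"""Added example, not code from the article or from the Google study: it
measures how guessable a set of secret-question answers is (the metric behind
the 19.7% single-guess figure) and flags the cross-account "trawling" pattern
in constructed recovery logs."""
from collections import Counter, defaultdict

def guess_success_rate(answers, guesses):
    """Fraction of accounts compromised if an attacker tries the `guesses`
    most common answers against every account. Answers are normalised the
    way a lenient recovery form would compare them (case, whitespace)."""
    counts = Counter(a.strip().lower() for a in answers)
    hits = sum(c for _, c in counts.most_common(guesses))
    return hits / len(answers)

# Constructed sample of 20 answers to "Favorite food?" (not real user data).
SAMPLE_ANSWERS = ["pizza"] * 4 + ["Pizza", "sushi", "sushi", "tacos", "curry",
    "pasta", "ramen", "steak", "bbq", "pho", "chili", "salad", "soup",
    "bread", "cake", "rice"]

def trawling_sources(log_lines, min_accounts=5):
    """A per-account lockout never triggers during trawling, because each
    account receives only one or two guesses. Group attempts by source
    instead and report sources that probe at least `min_accounts` distinct
    accounts. The log format is a constructed one:
    '<timestamp> recovery_attempt src=<ip> acct=<id> ok=<0|1>'."""
    accounts_by_source = defaultdict(set)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        accounts_by_source[fields["src"]].add(fields["acct"])
    return sorted(src for src, accts in accounts_by_source.items()
                  if len(accts) >= min_accounts)

# Constructed log: one source makes a single guess against six accounts
# (trawling); another is a user retrying their own account (benign).
SAMPLE_LOG = [
    f"2015-06-01T10:00:{i:02d} recovery_attempt src=203.0.113.7 acct=u10{i:02d} ok=0"
    for i in range(6)
] + [
    "2015-06-01T10:05:00 recovery_attempt src=198.51.100.4 acct=u2001 ok=0",
    "2015-06-01T10:05:30 recovery_attempt src=198.51.100.4 acct=u2001 ok=1",
]

if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"{k} guess(es): {guess_success_rate(SAMPLE_ANSWERS, k):.0%} of accounts")
    print("suspected trawling sources:", trawling_sources(SAMPLE_LOG))
```

Run on the constructed data, one guess already covers a quarter of the sample accounts, and only the source that spread its guesses across many accounts is flagged; the retrying user is not.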

PSNC 2015: NQDC Plan Trends and Challenges

It’s an employee benefits topic that gets less press and touches relatively few people, but employers have a lot to gain by offering nonqualified deferred compensation plans.

Speaking at the 2015 PLANSPONSOR National Conference in Chicago, two experienced plan design experts suggested that more education for executives and key employees would lead to greater use of nonqualified deferred compensation (NQDC) plans.

According to Jeff Roberts, product consultant for executive deferred compensation at ADP, current participation among eligible executives and key employees in these plans is a bleak 43%. It is a stat Robert Kieckhefer, managing director of the Kieckhefer Group, has also seen, and one he feels can be vastly improved with a concerted educational effort from plan sponsors and their advisers.


“Participation rates have always been a major challenge for nonqualified deferred compensation plans,” Roberts noted. “One thing that can help a lot to increase the number of executives and key employees using the NQDC plan is to just offer more education about the benefit. Getting someone from your own company to talk about how the benefit has worked for [him] can be hugely impactful.”

Kieckhefer suggested that getting an internal executive to talk about his positive experience deferring money into the plan will go a long way toward convincing other executives to at least consider directing compensation into the plan. Another way to improve participation is to make the case that the NQDC plan is not just a bonus or an extra benefit available for a company’s top employees—it will be a critical part of any highly compensated employees’ effort to improve their income replacement in retirement.

“I’ve seen research that suggests executives actively using NQDC plans anticipate fully 26% of their lifetime retirement income to be generated by the plan,” Roberts said. “In that sense, non-participation means missing out on more than a quarter of potential retirement income.”

Kieckhefer noted that plan sponsors can improve their own standing within a company by offering an NQDC plan to their firm’s leadership—and by effectively communicating the ability of the plans to help executives take control of their income taxes.


“The best day to talk about them is April 15,” he said. “They just lost their breath and half of their annual income paying taxes. If they understand the benefits of deferral and carefully consider how they’ll put money into the plan and how they’ll take it out, you can eliminate much of the tax that is going to be paid.”

Roberts observed that, currently, only about four in 10 companies offering an NQDC plan to executives and key employees pay a match contribution into the plan. “I suspect that if that number were to go up, we would also see an increase in participation rates.”

One warning shared by both Roberts and Kieckhefer is that, while plan sponsors can gain a major reputational bump in their company by helping executives understand and leverage NQDCs, making a mistake in this area can be “a career-limiting experience.” This is especially true when it comes to choosing the recordkeeper for the NQDC plan—a party that has critical responsibility for the tax-efficient functioning of these plans.

“For NQDC plans, the rubber really meets the road with the recordkeeper and its ability to effectively time the movement of money and the release of distributions,” Kieckhefer explained. “There are absolutely huge tax implications that come along with mistakes in this area.”

As Roberts noted, “This is not 401(k) recordkeeping, so you must take care when selecting the recordkeeper.” (One resource in this area is the PLANSPONSOR NQDC Buyer’s Guide.)

“Administering an NQDC plan is very different, from the recordkeeping perspective, than running a qualified defined contribution plan,” he said. “If you can’t get specific information about [the provider’s] past experience doing this—setting the distributions and ensuring money is moving out of the plan in a tax-efficient way—that’s a problem.”

Other thoughts on NQDC plan trends and challenges shared by the panelists included the insight that these plans are not only for executives. Roberts pointed to a handful of clients that have set up NQDC plans as a means to improve key employee loyalty.

“I’ve worked with high-tech software companies recently, for example, where there is really strong competition for talent among the companies in the space,” he said. “You don’t have to limit this just to executives—hard to recruit groups can be included.”
