[Warning: This article contains personal opinions of the author.]
I was driving down the road today, listening to a local news station on the car radio. The newscaster was interviewing a so-called security "expert" about proposed legislation supposedly designed to prevent identity theft and credit card abuse. This "expert" claimed that we needed legislation to prevent access to birth records by "unauthorized" individuals. Sound familiar? Yes, we have heard and seen this song-and-dance act before. This guy wants to lock genealogists out of the records that we have used for the past century or so.
The so-called "expert" claimed that the Internet makes it too easy for someone to find your mother's maiden name, and that, of course, is the foundation of all security systems, right?
Let me press the button for that obnoxious sounding buzzer. BZZZZZ! Wrong answer!
The problem isn't easy access to your mother's maiden name; the real problem is dumb security systems that depend upon public domain information for so-called security. Hey, if it needs to be secure, can't you guys come up with a better key phrase that your mother's maiden name? Sheesh, even I can do better than that!
The only purpose for asking your mother's maiden name is to create a "passphrase" that you can remember in case the company ever needs to identify you in the future. In reality, it doesn't need to be your mother's maiden name. They could just as easily use your great-great-grandmother's maiden name or the name of your First Grade teacher or your favorite song or your pet's name or your gym locker number. The only requirement is that it is something that you will be able to recall instantly at any future date and that it is not known to others.
Any institution that uses the mother's maiden name as a "security tool" is really behind the times and needs to quickly hire a real security expert, not some yahoo who uses fuzzy thinking. Even novice security managers would immediately change that policy.
In the United States, mothers' maiden names and other personal information are available from numerous public sources. That information has always been in the public domain. The invention of the Internet did not really change anything. A mother's maiden name could easily be discovered fifty years ago, and the same is still true today. Anyone who uses a mother's maiden name for security purposes obviously doesn't know much about security.
I have refused to do business with a couple of companies that insisted upon using my mother's maiden name as a security identifier. I don't want to do business with any company with such a lame security policy. I advise you to do the same: boycott companies that have inadequate security policies.
However, if you really need to do business with a company that insists upon using your mother's maiden name for "security" purposes, please remember that you can always create a fictitious name on the spot. The bank doesn't care what name you give them; all they want is something to enter in the blank space on their form, something that you can recall later. They couldn't care less if it is the correct name or not. By using a fictitious name, your security will not be compromised by a Web site, by a minimum-wage employee at an insurance company, or by a criminal's surreptitious visit to the state Vital Records Department.
When I last created a new account and was asked for my mother's maiden name, I answered "Fudpucker."
I guarantee two things: (1.) I can remember that, and (2.) nobody is ever going to find that piece of information online unless they happen to read this article. The name of Fudpucker fits my needs perfectly as well as the needs of the company I was dealing with at the time. Oh, to be sure, I did get a strange look from the clerk filling out the form, but who cares? She wrote it down, and the name Fudpucker remains a part of that company's records. I do feel much more secure than I would feel if I had used the correct name.
I would suggest that you do the same. You can use the same funny name that I chose or some other name you can easily remember. It makes no difference. You might use the maiden name of some ancestress from 200 years ago. Will the company care? No. Will the criminal care? Yes! You just protected your privacy far better than any dumb piece of legislation restricting access to birth records can ever accomplish.
If an elected official or other bureaucrat tries to limit access to vital records, please feel free to send them a copy of this article. Tell them it's time to wake up and look at the real issues and to stop trying to protect a maiden name policy that is ineffective to begin with. Then vote against the politician in the next election. You don't want a backwards mentality like that in public office!
If you send a damned fool to Washington, and you don't tell them he's a damned fool, they'll never find out. -- Mark Twain, 1883
A smarter politician would sponsor a bill to make it illegal for a financial institution to use a mother's maiden name or any other piece of public domain information for security purposes. But, then again, when did you ever see a smarter politician?
Question: if it's an insurance company and you use a false name, does that give them an excuse to accuse/sue you for fraud? my parents were sued by blue cross because mom and the agent overlooked checking a box about trivial information. they lost their nest egg because of it (thanks to the unethical uses of the company's attorneys allowed by the unethical judge!)
thank you for replying!
Posted by: sue ellen hirtle | February 19, 2005 at 11:50 AM
This is so true. Like so many issues, people never see the big picture.
I love the newspaper for both current reading and historical research. Just this week, I picked up my local Sunday newspaper like always, and flipped to the Announcements page. Here I find a list of people who are getting married - many times with the full names of not only the bride and groom, but the full names of the parents, including the mother's maiden name.
On the same page, there happened to be a birth announcement - there are usually two or three each month. One included the full name of the baby, the birth date, the mother's full maiden name, and the father's full name. Obviously, these people were not concerned about the privacy of their names.
In another section of the paper, there are published obituaries, along with classified death announcements. In a recent research project, I obtained an obituary from 1979 in which I learned the maiden names of the deceased persons wife, and learned that he had two daughters who were married, each with their own children.
Don't let this scare you though. Keep printing all the birth, marriage, and death announcements in the paper. I would hate to run out of genealogy research material!
Posted by: Paul K. Graham | February 20, 2005 at 01:01 AM
I'm just delighted to see an article where you use a "No Bozos" button.
Rock on, Richard!
;-) Robert
Posted by: Robert Ragan | February 20, 2005 at 10:32 PM
I agreed whole heartedly with your comments that it is "stupid" of any institution to use your mother's maiden name for security purposes. This brings up the matter of people that have been customers of a bank or other financial institution for a very long time and before the increased problem of identity thief, the mother's maiden name was used and no one thought anything about giving the correct name. There have been a lot of articles written on identity thief but no one seems to have addressed the problem of how do you find out which institution is actually using your mother's maiden name and how do you go about getting it changed?
Posted by: Marilyn Eldridge | February 21, 2005 at 01:41 PM
Agree with your comments but you didn't discuss the sensitive issue of putting family history of living individuals on an insecure web site.
Some of my info came from cousins who do not want their family info easily accessible online. I freely share my info with cousins but have to insist they not put info about living people on insecure web pages. I've heard the "stupid" comment but the point is that we don't get to make decisions for those people who don't want their info easily accessible, regardless of their reasons.
Posted by: Jim Arnold | February 21, 2005 at 02:23 PM
Even the passphrases (favorite sports team, first pet, etc.) diminish security greatly and should not be used. If you lose your password, it SHOULD be hard to reset it. A thief or hacker shouldn't be able to guess 20 common pet names and get access to your account, rather than try to guess your secure password (which ideally should be a long combination of letters, numbers, and symbols if allowed).
A better way to deal with the passphrases, if they are absolutely required, is to enter a long string of gibberish into the field, and immediately forget it. Better for you to have to jump through some hoops to get access to your account after losing your password than to make it MUCH easier for someone else to get in.
Posted by: Gordon | February 21, 2005 at 02:29 PM
Genealogical information on our Barnett Surname DNA Project webpage has been somewhat diluted because of concerns of invasion of privacy and identity theft.
Just several years ago people loved to see their name in print and wanted their family information published, complete, correct and periodically updated. Not so, today.
We have several items/pages on our DNA website where we intentionally have not given complete or full information. Instead we substitute the word "living" for people's names. We have also replaced birthdates of living people with decades. Rather than using 1927 we use 1920+ for a year with no month or date. In other instances we do not even make an effort to list that a given person or newer generation exists. We just stop a couple generations back in a lineage or pedigree and list nothing or no one current.
Each of the people participating in the project have expressed our agreement we have no problem being identified. I, as administrator of the project, have refrained from identifying participants due to the concerns of other adminstrators and suggestions that personal identities not be published. Participants are identfied on our website as Participant #000 and Kit# 000.
A second reason we do not identify participants is so we can assure future participants we do not identify our participants.
It is really unfortunate times have changed. Our current public paranoia will be a hinderance to genealogical researchers in years to come when they go to find more information on "Living" Barnett, Smith or Jones.
Posted by: Mic Barnette | February 21, 2005 at 04:11 PM
I'm fortunate to live in Pennsylvania where the Bureau of Vital Statistics requires a photo identification to access vital records yet the Department of Revenue still uses the "mother's maiden name" and "your place of birth" as pass phrases to set up accounts to pay some taxes online. Hmmmmm. Maybe I'm not so fortunate....
Posted by: H Loftus | February 23, 2005 at 02:34 AM
I agree. This is another example of trying to solve a problem without a proper diagnosis. Talk about throwing out the baby with the bathwater....
Thanks for bringing to our attention that there are other options to avoid using this warn-out method of identification. It just stands to reason that many people could be savvy to out mother's maiden name - we really don't keep this a secret from friends, etc. It is important for us to be vigilant as our government does try to protect us from ourselves, sometimes to the point of greater harm. They will quickly look at the surface concern without considering other options. Thinking out of the box has never been their strong suit.
Posted by: Debbie | February 23, 2005 at 01:32 PM
Although I appreciate your efforts at exposing the nature of a MMN request and the reasons you feel the question is being asked I think you might like to hear my explanations about the reasons people are being asked THAT specific question especially when opening a file with a doctor or a hospital or when a judicial issue is being resolved. If you would really like to know the truth about the MMN request you can reach me at cactus@videotron.ca and I will tell you what I know. When I discovered what that was all about it made a lot of sense and it helped me understand exactly what was being sorted.
Perhaps you will let me hear from you on this. If you would like to read a bit more of my work you can read my piece called Hiroshima Before and After on Libertyforum.com, here is the URL:
http://www.libertyforum.org/showflat.php?Cat=&Board=news_history&Number=292989028&page=1&view=collapsed&sb=5&o=21&part=1
best regards
Roger Desjardins
Posted by: Roger Desjardins | June 28, 2007 at 08:19 PM