Hiding Your Mother’s Maiden Name

An article was recently posted to the Archivists and Archives mailing list [1]: “WTF: Why Are Vermont’s Vital Records on Ancestry.com?” The article talks about how and why all Vermont vital records from 1908 to 2008 became available on Ancestry. This raises the spectre of cybercriminals stealing your identity or emptying your bank account because banks still use your mother’s maiden name as a secret to authenticate who you are.

In my years as a genealogist, I have occasionally received requests from living people who are in my published family trees to remove their names and the names of their parents or grandparents. My genealogy privacy policy details how I will address these requests as they are received.  As far as I can tell, all these requests have come from people who are concerned about the security posture of banks that use your mother’s maiden name as an authenticator.

Published genealogies are a good source of mother’s maiden names, although it is very easy for an identity thief to find them elsewhere.

Identity theft and financial fraud are a serious problem. Trying to hide your basic genealogical information is not a solution. There are things that you can, and should, do to reduce your risk of identity theft via your mother’s maiden name.

How this Problem Began

A long time ago, before the Internet was even a gleam in Al Gore’s eye, banks started to offer banking services over the telephone. Before that, you would have to walk into a bank branch to conduct business. If the bank teller did not recognize you, they could ask to see a form of identification. When you communicate with bank staff over the telephone, they have no way to authenticate your identity. You might know your account number, but someone else might have found a bank statement for your account. Somebody had the foresight to realize that it was necessary to have an authentication code, a shared secret that only you and the bank would know.

As with most authentication and protection schemes, the weakest link is the individual who has the most at stake if the secret is compromised. The banks wanted to make it as simple as possible, so instead of asking you to select something unique and difficult to guess, they decided to use your mother’s maiden name. Almost everyone has one, almost everyone knows what it is, and it is easy to remember. I don’t know what the protocol is when your mother does not have a maiden name or you don’t know it. Perhaps in those cases, the bank asks you to do the right thing and make one up. However, use of “Mother’s Maiden Name” has become a banking standard.

So your bank, the business entity in your life that should be the most security-conscious, has chosen a well-known, easy to discover, easy to guess name as the password to authenticate your identity. It was a bad idea in the 1950s when weddings were announced in the local newspapers. It is a disaster today.

Why has this not been fixed a long time ago? I can only speculate that banks are more cost averse than they are risk averse. Changing from using your mother’s maiden name to a unique pass phrase would involve large amounts of staff time, a significant amount of documentation and some inconvenience to their clients. Banks want to make the account opening process as quick and painless (to you and themselves) as possible. Someone decided that your mother’s maiden name was “good enough.” When the actual cost to the banks from fraud and identity theft exceeds their perceived cost of doing things securely, they will change their procedures.

What Should Be Happening at the Bank

When you open a bank account for the first time, you should be asked to select a pass phrase that only you know, that can’t be guessed, that contains no personal information about your family, your pets, your home or anything else that can be learned about you without ransacking your home. It is a pass phrase. If you need to write it down, write it down. Make several copies and put them into small tamper-proof envelopes. The bank should provide these as a courtesy when you open a new account. If you can remember the passphrase without writing it down, it probably is not a very good pass phrase. Also, you have no idea how good your memory will be in the future. Write it down, keep it in several safe places.

What You Should Do

You could spend the rest of your life trying to remove yourself from the genealogical record. You would have to subscribe to every online genealogy provider in the world, and you would have to search fairly frequently because new genealogies get published all the time, sometimes with data pulled from existing genealogies, sometimes with data that is researched in primary and secondary sources. You would have to set up automated searches on all the major search engines to find sites that are published independently. Every time you found yourself, or your mother’s family, you would have to try to find the person who manages that online genealogy, ask them nicely to remove yourself and your siblings and your mother and your maternal grandmother from their site or database. In most cases, your request will not get through to the person who could do this, even if they were willing to do so. Such a request would damage the research results that they and other genealogists have conducted. In most cases, the standard is that living persons are “privatized” to some degree. For example, I would be shown as <Living> Jenson in an online genealogy, until I died (and the site manager was aware of this fact). However, even if you have a legal right to privacy where you live, that right ends with your death. Your deceased ancestors do not have a right to privacy. So your mother’s maiden name would still be out there.

There is no way that you can reduce your risk of having your identity stolen by trying to change the genealogical record. There are too many genealogists and too many public records from which it can be derived. Don’t waste your time trying.

Instead, contact your bank, and change your mother’s maiden name in their records. If your bank won’t let you do this, it is time to select a new bank. Seriously. They should ask you to come to a branch office, show your identification, and then change it for you in person. I would be very surprised if you will have to jump through that much of a hoop. Change it for your minor children, elderly parents and anyone else for whom you are the custodian of the finances. Tell your spouse, siblings, partner, friends to do the same thing. If nobody used their real mother’s maiden name, the hackers would not have such an easy target. Some of them would surely go to find some other line of entertainment.

Change “your mother’s maiden name” to a strong password or passphrase. Whatever you select, it should be:

  • Unique
    Never use the same password or pass phrase that you use on other accounts. You have heard this before with online passwords.  The same is true for banks and other financial accounts. You can create a different “mother’s maiden name” for each bank that you do business with. They won’t be comparing notes. This is not something that gets reported to or referenced by the Credit Reporting Agencies. It really is just an authentication password.
  • Unguessable
    Pick something that can’t be guessed by someone who knows you, or your past very well. Pick something that can’t be guessed by reading your web pages or your social network sites. Pick something completely random and unrelated to you or your family.
  • Unusual
    Make a spelling error in your password or insert a bit of nonsense in your pass phrase. You should have to spell it out to the person at the bank.

I am not going to get into how to select a strong password that is comparable to a strong password for an online account. For example, you don’t need to pick a password that is 20 characters or longer with a mixture of upper case, lower case, numerals and special characters as your bank authentication password … unless … it will be used to authenticate to a computer system. My assumption is that we are talking about a password that will be used over the telephone or in an online chat when speaking with a human being, in order to prove that you are yourself. The standard here is that it be something that can’t be guessed by someone trying to impersonate you or authorize actions on your behalf.
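The three criteria above (unique per bank, unguessable, unusual enough that it has to be spelled out) can be met mechanically. The following is an added example, not part of the original article: it draws a pronounceable nonsense "maiden name" for each institution from the operating system's random source and rejects any candidate that contains a real family or pet name. The institution names, personal terms and letter set are constructed for illustration.

```python
import math
import secrets

# Assumption of this example: a reduced consonant set that is easy to say and spell aloud.
CONSONANTS = "bdfgklmnprstvz"
VOWELS = "aeiou"

def nonsense_word(syllables=3):
    """One pronounceable consonant-vowel word drawn from the OS CSPRNG."""
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS) for _ in range(syllables)
    ).capitalize()

def entropy_bits(words=2, syllables=3):
    """Bits of entropy in an answer: each syllable is one of 14 * 5 = 70 choices."""
    return words * syllables * math.log2(len(CONSONANTS) * len(VOWELS))

def leaks_personal_term(answer, personal_terms):
    """True if a real surname, pet name, street, etc. appears inside the answer."""
    folded = answer.lower().replace(" ", "")
    return any(term.lower() in folded for term in personal_terms if term)

def make_answers(institutions, personal_terms, words=2, syllables=3):
    """Return {institution: answer} with a different random answer for each one."""
    answers = {}
    for name in institutions:
        while True:
            candidate = " ".join(nonsense_word(syllables) for _ in range(words))
            if candidate in answers.values():
                continue  # "Unique": never reuse an answer across banks
            if leaks_personal_term(candidate, personal_terms):
                continue  # "Unguessable": nothing derived from your real life
            answers[name] = candidate
            break
    return answers

if __name__ == "__main__":
    # Constructed sample input, not real institutions or names.
    banks = ["First Example Bank", "Example Credit Union"]
    real_names = ["Kowalski", "Rover", "Elm"]
    for bank, answer in make_answers(banks, real_names).items():
        print(f"{bank}: {answer}")
    print(f"about {entropy_bits():.1f} bits per answer")
```

Roughly 37 bits is far below what an offline-crackable password needs, but it matches the article's assumption of an answer spoken to a human, where an impersonator gets only a handful of guesses.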

What Next?

Once you have taken care of this vulnerability in your banking and financial services accounts, then you can go back to doing your genealogy research!

Other Voices on This Topic

  1. The mailing list is a Google Group. You need to be logged in to Google to access via this link.
