
I absolutely despise security questions.

I have a few bank accounts for my company (checking/investments/etc.) which each require different logins. That's fine.

However, the security questions for a business account are inextricably tied to an individual. Favorite animal? High school mascot? Where were you born?

These are all questions that are pretty easy to crack for an individual account, so they provide next to no added security. Furthermore, for a business account, they're just an added layer of frustration. When I took over the accounts, I had no idea how the previous president answered the questions, since they're all personal to him, not our company. Furthermore, when someone else at our company needs to access our accounts, they need to know the answer to my security questions... which are the same ones I have to use on my personal bank accounts!

In the end, it's so much of a pain to remember the answer to these questions that when I'm randomly asked to verify, I'm just as likely to call customer support and ask them to reset them. So what does this mean? I call customer support and give them

1. My name
2. My company's name
3. Our username
4. Our bank account name
5. Our tax ID number or the last 4 digits of the social-security number on the account.

...most of which would be pretty simple for a would-be attacker to obtain. And let's face it, corporate accounts at banks are much more likely to be the targets of individualized attacks, rather than random attacks over an array of accounts.

tl;dr: For business accounts, security questions actually decrease security.



>These are all questions that are pretty easy to crack for an individual account, so they provide next to no added security. //

They're just text field responses though. No one is checking that your first school was really called "w4ffl3s and |3eeR".

However, your point stands firm and proud. It's security theatre really, isn't it?


....what kind of crack are you smoking? Can I have some?

So you called customer support to reset the password. You could call them whether or not there were personal security questions. Nothing changes.

OTOH the personal security questions ensure only one person can access the account (when attempting a normal login) instead of any employee at the business. Passwords might be shared but security questions probably wouldn't be (assuming only one person is accessing the account).

The questions are not intended to be impossible to crack. They're an additional data point to verify authenticity. The assumption is that you won't keep the name of your favorite animal next to your password (wherever it is that someone got your password from), thus it's an additional attack vector someone would have to account for. Not impossible, but adds difficulty.

tl;dr: added authentication prompts add to attack complexity, and you're on crack.

[p.s. you might want to change your bank account password and challenge questions when an employee who had it leaves. could be helpful.]



