Would you use your date of birth as a password? Get real. So why do insurance companies do it?
Is your birthday on Facebook? So why do you have to use date of birth to confirm your identity with retailers?
Many organisations use date of birth to help verify the identity of account holders on the telephone. Typically callers are asked for name, date of birth, first line of address and postcode. But that information is easy to get hold of and may even be in the public domain: social media websites are littered with references to birthdays, birthday wishes, birthday photos and birthday parties. There is also a whole network of people who know your birthday: friends, family and colleagues at work. And date of birth is on every form you ever fill in.
In addition, date of birth is not a unique identifier, and neither is name. There are examples of people with the same name and date of birth in the same town, with the expected result that their optician records etc. get muddled. I recall a colleague who used to receive the bank statements for a doppelganger regularly, despite complaints, and we have to assume that the doppelganger received his bank statements in turn. In a Capgemini paper the writer uses the Birthday Paradox (the amazingly low number of people you have to put in a room together for a better-than-even chance that two share a birthday: 23) to work out that you only need 579 people to get a 99% certainty that two will share name and birth date. The exact figure depends on how common the paper assumes names to be, but the point stands: a combined name and date of birth key collides far sooner than intuition suggests.
Little wonder, then, that banks have been required to introduce two-factor authentication. Consider for a moment whether your organisation uses date of birth as an identifier. Call centres traditionally rely on it, because consumers have trouble remembering passwords, or the length of time they have been a customer/tenant/person insured with us, or approximately how much they pay in premiums or rent. Another concern is that family members will often present themselves on behalf of elderly, deaf or non-English speaking relatives to help smooth transactions along, and family members are very likely to know the dates of birth of other family members. It is at least worth raising the question with the call centre manager and considering whether alternative methods of confirming identity can be used, and how elderly, deaf and non-English speaking customers can be helped without requiring a full Power of Attorney to nominate a representative. Why not simply include a box for nominating a representative on the application form, just below date of birth?
Another aspect of the birthday paradox is that big data projects which match records on name and date of birth are likely to merge different people and so give incorrect results. Is that recognised in the boardroom when such projects are suggested, recommended and applauded as giving huge insights into the behaviour or profile of the people in our database?
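The arithmetic behind the two paragraphs above (the 23-person birthday figure, and why matching on name plus date of birth produces wrong merges) is short enough to check. The following is an added example, not code from the article or from the Capgemini paper it cites. It assumes an identifier is drawn uniformly from a key space of N distinct values; real names and birthdays are not uniform, so real collision risk is higher than these figures. The "1,000 equally likely names" used at the bottom is a constructed assumption for illustration and is not the paper's model, so the 579 figure is not reproduced here.

```python
"""Birthday-paradox arithmetic for identifier collisions (added example)."""


def collision_probability(people: int, key_space: int) -> float:
    """Exact probability that at least two of `people` share one key.

    P(all distinct) = prod_{i=0}^{n-1} (N - i) / N, so P(collision) = 1 - that.
    """
    if people <= 1:
        return 0.0
    if people > key_space:
        return 1.0  # pigeonhole principle: a collision is certain
    p_distinct = 1.0
    for i in range(people):
        p_distinct *= (key_space - i) / key_space
    return 1.0 - p_distinct


def people_needed(key_space: int, target: float) -> int:
    """Smallest group size whose collision probability reaches `target`.

    Builds the product incrementally so a large key space stays cheap.
    """
    p_distinct = 1.0
    n = 0
    while 1.0 - p_distinct < target:
        if n >= key_space:
            return key_space + 1  # only certain once the space is exhausted
        p_distinct *= (key_space - n) / key_space
        n += 1
    return n


def expected_colliding_pairs(people: int, key_space: int) -> float:
    """Expected number of record pairs sharing a key: C(n, 2) / N.

    This is the figure a data-matching project should look at: it counts
    the merges that are wrong before any matching error is introduced.
    """
    return people * (people - 1) / (2 * key_space)


if __name__ == "__main__":
    DAYS = 365  # birthday only; ignores leap days and seasonal birth rates
    print(f"23 people, birthday only: {collision_probability(23, DAYS):.1%}")
    print(f"50% needs {people_needed(DAYS, 0.5)} people, "
          f"99% needs {people_needed(DAYS, 0.99)} people")

    # Constructed assumption for illustration: 1,000 equally likely names
    # combined with 365 birthdays gives 365,000 distinct name+DOB keys.
    NAMES = 1_000
    keys = NAMES * DAYS
    for target in (0.5, 0.99):
        print(f"name+DOB ({keys:,} keys), {target:.0%}: "
              f"{people_needed(keys, target)} people")
    print("expected wrong merges in a 100,000-record table: "
          f"{expected_colliding_pairs(100_000, keys):,.0f}")
```

Run it as a script to see the figures; the useful habit is to plug in your own record count and an honest estimate of the key space before signing off a matching project that relies on name and date of birth alone.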
Taking a risk-based approach means we need to move away from reliance on date of birth as an identifier. Let's do that.
Mandy P Webster, Data Protection Consultant