Electronic Services: Is a Customer’s Mother’s Maiden Name Still an Appropriate Security Question?

Electronic services entered our lives alongside technological developments: they began with the telephone, continued over the internet and mobile devices, and over the last 20 years have replaced face-to-face services in many areas. After the COVID-19 pandemic, the rate at which customers use electronic services increased rapidly.

The most challenging aspect of electronic services is to verify customer identity. To this end, the customer’s mother’s maiden name has been used for many years as an identity verification question, especially by banks.

Although banks have abandoned this practice, some other electronic service providers continue to use it. However, does this question still serve its purpose? Is it secure enough?

Why Has Mother’s Maiden Name Become a Security Question?

In terms of a married woman’s surname, the former Turkish Civil Code of 1926 (“FTCC”) stated that “The wife shall bear the family name of her husband.” (Article 153(1) of the FTCC). Thus, by getting married, a woman had to leave her maiden name and use only her husband’s family name.

Therefore, nobody knew a woman’s maiden name except close family members, unless she started using her maiden name again following a divorce (Article 141 of the FTCC). For this reason, electronic service providers could use a person’s mother’s maiden name as a security question.

What Has Changed?

In 1997, the legislator repealed the rule requiring a married woman to give up her maiden name. It amended Article 153(1) of the FTCC as follows: “The woman by getting married shall take her husband’s surname; however, she can use her maiden name together with her husband’s surname upon her written application to the marriage officer [during the marriage application] or the civil register later. ….” (Article 1 of Law No. 4248). Thus, women gained the right to use their maiden names along with their husband’s surname, at their own election, rather than being obliged to give up their maiden names upon marriage.

As a result, the maiden names of women who exercised this right were no longer secret, and their children bore the risk of unauthorized access to their customer accounts for electronic services.

What Is the Current State?

The new Turkish Civil Code (“TCC”) of 2001 preserved verbatim the married woman’s right to use her maiden name, in line with the 1997 amendment to the FTCC. As per Article 187 of the TCC, “The woman by getting married shall take her husband’s surname; however, she can use her maiden name together with her husband’s surname upon her written application to the marriage officer [during the marriage application] or the civil register later. ….”

Moreover, in line with the judgments of the European Court of Human Rights, particular Constitutional Court and Supreme Court judgments allowed a married woman to have the surname she took upon marriage revoked and to use her maiden name only.

In this context, the risks arising from using the mother’s maiden name as an identity verification question for electronic services remain current.

The sector that most effectively eliminated these risks was banking, owing both to its being a regulated and audited sector and to the European Union’s regulations on financial services. The Regulation on the Banks’ Information Systems and Electronic Banking Services (“Regulation”) provides detailed rules on how to perform identity verification in electronic banking services and how to ensure transaction security (Article 34 of the Regulation). The Regulation also clearly states that electronic banking services cannot use the customer’s mother’s maiden name for identity verification purposes (Article 34(10) of the Regulation)!

Likewise, there are similar approaches in the electronic commerce sector. The Communiqué on the Trust Marks in the Electronic Commerce (“Communiqué”) grants service providers who comply with specific security standards the right to apply for a trust mark, which distinguishes them from service providers who do not meet these minimum standards. However, since this application is optional, the Communiqué is not as strong as the Regulation.

As for the most up-to-date approach globally, certain states have practices and studies aimed at creating blockchain-based digital identities and using these identities across all electronic services. One should note, though, that these practices are controversial in terms of fundamental rights and freedoms.

What Could Be Done?

Regulations like those in the banking sector are significantly beneficial. However, as these regulations cover only a specific industry, companies outside their scope provide customer security according to their own systems. For instance, even today, some private pension companies continue to use the mother’s maiden name as an identity verification question!

Nevertheless, increasing customer security will reduce the chances of legal disputes between the customer and electronic service providers, between the customer and third parties, or between electronic service providers and third parties. Therefore, non-banking sectors should also establish similar customer and transaction security practices and abandon outdated ones, and customers should likewise do their homework on security when selecting electronic service providers!

Av. Müge Önal Başer, LL.M.


References

  1. This blog post is published on https://turkishlawblog.com/read/article/276/electronic-services-is-a-customer-s-mother-s-maiden-name-still-an-appropriate-security-questiong.
  2. Annulled Turkish Civil Code No. 743 published in the Official Journal dated 04 April 1926 and numbered 339.
  3. Law No. 4248 on the Amendment of the First Paragraph of Article 153 of the Turkish Civil Code, published in the Official Journal dated 22 May 1997 and numbered 22996.
  4. Turkish Civil Code No. 4721 published in the Official Journal dated 08 December 2001 and numbered 24607.
  5. Regulation on the Banks’ Information Systems and Electronic Banking Services, published in the Official Journal dated 15 March 2020 and numbered 31069.
  6. Communiqué on the Trust Marks in the Electronic Commerce, published in the Official Journal dated 06 June 2017 and numbered 30088.
  7. Relevant Constitutional Court Individual Application Judgments: 1st Division, 19 December 2013, Application No. 2013/2187; 1st Division, 06 March 2014, Application No. 2013/4439; 2nd Division, 16 April 2015, Application No. 2014/5836, https://www.lexpera.com.tr/ (last visited 17 March 2021).
  8. Relevant Supreme Court Judgments: General Assembly of Civil Law Chambers, 30 September 2015, E. 2014/889 K. 2015/2011; 2nd Civil Law Chamber, 12 February 2016, E. 2015/21685 K. 2016/2321; 2nd Civil Law Chamber, 23 February 2016, E. 2015/20964 K. 2016/3188; 2nd Civil Law Chamber, 02 March 2016, E. 2015/24244 K. 2016/3893; 2nd Civil Law Chamber, 16 November 2017, E. 2016/22056 K. 2017/12849, https://www.lexpera.com.tr/ (last visited 17 March 2021).
  9. Akıntürk, Turgut/Ateş, Derya: Türk Medenî Hukuku, V. 2, Aile Hukuku, İstanbul 2016.
  10. Açıkgöz, Osman: “Kişisel Verilerin Hukuka Aykırı Şekilde Elde Edilmesi ve İnternet Bankacılığında Kullanılması Sonucu Malvarlığı Zarara Uğratılan Bankaya Karşı Mevduat Sahibinin Hukuki Sorumluluğu,” Marmara Üniversitesi Hukuk Fakültesi Hukuk Araştırmaları Dergisi 2016, V. 22, I. 1, p. 389-432.
  11. Çelebi, Özgün: “Toplumsal Cinsiyet Eşitliği Bağlamında Kadının Soyadı ve Soyadının Çocuğa Aktarımı,” Galatasaray Üniversitesi Hukuk Fakültesi Dergisi 2019, I. 2, p. 537-614.
  12. Meral, Yurdagül: “Açık Bankacılığa Geçiş ve Avrupa Birliği Ödeme Hizmetleri Kurallarının (PSD2) Rolü,” Türkiye Bankalar Birliği Bankacılar Dergisi 2019, V. 30, I. 110, p. 25-36.
  13. Yusufoğlu Bilgin, Fülürya: “Blokzincir Teknolojisinin Bitcoin Dışında Bazı Uygulama Alanları,” Gelişen Teknolojiler ve Hukuk I: Blokzincir, İstanbul 2020, p. 73-111.