Electronic services entered our lives with technological developments, began with the phone first, continued to be provided via the internet and mobile devices, and replaced the services provided face to face in many areas in the last 20 years. After the COVID-19 pandemic, the rate of customers’ use of electronic services increased rapidly.
The most challenging aspect of electronic services is to verify customer identity. To this end, the customer’s mother’s maiden name has been used for many years as an identity verification question, especially by banks.
Although banks have left this practice, some other electronic service providers continue to use it. However, does this question still serve the purpose? Is it secure enough?
Why Has Mother’s Maiden Name Become a Security Question?
In terms of a married woman’s surname, the former Turkish Civil Code of 1926 (“FTCC”) stated that “The wife shall bear the family name of her husband.” (Article 153(1) of the FTCC). Thus, by getting married, a woman had to leave her maiden name and use only her husband’s family name.
Therefore, nobody knew the woman’s maiden name except for close family members unless the woman started using her maiden name again due to a divorce (Article 141 of the FTCC). So, electronic service providers could use a person’s mother’s maiden name as a security question.
What Has Changed?
In 1997, the legislator repealed the rule envisaging that the married woman should leave her maiden name. It amended Article 153(1) of the FTCC as follows: “The woman by getting married shall take her husband’s surname; however, she can use her maiden name together with her husband’s surname upon her written application to the marriage officer [during the marriage application] or the civil register later. ….” (Article 1 of Law No. 4248). Thus, women gained the right to use their maiden names along with their husband’s surname, depending on their choice to leave their maiden names upon getting married.
As a result, women’s maiden names, who enjoyed this right were no longer a secret, and their children bore the risk of unauthorized access to their customer accounts for electronic services.
What Is the Current State?
The new Turkish Civil Code (“TCC”) of 2001 preserved verbatim the married women’s right to use their maiden names, in line with the 1997 amendment to the FTCC. As per Article 187 of the TCC, “The woman by getting married shall take her husband’s surname; however, she can use her maiden name together with her husband’s surname upon her written application to the marriage officer [during the marriage application] or the civil register later. ….”
Moreover, in line with the European Court of Human Rights judgments, particular Constitutional Court and Supreme Court judgments allowed the married woman to have the second surname she took by getting married, revoked, and use her maiden name only.
The risks arising from using mothers’ maiden names as an identity verification question for electronic services stayed current in this context.
The sector that most effectively eliminated these risks was banking, with the effect of both being a regulated and audited sector and the regulations made by the European Union on financial services. The Regulation on the Banks’ Information Systems and Electronic Banking Services (“Regulation”) provides detailed rules on how to perform identity verification in electronic banking services and how to ensure transaction security (Article 34 of the Regulation). The Regulation also clearly states that the electronic banking services cannot use the customer’s mother’s maiden name for identity verification purposes (Article 34(10) of the Regulation)!
Likewise, there are similar approaches in the electronic commerce sector. The Communiqué on the Trust Marks in the Electronic Commerce (“Communiqué”) grants service providers, who comply with specific security standards, the right to apply for a trust mark, which distinguishes them from other service providers who do not employ these minimum standards. However, since this application is optional, the Communiqué is not as strong as the Regulation.
As for the most up-to-date approach globally, we see that certain states have practices and studies to create blockchain-based digital identities and use these identities in all electronic services. Though, one should note that these practices are controversial in terms of fundamental rights and freedoms.
What Can Be Done?
Regulations like in the banking sector are significantly beneficial. However, as these regulations only cover a specific industry, companies that are not covered provide customer security as per their systems. For instance, even today, some private pension companies continue to use the mother’s maiden name as an identity verification question!
Nevertheless, increasing customer security will reduce the chances of legal disputes between the customer and electronic service providers, the customer and third parties, or electronic service providers and third parties. Therefore, non-banking sectors should also establish similar customer and transaction security applications and quit outdated ones, and customers should as well do their homework on security in selecting electronic services providers!
Av. Müge Önal Başer, LL.M.