A method on an account server processor includes retrieving from an accounts database a registered security question associated with an account identifier received from a user terminal, retrieving decoy security questions from the accounts database, and generating and communicating an authentication query message containing the registered security question and the decoy security questions toward the user terminal. An authentication response message containing an answer from a user to at least the registered security question is received from the user terminal. A registered answer associated with the account identifier is retrieved from the accounts database. Electronic access by an access request message from the user terminal to information stored in the accounts database, is selectively allowed based on whether the answer to the registered security question matches the registered answer and whether another answer from the user to any of the decoy security questions is contained in the authentication response message.