Security questions
Published on 2013/09/21 by Igor Levicki
Ah those security questions...
Or should I rather say "security questions"? Or insecurity questions? That really depends on whose security we are talking about. Usually it is not yours.
How many times have you had to fill in those so-called "security questions" on various websites at registration time, including your e-banking? They are usually used in case you forget your password and need it reset so you can regain access.
Examples of such questions include but are not limited to gems such as:
- What is your mother's maiden name?
- What is the name of your favorite pet?
- What is the brand of the laptop computer you use at work?
In any case, those are supposed to be something only YOU know the answer to. Let's analyze them and see what can happen if you answer them truthfully.
- A bit of social engineering or even a visit to your local municipality office can reveal this information.
- Stalking you while you walk your pet is enough to find out. Or checking your Facebook wall, Flickr feed, Instagram, YouTube uploads, etc...
- Calling your office pretending to be an IT admin of the remote branch and asking someone to look it up for assets inventory, coming there dressed as a janitor or a repair technician, asking your coworkers, etc...
If you stop to think about it, it does not take long to realize that the answers to 99% of those questions are public knowledge, and they can be used by an adversary to break into your online accounts. So, what can you do to protect yourself?
The answer is simple — lie. That is the only way to remain safe today.
Yes, when you are faced with such stupid questions, intentionally provide wrong answers, and write both the question and the answer you gave down somewhere safe (such as Password Safe), or choose answers you can remember easily.
Also, if the website offers the ability to put in your own questions, do not use that feature. If their user database gets compromised, you can be sure that the password column itself is encrypted, and the answers column should be encrypted as well, but you have no guarantee that the custom questions you typed in are encrypted too; and if your questions correlate with their answers, the answers will be easy to find. Even if your adversary in the end does not succeed in using them at that particular website, you are screwed if you use the same questions on several websites.
What I suggest is that you answer their standard security questions with answers that have absolutely no correlation to the question, so that even if your adversary somehow figures out which questions you have chosen, they cannot work out the answers. Some trivial examples of no correlation between a question and its answer:
- Q: What is the name of your favorite pet? A: Trashcan
- Q: Where did you go to school? A: Yellow
- ...
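The same idea carried a step further, as an added example that is not part of the original post: instead of picking an unrelated word by hand, draw each answer from the OS's cryptographic random number generator so it has a measurable amount of entropy and no link to the question's wording. The questions are the post's own; the `is_uncorrelated` check and the 64-bit default are my assumptions, and the tab-separated output is a constructed format, not a Password Safe import format.

```python
import math
import re
import secrets
import string

# Letters and digits only, so the answer survives sites that reject punctuation.
ALPHABET = string.ascii_letters + string.digits

# The post's standard questions; every generated answer is unrelated to all of them.
QUESTIONS = [
    "What is your mother's maiden name?",
    "What is the name of your favorite pet?",
    "What is the brand of the laptop computer you use at work?",
]

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of `length` symbols from the alphabet."""
    return length * math.log2(alphabet_size)

def length_for_bits(bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest length at which a uniform random string carries at least `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))

def random_answer(bits: float = 64) -> str:
    """A made-up answer with at least `bits` of entropy, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length_for_bits(bits)))

def is_uncorrelated(question: str, answer: str) -> bool:
    """True when no word of three or more letters from the question occurs in the answer."""
    words = {w for w in re.findall(r"[a-z]+", question.lower()) if len(w) >= 3}
    lowered = answer.lower()
    return not any(w in lowered for w in words)

def generate_answers(questions, bits: float = 64) -> dict:
    """Map each question to a fresh, independent answer; a leak of one tells nothing about the rest."""
    answers = {}
    for q in questions:
        a = random_answer(bits)
        while not is_uncorrelated(q, a):  # essentially never loops, but cheap to check
            a = random_answer(bits)
        answers[q] = a
    return answers

if __name__ == "__main__":
    # Store both the question and the answer in your password manager, per site.
    for q, a in generate_answers(QUESTIONS).items():
        print(f"{q}\t{a}\t~{entropy_bits(len(a)):.0f} bits")
```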
Thank you for reading, stay safe.