Stop using default Security Questions... here's why.
By
Staten Island, NY Posted: 9/9/2014 1:00:00 AM
With all the buzz lately about celebrities having their private photos hacked, everyone seems to be focusing on potential hacks into Apple's iCloud by some kind of sophisticated hacking technique or security flaw.
I have news for you, most hackers aren't that sophisticated. It doesn't take a Rocket Scientist to hack any online account. It just takes a few educated guesses to make it past just about every major online site, but here's a quick tip that can protect you....
STOP USING DEFAULT SECURITY QUESTIONS!
That's it?.... WHY?
Before I get into details, let's do some role playing. Let's assume YOU are a hacker. Now, I want you to try to hack into the fictional account of "Mr. John Q. Public". Let's say you know the login ID, such as the email address, but not the password, as a non-technical person... how would you do it?
Most of the time, a site has a link next to the login for people who forgot their password. Bingo. Let's start there. What do you think most sites ask next... dum da dum dum... "Security Questions".
Why Security Questions are a BAD IDEA
I'm not sure what brain surgeon thought that Security Questions were a good idea, but it's a perfect example of a half-baked idea gone wrong. There is NOTHING secure about Security Questions. Simply stated. Security Questions are NOT Secure!.
The big problem with Security Questions is that most of the time, they are way too easy to guess. Even when you guess wrong, you can try again a dozen or so times over the few days and eventually be GUARANTEED to guess the right one.
Examples of some common, but REALLY INSECURE Security Questions
In fact, look at the attached photo to see the entire list of security questions that T-Mobile is using right now to secure their accounts... it's scary.
1. Your mother's maiden name?
Really? Are they nuts, a quick Google or Acestry.Com search can find that in a matter of seconds. If you were a celebrity with nude photos on an online account protected by this gem, you may as well sell them to Playboy first, at least you'll make a few dollars.
The same thing applies to things like "What is the name of your favorite aunt / uncle / cousin, etc" Any security question that asks about names of people in your family is absolutely useless. Don't use them.
2. What was the make of your first car?
Hmmm... that sounds more secure... NOT. If the person you are trying to hack was born in before the 70s, there's a pretty strong chance it was a Chevrolet, Ford, Pontiac, Lincoln, Mercury, Chrysler, Dodge or Plymouth. Yes there are a few others, and even if it wasn't one of those, how many brands of cars are there? Even if you tried 5 brands a day, in 5 days, you would eventually run out of car brands. So, if you've secured anything with with this brain dead question... don't expect them to remain secure.
I've seen one even worse... "What is the make of your first motorcycle?" Really? I mean... REALLY? How long do you think that will take to hack? If I gave you 1 minute to list every brand of Motorcycle you've EVER HEARD OF, I bet you'd run out of brands before 30 seconds even passed. That's how long it would take to hack this one.
What is the name of your favorite sports team?
By now, I assume you know why this is a bad question. Even if you don't assume your target is a fan of their current or past hometown teams, how many professional sports teams are there? Tens of thousands would be pretty secure, but the fact is, there aren't that many, so it doesn't take too long to eventually pick the right one. If you were trying to hack somebody you have never met, start with The Yankees., Red Sox, Giants, Dodgers or Cowboys That'll hack 75% of them.
What's your favorite book
Better... but try not to use The Bible. That's too common.
What was your favorite place to visit as a child
A good friend of mine who needed me to update something in one of his accounts, but couldn't remember his login information. I got this specific winner of a question, so I called him for the answer. I couldn't reach him on the phone, so I typed "Disney". Bingo. Once again... to obvious.
So what can I do?
1. When setting up your accounts, pick the most difficult security questions
Skip any questions like those above that may be easily guessed.
2. If you are given the ability to write your own question... DO IT!
Any time you can create your own security questions, here's your chance to dig deep inside your mind and come up with something only you and you alone could guess.
What if all the questions suck
The simple solution is to give an answer that has nothing to do with the question. So even if it asks "What's your favorite pet's name?", you can give anything as the answer, even a number. As long as you use that answer every time it asks the question, only you will know the answer.
Here's the WORST one I've ever seen. SBLI recently sent me a message telling me they increased the security of their accounts, so I was required to enter 3 security questions. They give you 5 choices, but you have to answer 3... all 5 are horrible candidates for a security question. That's their idea of increased security? Insane.
1. What street did you grow up on? --- Potentially found through public records.
2. What is your mother's maiden name -- Also public records.
3. What is the name of your elementary school. -- Harder, but not impossible, friends and family know this, and some people include their schools in their Facebook posts.
4. What is your favorite color? - Are they kidding... how long would it take to GUESS that? Unless somebody uses an obscure name like "Tapioca White", there's pretty much about 5-10 possible guesses before you get it right. It's actually more secure to ask what's your favorite number between 1 and 10. At least there are 10 possible answers... For men, you can start with Blue, Green, Black... For women, try Pink, Red, Purple.
5. What is your pet's name? - Why? Is that a secret that only you would know? Even if you don't plaster your Facebook account with photos of Fluffy... Don't your friends, family, neighbors know this?
Joe Crescenzi, Founder
Related Media:
(Reply N/A) (Edit Topic N/A)
(Like Topic N/A) [0 ] 16385 Views
Related Posts
Online Security(6)Security(42)Technology(90)
Top 25 Posts
* Note: The ideas on "Idea of the Day" were posted without any formal research into existing inventions.
In some cases, patents may already exist for these ideas, in other cases, there may not be any existing patents and you are free to develop and explore the viability of developing and patenting the ideas.
The authors make no claim that any of the ideas are safe, practical, or suitable for any particular purpose. You are responsible for the results of trying, developing, patenting or using any of the ideas on this site.
For some people, our ideas are just an interesting read, but our goal is to encourage you to take action. If you see an idea that you like, do something with it... Take action.
- Joe