The Paranoid Lady’s Reminders to the Insecurity of Security Questions

This is the first of a series of practical Internet security posts I’ll be doing, inspired by Jordan Shea’s “Holy Shit! (1, 2, 3)” series. Let’s face it – as we get comfortable doing just about everything online, sometimes we might be too at ease and let our guard down. And that’s when we get exploited. If you already know this, please think of it as a reminder. If you don’t, I hope it’s helpful.

The web we’re so addicted to has been trying to give us a more personalized experience by tracking our preferences and activity. In order to do this, websites will force you to identify yourself in some way, usually via an account that saves some information that persists over multiple sessions.

When you sign up for an account, you will probably encounter the “Secret Question” or “Security Question.” The so-called security question is supposed to provide a way to recover passwords in the event that you lose access to your account. It sounds sensible – except in practice the security question is just another name for a backup password.

When you think about it that way, suddenly the questions like “Mother’s Maiden Name” or “First Pet’s Name” don’t seem so secure or secret. Do you really want your account to be protected by something that’s weaker than your password?

But first – why is it even important to protect your account if you’re just the average person trying to enjoy the latest that technology has to offer? It is important to distinguish between a targeted and a bulk attack. In the targeted attack, the victim has been chosen specifically, e.g. in the case of Sarah Palin during the 2008 election. In the bulk attack, the attacker is simply trying to compromise as many accounts as possible. It’s not personal, really – it’s just that those attackers need to use as many legitimate accounts as possible to send their spam or to sell.

Now that we have motive, let’s discuss the method.

  1. Social Engineering: This is a targeted attack in which the victim is tricked into revealing information. Take, for example, surveys or personality tests online where they might ask your favorite color, books, etc. This is the same tactic used for phishing.
  2. Brute forcing or guessing via statistics: Based on publicly available data (think census, birth certificates, marriage certificates) or all those survey results, the attacker will guess the most commonly used answers. Just how many colors do cars come in anyway?
  3. Informed Guessing: This is where your Facebook or social network information comes in handy. Sometimes you can’t help it – you may have a resume online. The attacker will look for all that information and use it directly where possible, and then infer answers from the information. Some famous victims of this method include Sarah Palin’s Yahoo! mail account and Paris Hilton’s T-mobile account. In Sarah Palin’s case, the hacker was able to use Wikipedia to figure out where she went to high school, thus guessing the answer to her security question “Where did you meet your spouse?” Paris Hilton used “What is your favorite pet’s name?” No need to go as far as Wikipedia there – simply Googling would have helped.

So what can you do? The best thing is to treat each answer to these security questions like a password. This does have its problems – I have had trouble recovering an account because I forgot what I chose as the answer to a particular question. A simple thing to do is to answer the question honestly, but in the form of a phrase. For example, instead of just “Spot” as your pet’s name, use something like “Spot this security problem.” Ideally, you would never reuse the same phrase, just like you’d never reuse a password *wink*, but in practice there’s no way we can remember all the different passwords for all the different sites.

Have a system instead. There are plugins like PwdHash (which conveniently has an online version for those times you’re not at your own computer) that take in a password and a site name and generate a site-specific password for you to use. All you need to do is a little extra typing and then cut and paste. You can use PwdHash to secure the answers to your security questions as well, though again, there’s nothing to prevent an attacker from trying various combinations until they get a site-specific password exactly like yours, so I still advise using the answer phrase instead of just the answer alone. Mix it up. Even if attackers have the answer, don’t give them the ability to do anything with it.
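Here is an added illustration of the two pieces of advice above: reject a bare one-word answer in favor of a phrase, and derive a different answer for every site from that one phrase. This is not code from the post or from PwdHash; the HMAC-SHA256 construction, the output length and the small list of common answers are my own assumptions, chosen to show the idea rather than to reproduce PwdHash’s real algorithm.

```python
import base64
import hashlib
import hmac

# Constructed sample of the kind of answers that come from a handful of
# colors, pet names and family names (the "how many colors do cars come in?"
# problem). A real checker would use a much larger list.
COMMON_ANSWERS = {"spot", "max", "buddy", "blue", "red", "black", "smith", "jones"}


def is_weak_answer(answer: str, min_words: int = 3, min_chars: int = 12) -> bool:
    """True if the answer is a common single word or too short to be a phrase.

    "Spot" is weak: it is on the common list and is one word.
    "Spot this security problem" passes: it is a phrase, not a lookup.
    """
    normalized = " ".join(answer.lower().split())
    if normalized in COMMON_ANSWERS:
        return True
    return len(normalized.split()) < min_words or len(normalized) < min_chars


def site_specific_answer(master_phrase: str, site: str, length: int = 16) -> str:
    """PwdHash-style derivation: one memorable phrase + site name -> per-site answer.

    Assumption: HMAC-SHA256 keyed by the phrase over the normalized site name,
    encoded as URL-safe base64 so it is typeable. Not the real PwdHash algorithm.
    The same phrase gives a different value on every site, so an answer leaked
    from one site cannot be replayed on another.
    """
    site_key = site.strip().lower()
    mac = hmac.new(master_phrase.encode("utf-8"), site_key.encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    phrase = "Spot this security problem"
    for candidate in ("Spot", phrase):
        print(f"{candidate!r}: weak={is_weak_answer(candidate)}")
    for site in ("mail.example.com", "bank.example.org"):
        print(site, "->", site_specific_answer(phrase, site))
```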

3 replies on “The Paranoid Lady’s Reminders to the Insecurity of Security Questions”

Just to demonstrate how easy the guessing is- when I was 12 (I’m now 21) there was a huge scandal when one of the girls in school started sending really mean emails and IMs to all her friends, myself included. We all get to school and are really mad at her; she is confused because she never sent those. Turns out one of the guys in our class guessed all the security answers to her account and changed her password so he could play a joke. A twelve year old who wasn’t a close friend. So be careful what security questions you pick- a casual acquaintance or ex could probably very easily guess a lot of yours!
