Why Those “Secret” Questions are Not a Very Good Security Measure
You have likely been subjected to websites that use so called “out of wallet” questions to validate that you are who you say you are. Sometimes those questions are used to allow you to reset your password and other times those questions are used when you set up your account in the first place.
Examples of those questions are what street did you live on in third grade or what make of car did you own in 1992 and many, many others.
But here is the problem. Those secret questions are no longer secret for two reasons. For many of the questions, the answers are available after a few taps into Google or from some information broker. For others, the massive number of security breaches have exposed those answers and organized criminal gangs are using those databases of compromised information to create new compromises.
An example:
Equifax offers a service to companies like Northrop, the University of Louisville and many others to distribute W2s to current and former employees electronically instead of printing them and placing them in an envelope with a stamp. For large businesses, this is a large cost savings; for some employees it is easier than keeping track of paper W2s.
But hackers have figured out that Equifax only protected that information with a 4 digit PIN instead of a password AND allowed people to reset that PIN by providing the answers to a couple of not-so-secret questions.
Equifax – actually a wholly owned subsidiary called Talx – has been pretty quiet on the whole story and here is why.
Because the security at this division of Equifax was so sloppy (by allowing you to reset you password by entering the answers to a few no-so-secret questions) , they don’t really know how many W2s were stolen. They know of some because fraudulent tax refunds were issued using that data, but, they say, because this looked like a normal password reset, they can’t tell the difference between you doing it and a hacker pretending to be you doing it.
The only good news here is that the hackers had to compromise the accounts one at a time and could not do it in bulk.
But the problem of web sites thinking that secret answers are still secret today – that is spread all the way across the web.
So what can you do?
Well, unfortunately, it depends.
For web sites that allow you to pick your own answers to security questions, you can do something. Remember, they are just matching the answer to what is stored. They don’t care if the answer is right. In that case, if the question is “What is your mother’s maiden name” and the answer is “Smith” and you answer it “Giraffe”, you have made the hacker’s job much harder. BUT, MAKE SURE YOU REMEMBER WHAT YOUR ANSWERS WERE.
In this case, even two factor authentication does not help because, for the most part, the password reset process completely and totally ignores two factor.
In the case where the web site is buying answers from a company like Experian and not allowing you to make up an answer (like Experian prohibited in this case), there really isn’t much that you can do to protect yourself except not use the web site. In the case of Experian, the people who’s information was compromised didn’t even choose to use the web site at all – that was the choice of their employer. In those cases, the best that you can do is tell your employer that you think the vendor that they picked has crappy security and you don’t appreciate them putting your data at risk.
Until then, the best you can do it hope – and that is not a great strategy.
Information for this post came from Krebs on Security.