Security Questions and Ankle-Pants

I’m that guy on Facebook, the party-pooper who, when faced with a fun quiz about personal trivia, rather than answer in kind reminds everyone that personal trivia has become a horrifyingly terrible cornerstone of personal security.

The whole concept is pure madness. Access to your most personal information (and bank account) is gated by questions about your life that may seem private, but are now entirely discoverable on the Internet — and by filling in those fun quizzes you’re helping the discovery process. Wanna guess how many of those Facebook quizzes are started by criminals? I’m going to err on the side to paranoia and say “lots”. Some are even tailored to specific bank sites and the like. Elementary school, pet’s name, first job. All that stuff is out there. Even if you don’t blab it to the world yourself, someone else will, and some innocuous question you answer about who your best friend is will lead the bad guy to that nugget.

There is nothing about you the Internet doesn’t already know. NOTHING. Security questions are simply an official invitation to steal all your stuff by people willing to do the legwork. Set up a security question with an honest answer, and you’re done for, buddy.

On the other hand, security questions become your friend if you treat them like the passwords they are. Whatever you type in as an answer should have nothing to do with the question. Otherwise, as my title suggests, you may as well drop ’em, bend over, and start whistlin’ dixie.

My computer offers me a random password generator and secure place to keep my passwords, FBI-annoying secure as long as I’m careful, but no such facility for security questions. I think there’s an opportunity there.

In the meantime, don’t ever answer a security question honestly. Where were you born? My!Father789Likes2GoFishin. Yeah? I’m from there, too! Never forget that some of those seemingly innocent questions out there on the Internet were carefully crafted to crack your personal egg. But if you never use personal facts to protect your identity, you can play along with those fun Facebook games, and not worry about first-tier evil.

4

4 thoughts on “Security Questions and Ankle-Pants

  1. Except by playing, you let less informed folks believe the concept must be safe, or why would the security freak have “played” the quiz? And the way “captcha” is often broken (duplicate the capthca to 1000 porn sites, wait for a human to do the reading and data entry, enter that in the “captcha” field) could also work for someone resetting security questions in bulk via a quiz in a way you might not catch onto if you’re not always providing disinfo. I’m wondering if you answer enough of these marketing/data trawling/hacking questions fictitiously but consistently if it makes it easier to assume a new identity, one that already matches one of the entries in the Great Machine of Big Data.

    Basically, if you don’t see what the person who offers something free is getting out of doing so, I wouldn’t assume that you can think through all the potential negative ramifications, and should just walk away.

    My favorite security “feature” is when they let you *choose* your security question, which they then must read to you over the phone if you call in. I usually pick something like “We think you’re a shitty customer, and want to close your account” or “You’ve won $1M!”.

    • My favorite in that vein was “My boss is an asshole and I don’t care who overhears me.”

      I didn’t go into a more insidious type of Facebook quiz that “analyzes” your Facebook data to come to some meaningless conclusion about you. Of course, to learn what sort of Greek God you are, first you have to give the quiz access to your profile data – including friends list. Most people who have been “hacked” on Facebook actually gave up their information voluntarily.

      But that’s a rant for another day.

  2. One site I only rarely use (United Airlines) has gone a step further from hard-coded insecurity questions, and of course required re-answering the questions when I went in. They made the insecurity *answers* also be a pull-down menu. So I can answer a random breed to the question of my first dog, but it has to be a dog breed, for example. The number of potential “favorite type of music” answers is a mere 21.

    BTW, if you really want to fear for your security, look up “out of wallet” questions. You choose neither the question nor the answer: they look up your info in a public database and ask you the question from that.

Leave a Reply to bug Cancel reply

Your email address will not be published. Required fields are marked *