Security questions: when the wrong answer is actually the right one
You know those funny questions on social media, like “If your superhero name was your mother’s maiden name + your father’s middle name + your first pet’s name, then what would it be?” Or what about those quizzes that guess which city you should live in based on a few personal questions? These seem harmless, right? You take the quizzes or share your answers to the questions in the comments and then you forget about it. But what happens after? Who sees your information?
The simple answer? Bad actors who would like nothing more than to use your “superhero name” to bypass your security questions. Which security questions? The ones that are part of your process of logging into your bank account, email account, or other secure personal and business systems. Security questions are a weak form of multi-factor authentication (MFA) offered by several companies on the Internet. Fortunately, businesses know that it’s best to use MFA when asking customers / members to log into their systems, as it’s harder for bad actors to compromise your account. Unfortunately, too many companies have taken the path of least resistance when it comes to creating options for security questions. This leads to a level of predictability in the default questions made available to you. See if any of the following questions mean anything to you:
- What is your favorite food?
- What is your father’s middle name?
- Who was your best childhood friend?
- What was the name of the street you grew up on?
- What is your mother’s maiden name?
They should ring a bell, as these are the typical options that you find when setting up your security questions. If the answers to these questions are the last thing between your bank account and a bad actor, then your account might not be as secure as you think. How many of these “harmless” social media quizzes and questions have you taken? How many answers to your security questions are already available around the world for bad actors?
The most obvious solution would be not to choose the easiest or most common security questions to answer. However, human nature likes to find a way for us to take the path of least resistance in most activities. This manifests itself not only in the selection of security questions, but also in the creation of passwords. How many of us know someone who likes to use their pet’s or child’s name or, worse yet, just uses the word “password” for their passwords? So if you have a choice between “What is the name of your pet?” and “What was the color code of the paint on the walls of the first bedroom you slept in?”, which one will you choose? Yes, you will choose to put the name of your furry friend as the answer and be done with it.
So instead of making the answer harder for you, make the answer harder for the wrong actor to figure out. Make your answer wrong. And not just wrong: make it an answer that has no relation to the question at all. For example, if the security question is “What was the name of your childhood best friend?”, your answer might be “Winston Churchill”. For “What’s your favorite ice cream flavor?”, your answer might be “cough medicine”. Chances are, no one reading this was actually a childhood friend of the former UK Prime Minister, and I really hope that nobody’s favorite ice cream flavor is cough medicine. These false and absurd answers will better protect your accounts from bad actors trying to access them. Plus, you can take any social media quiz and answer any questions you want, knowing that none of the personal information you provide will correctly answer any of your security questions.
Now, clearly you will need a really good way to track all of these incorrect answers. I recommend a good password manager to help keep track of it all. A good password manager will not only keep track of your incorrect answers to your security questions, but it will also help you create and keep track of all your long, random-character passwords that make no sense either. Some will even store your answers and passwords with their corresponding websites, and even automatically log in for you so you don’t have to type in your long and complex passwords.
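The two halves of this advice can be shown in code: on the user side, an answer generated from random words has nothing to do with any question and is the kind of thing a password manager would produce and remember for you; on the site side, a security answer should be stored the way a password is (normalized, salted and hashed), so that a leak of the site's database does not hand the answers to a bad actor. The following is an added example, not code from the original article; the word list, the site-side parameters and the "leaked quiz answers" list are all constructed for the demo.

```python
"""Wrong-on-purpose security answers: generate, store and verify them.

Added example (not from the article). WORDLIST and LEAKED_QUIZ_ANSWERS are
constructed; a real password manager ships a far larger word list.
"""
import hashlib
import hmac
import math
import secrets

# Constructed word list (assumption: a password manager would use thousands of words).
WORDLIST = [
    "granite", "trombone", "lantern", "velvet", "compass", "thimble",
    "walnut", "saffron", "mosaic", "harbor", "quartz", "meadow",
    "falcon", "pewter", "orchid", "tundra", "copper", "ember",
    "juniper", "marble", "nimbus", "otter", "plinth", "ravine",
    "sable", "tallow", "umber", "vellum", "willow", "zephyr",
]

PBKDF2_ITERATIONS = 200_000  # assumed site-side work factor


def generate_wrong_answer(n_words: int = 3, sep: str = "-") -> str:
    """User side: an answer with no relation to any question.

    Words are drawn with the CSPRNG-backed `secrets` module, never `random`.
    """
    return sep.join(secrets.choice(WORDLIST) for _ in range(n_words))


def answer_entropy_bits(n_words: int = 3) -> float:
    """Guessing difficulty of a generated answer: n * log2(word list size)."""
    return n_words * math.log2(len(WORDLIST))


def normalize(answer: str) -> str:
    """Sites usually compare answers case- and whitespace-insensitively."""
    return " ".join(answer.strip().lower().split())


def store_answer(answer: str) -> dict:
    """Site side: keep only a salted PBKDF2-HMAC-SHA256 hash, as for a password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_answer(record: dict, candidate: str) -> bool:
    """Site side: recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize(candidate).encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed: answers someone might already have posted in a "superhero name" thread.
LEAKED_QUIZ_ANSWERS = ["Fluffy", "Smith", "James", "Maple Street", "Pizza"]


def guessable_from_leak(record: dict, leaked=LEAKED_QUIZ_ANSWERS) -> bool:
    """Risk check: would any already-public quiz answer unlock this record?"""
    return any(verify_answer(record, guess) for guess in leaked)


if __name__ == "__main__":
    # A truthful answer that also appears in the quiz thread is guessable...
    truthful = store_answer("Fluffy")
    print("truthful answer guessable from leak:", guessable_from_leak(truthful))
    # ...while a generated nonsense answer is not.
    nonsense = generate_wrong_answer()
    record = store_answer(nonsense)
    print(f"generated answer {nonsense!r} ({answer_entropy_bits():.1f} bits)")
    print("generated answer guessable from leak:", guessable_from_leak(record))
```

The `normalize` step matters in both directions: it keeps a legitimate user from being locked out by capitalization, and it means that a "wrong" answer only gains strength from its content, not from odd spacing that the site strips anyway.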
If you don’t want to answer the security questions incorrectly and the website or system allows it, you can always try to create your own security questions. If you do, make sure the questions are easy for you to answer, but so specific that they cannot be guessed. Well-designed security questions should be so intimate that no one other than you knows the answer. So, as an example, create a question like “Where do you hide things at home from your partner?” or “Who is the person you dream of that you are too embarrassed to share?” These types of questions are very hard to guess and are not the kind of things social media quizzes would invite you to share. It should be noted, however, that the answers to your security questions, even if they are false, could potentially be guessed.
In the world of information security, there are three forms of authentication factors: something that you are, something you know and something you have. Something that you are would be a characteristic specific to your biometric makeup such as your face, fingerprints or voice. Something you know would be information such as your password or social security number. Something that you have would be an object in your possession such as a token or identification. As the name suggests, you would need two forms of authentication for it to qualify as multi-factor authentication.
Although MFA requires you to have two factors, it does not require you to have two different types of factors. For example, a password is always part of the login process and falls under the category of something you know. However, when you use security questions, they also fall under the same category as passwords … something you know. And as we’ve touched on before, these security questions tend to be predictable and easy to find. Companies use the same list of ten questions, and your answers can be exposed during phishing attempts or even through those questions and quizzes on social media. Therefore, if you want to take your account login security to the next level, and it is an available option, you may want to consider 2FA instead of MFA.
Before, we talked about the different authentication factors and how MFA requires at least two of them, but they could be two of the same type. 2FA works the same way but requires you to use two different types of factors. When logging in, you will be asked for your password, something you know, and the digital code generated by a software token such as Google Authenticator, something you have. And since you alone will have the something you have, this type of authentication provides an additional layer of security by preventing a malicious actor from getting any further than your password.
So, the next time you see those questions on social media prompting you to discover your superhero name or those quizzes tempting you to find out what hair color you should have, you can participate freely without worrying about giving away the answers to your security questions. And, if you have the choice between MFA and 2FA, choose 2FA because it is the most robust and secure option. However, if MFA with security questions is your only option, make the most of it. Answering these questions incorrectly may be the first time that a wrong answer is actually the right one.
Mike Bechtel is an Information Security Analyst for the $5.2 billion Vizo Financial Corporate Credit Union in Greensboro, NC.