Saturday, April 25, 2015

Are Security Questions Really Secure?


This question has crossed my mind at times and for the most part, I'd say no.

Many of the questions are so short and direct that they can be a joke.

Security questions add another level of protection onto a system. If you try to log in too many times, you'll be prompted to answer a question. Some sites make you answer the security question first before getting to the password prompt screen.

The main problem with security questions is that they're easy to guess and sometimes even easier to look up. Let me give a few small examples:

Security Question: What high school did you attend?

Security Question: What is the name of your pet?

Now, these questions are simple, but the answers will vary from person to person. The trouble is that many of these answers are easy pickings on social media sites. One could go on Facebook and usually see pet photos or find the past schools listed in the person's About section.

Pro tip: If you wouldn't want a stranger off of the street to know what you're posting, make sure your settings are set to private and know that even then, that information can still be seen by strangers.

Some will see the problems with this. Others won't and will say, "They still don't know my password."

What if the person got that information and then used social engineering to gain access to your password? Social engineering involves people acting as though they meet certain criteria that they don't actually meet in order to gain information or access to things they shouldn't have.

Example: Someone finds all of the information that is publicly available and then calls a company, acting like they're you, and says that they forgot their password. The person on the phone can't really tell for sure if it's you, so they will use your security question as a means of verification. If the caller gathered enough information, they may have a pretty good shot at getting a question that they can answer correctly. If that happens, it's game over and your account is compromised.

A way to protect yourself from this would be to obscure your security question answers so that the answers only make sense to you. An example:

Security question: What is your favorite animal?

Answer: airplane

By making your answer make little sense, you'll have a better chance that nobody will guess your security question answers and gain access to your information.





