What was the name of your first pet? What is your favorite TV show? What was your mother’s maiden name?
Here’s the real question: what do you think questions like these are actually going to do to help secure your important accounts?
The unfortunate truth of the matter is that the security questions almost universally relied upon by businesses, websites, and other important accounts have some significant issues. Let’s consider what these issues are, and what alternatives should be considered instead.
Why are Security Questions So Bad?
Let’s walk through a hypothetical scenario to demonstrate just how ineffective they are today:
Let’s pretend that I was a cybercriminal, and I had decided to dip into your bank accounts a little (read: a lot). To do so, I’ll need to go to your bank or financial institution’s website. Via phishing, I could confirm that your bank or financial institution is the one I suspect it is (and if I was smart, I’d get your access credentials while I’m at it, but for the sake of the example I didn’t). Let’s assume that I come out of it with your username and confirmation of which bank you use.
The thing is, I still need your password. Lucky for me, your financial institution of choice offers a Forgot Password? option for me to take advantage of. I’ll then be presented with a few different questions that you’ve selected ahead of time. Unfortunately for you, a lot of them can be deduced if you—my victim—have failed to secure your social media accounts. While there are any of a variety of ways that I might be able to deduce these answers, let’s pick on Facebook for a little while.
A common security question is: What was your mother’s maiden name? To figure out the answer, I could try to find you on Facebook in the hope that you haven’t been diligent in keeping your profile private. Lucky me—despite not being your “Friend,” I still have full access to your profile and the information to be found there.
This just so happens to include both your friends list and the family section of your profile, where you’ve linked to your assorted family members, including your mom. I’m thrilled to find that, in order to make it simpler for old friends to find her, your mother has included her maiden name in her profile. That’s one security question answered, and hopefully, a clear example of how relatively simple these questions can be to answer. The same goes for the other common questions that these sites offer up, like What is your favorite book/movie/television show or What was the name of your first pet? and the like.
A bit of digging through your online profiles and general presence on the Internet can provide a frightening amount of information—in many cases, plenty to determine someone’s answers to their security questions. Once I give the bank the answers to the questions you’ve selected to protect your account, I’ll have access to this account and the finances it contains.
This is part of the danger that comes with keeping so much of our lives online—we’re not only entrusting our privacy to the platforms and websites we frequent, we’re also counting on ourselves not to overshare information that could help someone determine our access credentials.
These Security Questions Get Even Worse
While the study itself may be starting to show its age, a 2015 study conducted by Google found that the answers to these types of questions are terrifyingly predictable.
Take, for instance, that the study revealed that—with only one guess and the knowledge that a user speaks English—there was a 19.7% chance of correctly answering “What is your favorite food?” With ten guesses and the knowledge that the user speaks Arabic, there was a 24% chance of correctly answering “What was your first teacher’s name?” Knowledge that a user spoke Korean and ten opportunities to answer a question gives the attacker a 43% chance of answering “What is your favorite food?” correctly.
This is before we even discuss how cultural differences between the people who create these questions and those who answer them can limit which questions the user can actually answer. Maiden names aren’t a global tradition, for instance.
Furthermore, a little bit of technical skill on the attacker’s part could allow them to brute-force the recovery question. This is particularly problematic, as they lack the complexity that passwords should require and will therefore be much easier to break through.
So, Security Questions Don’t Work…What Can We Use Instead?
Fortunately, today’s businesses have much better alternatives to help them secure their businesses and accounts. Take multi-factor authentication and biometrics—they make it far easier for your accounts to be accessed securely, while making it more difficult for attackers.
We’re here to help you secure your business against all forms of cyberattacks, helping you to implement these improved cybersecurity measures and others. To learn more, give us a call at (831) 758-3636.
Also, do yourself a favor and double-check the security settings on your social media accounts.