Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Privacy

Don't Give Away Historic Details About Yourself (krebsonsecurity.com) 158

Brian Krebs: Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as "What was your first job," or "What was your first car?" The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to "secret questions" that can be used to unlock access to a host of your online identities and accounts. I'm willing to bet that a good percentage of regular readers here would never respond -- honestly or otherwise -- to such questionnaires (except perhaps to chide others for responding). But I thought it was worth mentioning because certain social networks -- particularly Facebook -- seem positively overrun with these data-harvesting schemes. What's more, I'm constantly asking friends and family members to stop participating in these quizzes and to stop urging their contacts to do the same.

On the surface, these simple questions may be little more than an attempt at online engagement by otherwise well-meaning companies and individuals. Nevertheless, your answers to these questions may live in perpetuity online, giving identity thieves and scammers ample ammunition to start gaining backdoor access to your various online accounts.

This discussion has been archived. No new comments can be posted.

Don't Give Away Historic Details About Yourself

Comments Filter:
  • Social media (Score:5, Insightful)

    by AHuxley ( 892839 ) on Monday April 09, 2018 @05:47PM (#56408945) Journal
    Did what social media had to do to make a profit.
    The user is the product.

    Stop wanting to be that product.
    Turn off social media. Get a good VPN. Give your friends email. Use quality video chat. Join a forum, chat room on one topic.

    Social media uses that information to build a profile on you and your friends.
    What a person omits, fails to mention, lies about will be filled in by friends and family telling the truth. Data gaps are then not as privacy protecting as a state user expects.
    Stop using social media and the data-harvesting can be limited to each site and each area of interest.
    • Stop wanting to be that product.

      If you think that is driving people then you have a fundamental lack of understanding of why people do what they do.

      Turn off social media.

      If you think that is driving people then you have a fundam... yeah you get the picture.

      Give your friends email. Use quality video chat. Join a forum, chat room on one topic.

      Why not just post that people should roll back the technology clock by 20 years? Or does that sound like a much harder sell?

      • Re:Social media (Score:5, Insightful)

        by Bongo ( 13261 ) on Tuesday April 10, 2018 @03:59AM (#56410843)

        Why not just post that people should roll back the technology clock by 20 years? Or does that sound like a much harder sell?

        Perhaps, given all the risks people have to face in life, the principle of privacy just doesn't matter that much to people. We eat in restaurants (food cooked by strangers), we drive cars (roads crowded by strangers), and go to the hospital (operated on by strangers), so the idea that strangers know something about your personality, social status, and buying habits, etc. is really neither here nor there. So Facebook's mission to connect everyone... ... to an advertiser, political party, etc. is not high on people's lists of worries in life.

        The difficulty for IT people is that, it is a compromise, and so everyone has to pay lip service to the principle of protecting data, even though in practice, almost nobody cares. At least, not care in the sense of, you can get away with it so long as you don't happen to do something which can be sensationalised in a way that triggers people's emotions, which seems to be what happened here. Consequently, Facebook has to ban those companies, not because they were harvesting data (a feature, not a bug) but because they allowed the public to be spun a story about it in such a way that caused outrage. In other words, they allowed a stink to happen. THAT was their sin.

        We might think the problem was that a strict rule or policy was broken, ie. data was harvested, and so tighter controls should be used, like some technology problem, requiring a spec and a solution, but no, the actual problem is that a stink happened.

        Much of our modern society is built on trust, and that in itself has brought tremendous benefits -- this is a broad point, that you cannot live in a modern city and society if you do not approach hundreds of strangers you interact with, with a basic form of trust -- so we are not going to give up easily on that, because it has given us so much -- consequently, we will forgive and forget these abuses of trust.

        I think the particularly isolated geek mindset can forget this aspect, that humans "stupidly" trust each other... but there's a bunch of very good reasons for that pattern.

        • If I could mod this up I would.

        • Re:Social media (Score:4, Insightful)

          by coofercat ( 719737 ) on Tuesday April 10, 2018 @07:12AM (#56411353) Homepage Journal

          We also make sure the likes of doctors (who get to know an awful lot about you) are heavily regulated. Chefs aren't regulated as such, but they are bound by reputation somewhat, and in some places hygiene standards and whatnot.

          However, that a chef knows you like fish and chips isn't much by itself. Likewise, your doc knowing that your cholesterol is a bit high isn't a thing in itself. Likewise, your gym knowing you haven't visited in 18 months isn't much of a thing in itself. However, join all those things together and your life insurance premiums just went up.

          In the olden days this was done by gossip - people would pass snippets of knowledge between themselves and eventually a few people would piece together some facts about you. You'd then end up run out of town, or whatever.

          Ultimately: centralised knowledge about you is usually a bad thing for you. It might bring some benefits here and there, but mostly it's not a good thing (if not now, then in the future).

      • Comment removed based on user account deletion
    • Comment removed based on user account deletion
  • Honestly? (Score:5, Insightful)

    by pubwvj ( 1045960 ) on Monday April 09, 2018 @05:51PM (#56408963)

    Honestly, I don't even tell the bank the real answers to these dumb questions. The reason is quite simple: someone could research and find the answers. Far better to just make up a set of answers to these sorts of things. Even multiple sets for different institutions. That's what I do. They have no business knowing details and they have proven they can't keep secrets.

    • Re:Honestly? (Score:4, Insightful)

      by ColdWetDog ( 752185 ) on Monday April 09, 2018 @06:04PM (#56409025) Homepage

      This. Those 'security questions' are really just another password. I use random nonsense and put the results in my password manager. I'm a bit surprised that the various nefarious critters wandering about the bottom of the Internet would even bother at this level of trolling, but I guess you gotta make a living somehow.

      • Re:Honestly? (Score:5, Insightful)

        by alvinrod ( 889928 ) on Monday April 09, 2018 @06:49PM (#56409213)
        It's worse than another password. Most sites are at least smart enough to store a hash and some will go a little further and salt it to make extracting the real value more difficult. However, security questions are more likely to be stored in plain text (especially if you can give them over the phone to a CSR) and a lot of sites are going to allow you to reset a password with security questions.

        Under no circumstances should you ever use a correct answer for a security question and the answer you have should never be reused. Many sties have a predefined list of security questions and there's a lot of overlap between those lists. An attacker that gets one set of security questions can probably reuse them on other sites beyond the one they attacked.
      • One of my friends had one of his friends post a spoof of these questions. The "What's Gangster Nickname?" style of web sites, where you enter your first name and birth month and it spits out "Squinty McGee" or some such. So the person asked one of these on Facebook and the first question was your social security number. He quickly deleted the post because a few people actually started answering it instead of realizing it was a joke.

    • Re:Honestly? (Score:5, Informative)

      by CrimsonAvenger ( 580665 ) on Monday April 09, 2018 @06:04PM (#56409029)

      Honestly, I don't even tell the bank the real answers to these dumb questions.

      This. The comment field in PasswordSafe is a wonderful place to store the made-up answers to those questions....

    • Re: (Score:3, Informative)

      by Anonymous Coward

      My answers are stored in a password safe.

      Q: what was the name of the road you grew up on?
      A: T59hZ3HNvx98RC

      I've even had to give the "answers" once over a voice call to a CSR, and that works just fine. I got about halfway through reading the string of digits and they said "good enough" and moved on. Which was less than truly ideal, but good enough and worth a chuckle.

      • by WallyL ( 4154209 )

        My answers are stored in a password safe.

        Q: what was the name of the road you grew up on?
        A: T59hZ3HNvx98RC

        I've even had to give the "answers" once over a voice call to a CSR, and that works just fine. I got about halfway through reading the string of digits and they said "good enough" and moved on. Which was less than truly ideal, but good enough and worth a chuckle.

        When reading that, I imagined hearing Patrick Stewart/Data reading that aloud [youtube.com].

    • Mod parent up.
      Of course you lie. Just having an account with one of these things gives them the foot in the door.
      The best way to combat surveillance is counter-surveillance and actively engage in disinformation.

    • by rwyoder ( 759998 )

      Honestly, I don't even tell the bank the real answers to these dumb questions. The reason is quite simple: someone could research and find the answers. Far better to just make up a set of answers to these sorts of things. Even multiple sets for different institutions. That's what I do. They have no business knowing details and they have proven they can't keep secrets.

      You don't understand.
      You don't get to choose the questions, nor the correct answers.
      These questions/answers are composed of information that was mined from your past.
      The first time my bank hit me with a quiz like this, I had to dig through my files for some of the answers, because it was from so far in the past.

      • by crow ( 16139 )

        Yup, I got hit with that once or twice. Those are questions based on a credit report, so anyone who can run your credit knows the answers.

      • by Xenx ( 2211586 )
        You're talking about two separate things, though there might be some overlap. They're talking about the security questions that are there to "prove" you're you in case you forget your login info. You're talking about security questions that are usually asked to verify your identity to perform a transaction, apply for credit, or something else along those lines.
        • by mellon ( 7048 )

          Same thing. I've had the bank ask me questions like this too. Good reason to close the account.

      • by pubwvj ( 1045960 )

        No, you misunderstand. What you're saying isn't how the security questions work in almost all cases. There are rare places that are using systems like you say - and they're often wrong data.

    • by taustin ( 171655 ) on Monday April 09, 2018 @06:35PM (#56409157) Homepage Journal

      I know a guy who used to (and maybe still does) always answer all security questions with "never give guns to ducks."

      That was one of the least weird things about him.

      • I assume one of the more weird things about him would be whatever experience led him to be adamant about not giving guns to ducks.
        • by taustin ( 171655 )

          He works in the movie industry. There aren't enough electronic in the universe to post a list of the weirdness that is his life. Or himself. I seriously doubt the admonition is metaphorical.

        • If you get shot in the ass by your own duck, and you usually learn your lesson and go buy a gun safe.

    • by mellon ( 7048 )

      Yup. I just generate another secure password (12 digits, random, high-entropy bit source), write it on a piece of paper and file it. Granted, if someone really wants to break into one of my accounts, they might break into my house, but that's not the usual threat model for online attacks.

  • by mentil ( 1748130 ) on Monday April 09, 2018 @05:56PM (#56408979)

    What was your first banking password?
    What was your first government-issued identification number?
    What was your first online handle that you used before you learned that the things you do and post on the internet can be traced back to you?
    What was your first humiliating, deviant, or illegal thought?
    What was your first felony that you got away with?
    What was your first object you dry humped?

    • What was your first humiliating, deviant, or illegal thought?
      What was your first felony that you got away with?
      What was your first object you dry humped?

      That can be easily guessed for basically an entire generation: Stealing a porno magazine, stealing a porno magazine, the closest soft thing you can find after stealing a porno magazine.

      Poor kids today with their internet connections missing out.

    • What was your first humiliating, deviant, or illegal thought?

      I once found an Anonymous Coward sexy.

      What was your first felony that you got away with?

      I stole an Anonymous Coward's intellectual property.

      What was your first object you dry humped?

      An Anonymous Coward.

  • In one fell swoop, people give away birth hospital (city), weight, height, and name. Just add mother's maiden name (usually already there in FB) and hunt around for dog on their profile, and you've everything you need to file a social security number request before the kid is even 15 minutes old.

    And yes, it has been done (though not using facebook-originated data).

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Wedding announcements are always good sources of maiden names.

  • Brian is usually pretty good for insight but this reads like a 'no shit' kind of observation he made to his in laws over dinner.

    Even on sites that require info for registration I simply lie, always have. For info other than shipping address it's not relevant to whatever transaction we're undertaking so I see no reason to provide them with any valid info, for security questions it's easy enough to jot down actual security questions so I can remember the answer in the future (usually in keepass notes).

    I do g

    • Correction: It should be a "no shit" observation. It isn't. Not by a longshot.

      The mere fact that there are still webpages out there, and I'm talking about relatively important and security critical pages, still use this "security questions" bullshit for password recovery should be a testament to how much it is unfortunately not a "no shit" observation.

      There are very few questions "only I can answer". And those that only I can answer, only I can answer for a very good reason: I don't want to tell anyone the

  • xyzzy (Score:5, Insightful)

    by Orgasmatron ( 8103 ) on Monday April 09, 2018 @06:02PM (#56409017)

    Even better idea, in addition to not giving away your data, why not also practice good operational security habits? Pick secure answers to those retarded questions. You are storing your password in an encrypted password safe, right? Add some more fields...

    Site X thinks my first car was a "eterverinkipen43", but site Y thinks it was a "trocklencaterm39". Some people think my mother's maiden name was "metablersilippe8", but others think it is "glytenclegratio3".

    There is absolutely no reason why any two sites or entities should have the same "secret", and none of those "secrets" should be things that your whole family and your entire school class knows. If you go to the "security" page of a site and it shows your answers to these questions, they are stored in plaintext and you absolutely positively must not use that same "secret" elsewhere.

    And if a secret can be used as a password (or worse - can reset a password) it needs to be at least as strong as your password and protected as well as your password. Scratch that, it should be protected even better than your password because it will probably never be expired or changed.

    • by Subm ( 79417 )

      > Site X thinks my first car was a "eterverinkipen43", but site Y thinks it was a "trocklencaterm39". Some people think my mother's maiden name was "metablersilippe8", but others think it is "glytenclegratio3".

      Those are the combinations to my luggage!

    • I'm going to go try those passwords on your bank account right now!

    • Even better idea, in addition to not giving away your data, why not also practice good operational security habits? Pick secure answers to those retarded questions. You are storing your password in an encrypted password safe, right? Add some more fields...

      Site X thinks my first car was a "eterverinkipen43", but site Y thinks it was a "trocklencaterm39". Some people think my mother's maiden name was "metablersilippe8", but others think it is "glytenclegratio3".

      Which is great until you lose access to your password safe, and instead have to provide the answer to security questions to a service representative on the phone.

      Yes, it's a security hole. But the answer shouldn't be "destroy any recovery systems."

  • And the answer...

  • Hmmm. I wonder what info they are harvesting..

  • by Anonymous Coward

    first pet's name? scooby doo
    birthdate? 1/1/1970
    first phone number? 867-5309
    first street address? 1313 mockingbird lane
    favorite color? rainbow
    favorite number? 42

    oshit, now you can hack my account.

  • This is an actual set of questions I once got from my bank.
    None of these Q/A pairs was information I provided to them.
    Each question had 6 choices, with the last being "None of the above".
    Only 2 of these questions were based on current information.
    I redacted parts of 2 questions containing personal information.

    1. In which of the following counties have you ever lived or owned property?
    2. Which of the following street addresses in [city_I_once_lived_in] have you ever lived at or been associated with?
    3. Which

    • All that info would be on your credit reports. Almost common knowledge.
  • I'm surprised these stupid little quizzes are still a thing. I thought it was amusing for a few minutes about 15 years ago, after that I decided I have better things to waste my time doing.

  • by GrumpySteen ( 1250194 ) on Monday April 09, 2018 @06:41PM (#56409183)

    Most secret questions can be looked up or guessed if you can read through people's social media accounts. The answers to the secret questions should be lies. Mother's maiden name? Rumpelstiltskin. Place of birth? Sunnydale Hellmouth. First pet? Epileptic sea cucumber.

  • FIRSTLY NEVER FILL IN THAT SHIT, they aren't doing it just to reminisce. Secondly always make the answers to secret questions fake data but memorable to you as if you use the real information you are fucked once compromised by any one organisation that fails to secure it.
  • Something has always baffled me about security questions being used to hijack someone else's account on whatever site.

    Maybe my experience is different, but every time I've used a password reset form that required me to put in a security question answer... something else happens first. I get an email from the site, after requesting a password reset, to continue that reset I need to click a link in the email. After I do that, then it asks me a security question before continuing with the reset.

    Now, here's m

    • by vux984 ( 928602 )

      " You need control of the email account in question"

      Ideally, that's the service the secret questions are for. Since they can't rely on you to have access to your email, if you are trying to reset the password for it. Nowadays a lot of email is tied to phone so SMS is an option, but a lot of it is not.

      " So what am I missing"

      They can call support; and claim they no longer can receive email to the address on file or SMS to the phone number on file, for reasons.

      If you have an ISP mail, maybe you changed ISPs, i

  • not just online (Score:5, Interesting)

    by bugs2squash ( 1132591 ) on Monday April 09, 2018 @07:34PM (#56409431)
    I was pissed when my mother in law came home with a book for my baby son, all customized with his birthdate, full name mom and dads name... They print them in China.
    • by Megol ( 3135005 )

      LOL! Do you think it's hard to get that information? If it also had his logins on important websites there could be a problem however him having that would be a bigger one...

    • Comment removed based on user account deletion
  • Or what "star" were you and other so called games. The so called innocent answers, build profiles of you. People don't get it. NOTHING online is free...
  • Combine the name of your first pet with the name of the street you grew up on, be amused by the result, post it all over the internet (and encourage others to do the same.)

    I confess it took me a while to notice that these posts were gold for identity thieves. If this meme was invented by an identity thief, I am in awe of their brilliance.

  • Which begs the question, "Why do bank and financial sites still use questions like 'Mother's Maiden Name' when Ancestry.com probably knows that, even if YOU never filled in an online genealogy?"

    Suggestion: Answer all such questions with the same answer, one irrelevant to the question. "Mother's Maideb Name"? "Blue" First car"? Blue. first pet? "Blue".

    • Wait, that's the name of my first pet too!

      • A dog named Blue? Somebody wrote a song about that!

        • A dog named Blue? Somebody wrote a song about that!

          Careful with that. I actually had a site refuse to accept my 4-letter answer for "pet's name" because it was too short (and therefore insecure, I guess?). Too bad for any unimaginative people naming their dog "Fido", or "Spot", or ... "Blue".

  • We need to stop having bad security questions. http://www.geekswithblogs.net/... [geekswithblogs.net]
  • I'm pretty sure this is how Sarah Palin's yahoo email account got compromised.

  • Post your SSN here for a expert analysis into your true nature.
  • While the idea of obfuscation-as-security has been around a long time, given the pervasive lack of data privacy, relax a little and have some fun with it. Large-scale data mining for profit and massive security breaches pretty much leave everyone who uses the internet wide-open to exploitation, so we might as well make a game of it.

    I have four "identities" I use for various purposes, all fictitious to one extent of another. I feed them so much bullshit and chaff that pretty much any "profile" on me comes of

  • Quite frankly. We keep telling people to use 20 character passwords with numbers and special characters and preferably even characters that can't be typed with a latin keyboard... and then we let them recover that password if lost with the answer for the name of their pet dog they had as a child.

    Are you fuckin' serious?

    This is from a security standpoint even worse than them using that pooch's name as the friggin' password. Because then a potential attacker would at least not know that the key to the account

  • When answering those types of "Secret Questions" at sites you actually use and want security, don;t give the "real" answer.

    They ask "Model of first car?", you answer "R3dw!n@$"
    etc
    Mother's maiden name? 0129834765
    etc

  • Who gives actual true answers to those security questions anyway?

    In which case who cares if some equally stupid online survey does get real answers. To things that are usually trivially findable anyway - it's not like I keep what my first car was secret. My parents are divorced, my mother's maiden name isn't exactly rocket science to find out and I don't think she's so ashamed of me as to keep her mother status secret...

  • The idea of security questions is in case you forget your password. So, if you lie on the answer, you risk forgetting that too. So I make a mix of truth and falsehood. Favorite pet? True answer is, I don't have one. I "borrow" someones, that person isn't on the internet, and that person's pet died before most of you were born. Spouse questions? Not married, my GF isn't on Facebook, and since I only refer to her as "My GF", it won't be easy for anyone who doesn't know me IRL to get info on her.

  • but I've stopped playing those games (or quizzes, whatever) on FB and elsewhere not because of this, but because I 0) don't feel like being part of the thousands who think they are engaged in a relationship-building experience with strangers and 1) my family and friends aren't sending me an invite, they just clicked something, possibly bey accident.

    And now I lie on my security questions.

  • Q: "Who was your first-Grade teacher?"
    A: "Silica"

    These should be stored securely physically and logically.

    The executor should have a copy available for when you die.
  • I think the better advice is, don't answer security questions truthfully.

    Questions like "Where did you go to high school?", "What was your mother's maiden name?", "What city were you born in?", etc. aren't hard to find out with an internet search, or just to guess. Hell, depending on your age, you may even still own your first car, in which case somebody who knows your address could simply plug it into Google Street View and see it parked in your driveway.

    If a site wants you to set a security question, don

"I got everybody to pay up front...then I blew up their planet." "Now why didn't I think of that?" -- Post Bros. Comics

Working...