2018-04-09 Don't Give Away Historic Details About Yourself (krebsonsecurity.com)
Brian Krebs: Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as "What was your first job," or "What was your first car?" The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to "secret questions" that can be used to unlock access to a host of your online identities and accounts. I'm willing to bet that a good percentage of regular readers here would never respond -- honestly or otherwise -- to such questionnaires (except perhaps to chide others for responding). But I thought it was worth mentioning because certain social networks -- particularly Facebook -- seem positively overrun with these data-harvesting schemes. What's more, I'm constantly asking friends and family members to stop participating in these quizzes and to stop urging their contacts to do the same.
On the surface, these simple questions may be little more than an attempt at online engagement by otherwise well-meaning companies and individuals. Nevertheless, your answers to these questions may live in perpetuity online, giving identity thieves and scammers ample ammunition to start gaining backdoor access to your various online accounts.
The user is the product.
Stop wanting to be that product.
Turn off social media. Get a good VPN. Give your friends email. Use quality video chat. Join a forum, chat room on one topic.
Social media uses that information to build a profile on you and your friends.
What a person omits, fails to mention, lies about will be filled in by friends and family telling the truth. Data gaps are then not as privacy protecting as a state user expects.
Stop using social media and the data-harvesting can be limited to each site and each area of interest.
Favorite color?
ch2zi656pf0u66ob089y0xu84
Mother's maiden name?
7zrhotbw9rx5ul6v029647371
What city were you born in?
su86wzr65u39h1z45f352q19u
Yes, you probably shouldn't answer those questionnaires, but you shouldn't be answering "security questions" either!!! Good opsec has always been to use a randomly generated response and treat it as a secondary password (i.e., store it in your password safe).
Favorite color? #550077
This is Slashdot after all.
But I'm color blind!
A user puts in a random month when creating an account.
Social media friends and family then send the messages that show the actual month.
That's why your friends should not have your correct information either.
There are people who have known me for 20 years who still don't know my real name. Then again, I don't know theirs either. It's fine. A name is just a label used to address a person, and if you provide an alternative it's just as good.
> Stop wanting to be that product.
If you think that is driving people then you have a fundamental lack of understanding of why people do what they do.
> Turn off social media.
If you think that is driving people then you have a fundam... yeah you get the picture.
> Give your friends email. Use quality video chat. Join a forum, chat room on one topic.
Why not just post that people should roll back the technology clock by 20 years? Or does that sound like a much harder sell?
> Why not just post that people should roll back the technology clock by 20 years? Or does that sound like a much harder sell?
Perhaps, given all the risks people have to face in life, the principle of privacy just doesn't matter that much to people. We eat in restaurants (food cooked by strangers), we drive cars (roads crowded by strangers), and go to the hospital (operated on by strangers), so the idea that strangers know something about your personality, social status, and buying habits, etc. is really neither here nor there. So Facebook's mission to connect everyone...
... to an advertiser, political party, etc. is not high on
If I could mod this up I would.
I haven't run across this yet. What sites are doing it?
I fill in the security questions with random garbage.
Hard to remember if you need to come up with them again. And it's not solved by ensuring you never forget your ID or password because I have known sites that have lost mine but irritatingly insist that it is you who have forgotten them.
So I have at least four entirely false personas complete with birthdays, pets, city, fave colour etc. (I add to them as needed) that I use in these situations. So even if I must give my real name, e.g. for a bank account, I can still give various false "First car" or "Favourite c
I use random-ish information (humans aren't random number generators but are good at producing noisy output) and then write it down if it has to be remembered.
But sites that require (in)security questions are just filled with crap that is then quickly forgotten. Because if I forget the password the site obviously isn't important, really important logins are written down on paper as a backup.
Make stuff up for the questions, then write down your answers somewhere securely (preferably encrypted or on a removable thumb drive). Then look it up later when needed.
Even in the old days when only your bank would ask this and only in person when you were in front of a teller, it wasn't secure. Half the town probably knew your mother's maiden name. It wasn't even remotely a secret or difficult to find out.
And for some of the questions it's going to be vague, so you have to write it down or you'll get it
Your mother's maiden name was Cowboy Neal? Interesting family...
Honestly? (Score:5, Insightful)
Honestly, I don't even tell the bank the real answers to these dumb questions. The reason is quite simple: someone could research and find the answers. Far better to just make up a set of answers to these sorts of things. Even multiple sets for different institutions. That's what I do. They have no business knowing details and they have proven they can't keep secrets.
Re:Honestly? (Score:4, Insightful)
This. Those 'security questions' are really just another password. I use random nonsense and put the results in my password manager. I'm a bit surprised that the various nefarious critters wandering about the bottom of the Internet would even bother at this level of trolling, but I guess you gotta make a living somehow.
Re: (Score:3, Insightful)
Under no circumstances should you ever use a correct answer for a security question and the answer you have sho
Re: (Score:2)
I have maybe 4 or 5 sites where I really care what happens. The majority of passwords I store however are for pointless sites that insist you must first register with an account before you can go further (getting support documents from vendors, adding my 2 cents to a blog post, etc.). I don't really mind so much if every single one of those pointless accounts was hacked or not, there's no useful information there and if someone pretends to be my alias on some random WordPress forum, who cares?
The thing is, fo
Re: (Score:2)
One of my friends had one of his friends post a spoof of these questions. The "What's Gangster Nickname?" style of web sites, where you enter your first name and birth month and it spits out "Squinty McGee" or some such. So the person asked one of these on Facebook and the first question was your social security number. He quickly deleted the post because a few people actually started answering it instead of realizing it was a joke.
Re:Honestly? (Score:5, Informative)
This. The comment field in PasswordSafe is a wonderful place to store the made-up answers to those questions....
Same here, it would be pretty easy for anyone to guess at the city I met my spouse in, or the city I'll retire in; they are the same city I live in now and was born in. I come up with some good fake answers that I can remember, then I use them everywhere.
I'm going to retire in fuckyoubigdata.
My dream job malepornstar.
Re: (Score:3, Informative)
My answers are stored in a password safe.
Q: what was the name of the road you grew up on?
A: T59hZ3HNvx98RC
I've even had to give the "answers" once over a voice call to a CSR, and that works just fine. I got about halfway through reading the string of digits and they said "good enough" and moved on. Which was less than truly ideal, but good enough and worth a chuckle.
Re: (Score:3)
Mod parent up.
Of course you lie. Just having an account with one of these things gives them the foot in the door.
The best way to combat surveillance is counter-surveillance and actively engage in disinformation.
> Honestly, I don't even tell the bank the real answers to these dumb questions. The reason is quite simple: someone could research and find the answers. Far better to just make up a set of answers to these sorts of things. Even multiple sets for different institutions. That's what I do. They have no business knowing details and they have proven they can't keep secrets.
You don't understand.
You don't get to choose the questions, nor the correct answers.
These questions/answers are composed of information that was mined from your past.
The first time my bank hit me with a quiz like this, I had to dig through my files for some of the answers, because it was from so far in the past.
Yup, I got hit with that once or twice. Those are questions based on a credit report, so anyone who can run your credit knows the answers.
I got a background check done on me at one company, and I got the results. It lists addresses for me where I never lived. As in, my friend's house was listed although I never lived there or got mail sent there. And a place I never heard of, probably just someone else with the same name lived there once. I think they just did a quick Google search to pad it out past the "no criminal convictions" part.
Re: (Score:3)
Same thing. I've had the bank ask me questions like this too. Good reason to close the account.
I know a guy who used to (and maybe still does) always answer all security questions with "never give guns to ducks."
That was one of the least weird things about him.
Re: Honestly? (Score:3)
He works in the movie industry. There aren't enough electrons in the universe to post a list of the weirdness that is his life. Or himself. I seriously doubt the admonition is metaphorical.
If you get shot in the ass by your own duck, you usually learn your lesson and go buy a gun safe.
Yup. I just generate another secure password (12 digits, random, high-entropy bit source), write it on a piece of paper and file it. Granted, if someone really wants to break into one of my accounts, they might break into my house, but that's not the usual threat model for online attacks.
Alternative Questionnaires (Score:3)
What was your first banking password?
What was your first government-issued identification number?
What was your first online handle that you used before you learned that the things you do and post on the internet can be traced back to you?
What was your first humiliating, deviant, or illegal thought?
What was your first felony that you got away with?
What was your first object you dry humped?
> What was your first humiliating, deviant, or illegal thought?
> What was your first felony that you got away with?
> What was your first object you dry humped?
That can be easily guessed for basically an entire generation: Stealing a porno magazine, stealing a porno magazine, the closest soft thing you can find after stealing a porno magazine.
Poor kids today with their internet connections missing out.
> What was your first humiliating, deviant, or illegal thought?
I once found an Anonymous Coward sexy.
> What was your first felony that you got away with?
I stole an Anonymous Coward's intellectual property.
> What was your first object you dry humped?
An Anonymous Coward.
Birth announcements are the worst... (Score:5, Interesting)
In one fell swoop, people give away birth hospital (city), weight, height, and name. Just add mother's maiden name (usually already there in FB) and hunt around for the dog on their profile, and you've got everything you need to file a social security number request before the kid is even 15 minutes old.
And yes, it has been done (though not using facebook-originated data).
Wedding announcements are always good sources of maiden names.
Seriously ? (Score:2)
Brian is usually pretty good for insight but this reads like a 'no shit' kind of observation he made to his in laws over dinner.
Even on sites that require info for registration I simply lie, always have. For info other than shipping address it's not relevant to whatever transaction we're undertaking so I see no reason to provide them with any valid info, for security questions it's easy enough to jot down actual security questions so I can remember the answer in the future (usually in keepass notes).
I do g
Re: (Score:3)
Correction: It should be a "no shit" observation. It isn't. Not by a longshot.
The mere fact that there are still webpages out there, and I'm talking about relatively important and security-critical pages, that still use this "security questions" bullshit for password recovery should be a testament to how much it is unfortunately not a "no shit" observation.
There are very few questions "only I can answer". And those that only I can answer, only I can answer for a very good reason: I don't want to tell anyone the
Use the same method for choosing a "security" answer that you use for choosing a password. I.e. let a random generator do it and note it in a password safe.
xyzzy (Score:5, Insightful)
Even better idea, in addition to not giving away your data, why not also practice good operational security habits? Pick secure answers to those retarded questions. You are storing your password in an encrypted password safe, right? Add some more fields...
Site X thinks my first car was a "eterverinkipen43", but site Y thinks it was a "trocklencaterm39". Some people think my mother's maiden name was "metablersilippe8", but others think it is "glytenclegratio3".
There is absolutely no reason why any two sites or entities should have the same "secret", and none of those "secrets" should be things that your whole family and your entire school class knows. If you go to the "security" page of a site and it shows your answers to these questions, they are stored in plaintext and you absolutely positively must not use that same "secret" elsewhere.
And if a secret can be used as a password (or worse - can reset a password) it needs to be at least as strong as your password and protected as well as your password. Scratch that, it should be protected even better than your password because it will probably never be expired or changed.
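The two rules in the post above, one independent random "secret" per site and a strength at least equal to the password, and the earlier comments about generating a random answer and storing it in a password safe, are easy to turn into a small tool. The following is an added example, not code from any commenter or from the Krebs article; the 80-bit target, the letters-and-digits alphabet (chosen so an answer can be read out to a phone agent, as one commenter did) and the vault layout are assumptions.

```python
import math
import secrets
import string

# Letters and digits only: an answer must survive being read aloud to a CSR.
ALPHABET = string.ascii_letters + string.digits


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of `length` symbols from the alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest string length whose entropy meets the target (assumed default: 80 bits)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_answer(target_bits: float = 80) -> str:
    """One random 'security question' answer drawn from the OS CSPRNG (secrets module)."""
    n = length_for_bits(target_bits)
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def build_vault(sites, questions, target_bits: float = 80) -> dict:
    """Independent random answer for every (site, question) pair; the result belongs
    in the notes field of a password manager, never in a text file on the desktop."""
    return {site: {q: generate_answer(target_bits) for q in questions} for site in sites}


def reused_answers(vault: dict) -> dict:
    """Audit a vault: return every answer that appears under more than one
    (site, question) pair, mapped to the places it was reused."""
    seen: dict = {}
    for site, qa in vault.items():
        for question, answer in qa.items():
            seen.setdefault(answer, []).append((site, question))
    return {a: where for a, where in seen.items() if len(where) > 1}


# Constructed example of the anti-pattern: one memorable word shared everywhere.
BAD_VAULT = {
    "bank": {"first car": "Blue", "mother's maiden name": "Blue"},
    "forum": {"first car": "Blue"},
}

if __name__ == "__main__":
    good = build_vault(["bank", "forum"], ["first car", "first pet"])
    print(good)
    print("reused in good vault:", reused_answers(good))
    print("reused in bad vault:", reused_answers(BAD_VAULT))
```

Running the audit over the constructed `BAD_VAULT` flags `Blue` three times, which is exactly the "one answer for everything" suggestion made later in the thread; a vault built by `build_vault` yields no reuse, and each answer carries more entropy than a typical 12-character password.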
> Site X thinks my first car was a "eterverinkipen43", but site Y thinks it was a "trocklencaterm39". Some people think my mother's maiden name was "metablersilippe8", but others think it is "glytenclegratio3".
Those are the combinations to my luggage!
I'm going to go try those passwords on your bank account right now!
allow you to specify what to ask (Score:2)
And the answer...
Whenever I see a quiz, I reply.. (Score:2)
Hmmm. I wonder what info they are harvesting..
just make stuff up... (Score:2, Funny)
first pet's name? scooby doo
birthdate? 1/1/1970
first phone number? 867-5309
first street address? 1313 mockingbird lane
favorite color? rainbow
favorite number? 42
oshit, now you can hack my account.
Here is an actual quiz from my bank (Score:2)
This is an actual set of questions I once got from my bank.
None of these Q/A pairs was information I provided to them.
Each question had 6 choices, with the last being "None of the above".
Only 2 of these questions were based on current information.
I redacted parts of 2 questions containing personal information.
1. In which of the following counties have you ever lived or owned property?
2. Which of the following street addresses in [city_I_once_lived_in] have you ever lived at or been associated with?
3. Which
Yes, that is data they have gleaned from your credit reports, and they are asking you to verify whether you are who you say you are. They already have the correct answers.
These are totally unrelated to security questions for which the user provides the answers, in order to secure account logins.
Surprised! (Score:2)
I'm surprised these stupid little quizzes are still a thing. I thought it was amusing for a few minutes about 15 years ago, after that I decided I have better things to waste my time doing.
Only if you're doing it wrong (Score:3)
Most secret questions can be looked up or guessed if you can read through people's social media accounts. The answers to the secret questions should be lies. Mother's maiden name? Rumpelstiltskin. Place of birth? Sunnydale Hellmouth. First pet? Epileptic sea cucumber.
double fail (Score:2)
Security (Score:2)
Something has always baffled me about security questions being used to hijack someone else's account on whatever site.
Maybe my experience is different, but every time I've used a password reset form that required me to put in a security question answer... something else happens first. I get an email from the site, after requesting a password reset, to continue that reset I need to click a link in the email. After I do that, then it asks me a security question before continuing with the reset.
Now, here's m
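The flow described in this post (mail a one-time link first, ask the security question only after the link is opened) is worth writing down, because it shows why the question alone should never be enough to reset a password. The following is an added example, not code from this thread or from any real site; the 15-minute link lifetime, the three-attempt lockout, the case/whitespace normalisation of answers and the in-memory "outbox" standing in for the mail system are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60       # assumed policy: reset links expire after 15 minutes
MAX_ANSWER_ATTEMPTS = 3   # assumed policy: lock the reset after three wrong answers


def _hash(value: str, salt: bytes) -> bytes:
    """Security answers are passwords, so they are salted and hashed, never stored in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


def _normalise(answer: str) -> str:
    # Only case and surrounding whitespace are forgiven; the rest must match exactly.
    return answer.strip().lower()


class Account:
    def __init__(self, email: str, password: str, answer: str):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash(password, self.salt)
        self.answer_hash = _hash(_normalise(answer), self.salt)
        self.pending = None   # (sha256(token), expiry) while a reset is in flight
        self.attempts = 0


class ResetService:
    def __init__(self, accounts):
        self.accounts = {a.email: a for a in accounts}
        self.outbox = []      # constructed stand-in for the outgoing mail system

    def request_reset(self, email: str) -> str:
        """Step 1: mail a one-time link. The reply is identical whether or not the
        address exists, so the form does not reveal which emails are registered."""
        acct = self.accounts.get(email)
        if acct is not None:
            token = secrets.token_urlsafe(32)
            acct.pending = (hashlib.sha256(token.encode()).digest(), time.time() + TOKEN_TTL)
            acct.attempts = 0
            self.outbox.append((email, token))
        return "If that address is registered, a reset link has been sent."

    def open_link(self, email: str, token: str) -> bool:
        """Step 2: the link proves control of the mailbox. Only a valid, unexpired
        token gets the user to the question at all."""
        acct = self.accounts.get(email)
        if acct is None or acct.pending is None:
            return False
        token_hash, expires_at = acct.pending
        if time.time() > expires_at:
            acct.pending = None
            return False
        return hmac.compare_digest(token_hash, hashlib.sha256(token.encode()).digest())

    def answer_question(self, email: str, token: str, answer: str, new_password: str) -> bool:
        """Step 3: the question is a second check on top of the link, never a substitute
        for it. Wrong answers are counted and the reset is abandoned after the limit."""
        if not self.open_link(email, token):
            return False
        acct = self.accounts[email]
        if acct.attempts >= MAX_ANSWER_ATTEMPTS:
            acct.pending = None
            return False
        acct.attempts += 1
        if not hmac.compare_digest(acct.answer_hash, _hash(_normalise(answer), acct.salt)):
            return False
        acct.password_hash = _hash(new_password, acct.salt)
        acct.pending = None   # the token is single-use
        return True
```

Knowing the answer alone gets an attacker nothing here: `answer_question` refuses to run until `open_link` has succeeded, and the token it needs only ever exists in the mailbox. The remaining weak points are the ones the reply below names, the mailbox itself and a support desk that will bypass the link on request, and no amount of code in this class fixes those.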
Re: (Score:3)
> You need control of the email account in question
Ideally, that's the service the secret questions are for. Since they can't rely on you to have access to your email, if you are trying to reset the password for it. Nowadays a lot of email is tied to phone so SMS is an option, but a lot of it is not.
> So what am I missing
They can call support; and claim they no longer can receive email to the address on file or SMS to the phone number on file, for reasons.
If you have an ISP mail, maybe you changed ISPs, i
If I can't find out what kind of fruit someone is, how am I supposed to defend myself against them?
It's not easy, but training is available:
https://www.youtube.com/watch?v=U90dnUbZMmM
Don't thank me. I live to serve.
not just online (Score:4)
LOL! Do you think it's hard to get that information? If it also had his logins on important websites there could be a problem however him having that would be a bigger one...
Bad Questions (Score:1)
This entire concept of using questions to protect financial access is beyond retarded. A few months ago I was denied access to one of my credit cards because I couldn't name the city my estranged sister was living in. I think we're finally past the mother's maiden name (since you can pretty much search marriage records for 40+ years now). Maybe it's finally time to allow our phones to digitally sign the call itself, or use private certificates for authentication that use a hardware key inside our device
That's not going to be much help in stealing my identity; my parents were married just over 80 years ago.
Or the "what color are you" (Score:2)
What is your porn star name? (Score:2)
Combine the name of your first pet with the name of the street you grew up on, be amused by the result, post it all over the internet (and encourage others to do the same.)
I confess it took me a while to notice that these posts were gold for identity thieves. If this meme was invented by an identity thief, I am in awe of their brilliance.
Genealogical Questions (Score:2)
Which begs the question, "Why do bank and financial sites still use questions like 'Mother's Maiden Name' when Ancestry.com probably knows that, even if YOU never filled in an online genealogy?"
Suggestion: Answer all such questions with the same answer, one irrelevant to the question. "Mother's Maiden Name"? "Blue". "First car"? "Blue". "First pet"? "Blue".
Wait, that's the name of my first pet too!
Or don't make those your security questions (Score:2)
Duh... (Score:2)
I'm pretty sure this is how Sarah Palin's yahoo email account got compromised.
What your SSN reveals about your personality? (Score:2)
Let's play a fun game: (Score:1)
Hey, let's play a fun game! Answer these questions and see your score:
1. What is your mother's maiden name?
2. What is your first pet's name?
3. What street did you grow up on?
4. What are the last 4 digits of your social security number?
...
fFz0fPEDX63wFZK2ZKaO
07avA68VFskVredZl5VV
RASCcLqjYcseOU00HicJ
0002. Damn Roosevelt.
Turnabout Is Fair Play (Score:2)
While the idea of obfuscation-as-security has been around a long time, given the pervasive lack of data privacy, relax a little and have some fun with it. Large-scale data mining for profit and massive security breaches pretty much leave everyone who uses the internet wide-open to exploitation, so we might as well make a game of it.
I have four "identities" I use for various purposes, all fictitious to one extent of another. I feed them so much bullshit and chaff that pretty much any "profile" on me comes of
The biggest security hole: security questions (Score:2)
Quite frankly: we keep telling people to use 20-character passwords with numbers and special characters and preferably even characters that can't be typed on a Latin keyboard... and then we let them recover that password if lost with the name of the pet dog they had as a child.
Are you fuckin' serious?
This is from a security standpoint even worse than them using that pooch's name as the friggin' password. Because then a potential attacker would at least not know that the key to the account
Or... (Score:2)
When answering those types of "Secret Questions" at sites you actually use and want security on, don't give the "real" answer.
They ask "Model of first car?", you answer "R3dw!n@$"
etc
Mother's maiden name? 0129834765
etc
I started informing companies that the phone call can be recorded for security and training purposes. You get a whole range of very funny reactions to something like this.