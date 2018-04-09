Don't Give Away Historic Details About Yourself (krebsonsecurity.com)
Brian Krebs: Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as "What was your first job," or "What was your first car?" The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to "secret questions" that can be used to unlock access to a host of your online identities and accounts. I'm willing to bet that a good percentage of regular readers here would never respond -- honestly or otherwise -- to such questionnaires (except perhaps to chide others for responding). But I thought it was worth mentioning because certain social networks -- particularly Facebook -- seem positively overrun with these data-harvesting schemes. What's more, I'm constantly asking friends and family members to stop participating in these quizzes and to stop urging their contacts to do the same.
On the surface, these simple questions may be little more than an attempt at online engagement by otherwise well-meaning companies and individuals. Nevertheless, your answers to these questions may live in perpetuity online, giving identity thieves and scammers ample ammunition to start gaining backdoor access to your various online accounts.
The user is the product.
Stop wanting to be that product.
Turn off social media. Get a good VPN. Give your friends email. Use quality video chat. Join a forum, chat room on one topic.
Social media uses that information to build a profile on you and your friends.
What a person omits, fails to mention, lies about will be filled in by friends and family telling the truth. Data gaps are then not as privacy protecting as a state user expects.
I haven't run across this yet. What sites are doing it?
Honestly, I don't even tell the bank the real answers to these dumb questions. The reason is quite simple: someone could research and find the answers. Far better to just make up a set of answers to these sorts of things. Even multiple sets for different institutions. That's what I do. They have no business knowing details and they have proven they can't keep secrets.
This. Those 'security questions' are really just another password. I use random nonsense and put the results in my password manager. I'm a bit surprised that the various nefarious critters wandering about the bottom of the Internet would even bother at this level of trolling, but I guess you gotta make a living somehow.
This. The comment field in PasswordSafe is a wonderful place to store the made-up answers to those questions....
My answers are stored in a password safe.
Q: what was the name of the road you grew up on?
A: T59hZ3HNvx98RC
I've even had to give the "answers" once over a voice call to a CSR, and that works just fine. I got about halfway through reading the string of digits and they said "good enough" and moved on. Which was less than truly ideal, but good enough and worth a chuckle.
Mod parent up.
Of course you lie. Just having an account with one of these things gives them the foot in the door.
The best way to combat surveillance is counter-surveillance and actively engage in disinformation.
You don't understand.
You don't get to choose the questions, nor the correct answers.
These questions/answers are composed of information that was mined from your past.
The first time my bank hit me with a quiz like this, I had to dig through my files for some of the answers, because it was from so far in the past.
Yup, I got hit with that once or twice. Those are questions based on a credit report, so anyone who can run your credit knows the answers.
I know a guy who used to (and maybe still does) always answer all security questions with "never give guns to ducks."
That was one of the least weird things about him.
What was your first banking password?
What was your first government-issued identification number?
What was your first online handle that you used before you learned that the things you do and post on the internet can be traced back to you?
What was your first humiliating, deviant, or illegal thought?
What was your first felony that you got away with?
What was your first object you dry humped?
In one fell swoop, people give away birth hospital (city), weight, height, and name. Just add mother's maiden name (usually already there in FB) and hunt around for dog on their profile, and you've everything you need to file a social security number request before the kid is even 15 minutes old.
And yes, it has been done (though not using facebook-originated data).
Brian is usually pretty good for insight but this reads like a 'no shit' kind of observation he made to his in laws over dinner.
Even on sites that require info for registration I simply lie, always have. For info other than shipping address it's not relevant to whatever transaction we're undertaking, so I see no reason to provide them with any valid info. For security questions it's easy enough to jot down the actual security questions so I can remember the answer in the future (usually in KeePass notes).
Even better idea, in addition to not giving away your data, why not also practice good operational security habits? Pick secure answers to those retarded questions. You are storing your password in an encrypted password safe, right? Add some more fields...
Site X thinks my first car was a "eterverinkipen43", but site Y thinks it was a "trocklencaterm39". Some people think my mother's maiden name was "metablersilippe8", but others think it is "glytenclegratio3".
There is absolutely no reason why any two sites or entities should have the same "secret", and none of those "secrets" should be things that your whole family and your entire school class knows. If you go to the "security" page of a site and it shows your answers to these questions, they are stored in plaintext and you absolutely positively must not use that same "secret" elsewhere.
And if a secret can be used as a password (or worse - can reset a password) it needs to be at least as strong as your password and protected as well as your password. Scratch that, it should be protected even better than your password because it will probably never be expired or changed.
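The two halves of the advice in the comments above (generate a distinct random "answer" per site and keep it in a password manager; on the server side, never store the answer in a form that can be displayed back in plaintext) can both be shown in a few lines. The following is an added example, not code from the article or from any commenter; the helper names, the 20-character default length and the PBKDF2 iteration count are assumptions chosen for illustration, and the site names in the vault demo are constructed.

```python
import hashlib
import hmac
import math
import os
import secrets
import string
import unicodedata
from typing import Dict, List, Optional, Tuple

# Alphabet for generated answers: letters and digits only, so the string can be
# read aloud to a call-centre agent without ambiguity about punctuation.
ALPHABET = string.ascii_letters + string.digits


def generate_answer(length: int = 20) -> str:
    """Client side: a random per-site 'answer' to a security question.

    Uses the secrets module (CSPRNG), not random, so the value is unguessable.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random string of this length/alphabet.

    Compare with a real first-car or mother's-maiden-name answer, which is
    drawn from a small, publicly researchable set (a handful of bits at best).
    """
    return length * math.log2(alphabet_size)


def build_vault(sites: List[str], length: int = 20) -> Dict[str, str]:
    """Client side: one fresh random answer per site, to be stored in the
    password manager alongside the question text. No two sites share one."""
    return {site: generate_answer(length) for site in sites}


def normalize(answer: str) -> str:
    """Server side: canonicalise before hashing so ' Maple  STREET' and
    'maple street' match without the site having to keep the raw answer."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Server side: store (salt, PBKDF2 digest) of the normalised answer,
    exactly as a password would be stored. Because only a digest is kept,
    a 'security page' cannot echo the answer back to the user in plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes,
                  iterations: int = 200_000) -> bool:
    """Server side: constant-time comparison of a submitted answer."""
    _, cand_digest = hash_answer(candidate, salt, iterations)
    return hmac.compare_digest(cand_digest, digest)


if __name__ == "__main__":
    # Constructed demo: three sites, three unrelated answers.
    vault = build_vault(["bank.example", "email.example", "shop.example"])
    for site, answer in vault.items():
        print(f"{site:15} {answer}  ({entropy_bits(len(answer)):.0f} bits)")

    # Constructed demo of the server side for one of them.
    salt, digest = hash_answer(vault["bank.example"])
    print("verify correct:", verify_answer(vault["bank.example"], salt, digest))
    print("verify wrong:  ", verify_answer("Maple Street", salt, digest))
```

The generator is the client-side half: run it once per site and paste the result into the password manager's notes field next to the question, as several commenters describe. The hashing functions are what a site that takes these answers seriously should do with them; if a site can show you your stored answer, it is not doing this, which is the tell mentioned above.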
And the answer...
Hmmm. I wonder what info they are harvesting..
This is an actual set of questions I once got from my bank.
None of these Q/A pairs was information I provided to them.
Each question had 6 choices, with the last being "None of the above".
Only 2 of these questions were based on current information.
I redacted parts of 2 questions containing personal information.
1. In which of the following counties have you ever lived or owned property?
2. Which of the following street addresses in [city_I_once_lived_in] have you ever lived at or been associated with?
I'm surprised these stupid little quizzes are still a thing. I thought it was amusing for a few minutes about 15 years ago, after that I decided I have better things to waste my time doing.
Most secret questions can be looked up or guessed if you can read through people's social media accounts. The answers to the secret questions should be lies. Mother's maiden name? Rumpelstiltskin. Place of birth? Sunnydale Hellmouth. First pet? Epileptic sea cucumber.
Something has always baffled me about security questions being used to hijack someone else's account on whatever site.
Maybe my experience is different, but every time I've used a password reset form that required me to put in a security question answer... something else happens first. I get an email from the site, after requesting a password reset, to continue that reset I need to click a link in the email. After I do that, then it asks me a security question before continuing with the reset.
