Problems with Security Questions
May 01
F-Secure had an interesting rundown today on the security options available over at Facebook. They also critique Facebook’s security questions, which are generic items like “Mother’s maiden name,” “3rd-grade teacher,” “First pet.” These are items that your friends and family are likely to know about you, so they don’t necessarily guarantee your security. As F-Secure puts it, “Security challenge questions based on social information is probably not the best of ideas on a social networking site.”
The questions really are kind of ironic. I had to think a while to remember my third grade teacher’s name, but I do have one or two people on my friends list (flist) I went to school with. They may remember better than I do!
I also have direct experience that security questions can prove ineffective. In fact, I remember being guilty myself: as a drama-ridden teenage girl, I hacked an ex-boyfriend’s email account, because I knew his password and security question answer. It was his place of birth, and, most clever of me, I remembered exactly the way he always misspelled it. Hacking his account and then confronting him was not my best moment in life. Luckily I learned my lesson and will never do something like that again. My story only shows that it’s possible, and illustrates F-Secure’s concern.
The problem with developing genuinely secure questions is that all of those types of questions are usually, by nature, personal and social. They must be targeted to the user, and based on the user’s demographics and interests. When they work, it’s because the answer is a private thing, or a personal thing that no one else knows. For adults, in many cases, those types of questions work simply because the user’s adult friends weren’t around in elementary or high school when we had our first pets, third grade teacher, first car, etc.
Developing tougher, more targeted questions can also present a challenge. Recently, I had the opposite problem of the Facebook dilemma. Instead of the questions being too easy and well known, they were simply irrelevant. I opened some account where all the questions revolved around marriage, kids, and mortgages. The writers assumed their users were older, and made the logical leap that they were married and had children or mortgages. But I’m under 30, unmarried, without children, and haven’t been able to afford my own home. I’m not alone, either: many of my peers are waiting much longer before getting married, having kids, and buying homes. So, I found the questions simply irrelevant, and had to puzzle out a while how to get around the obstacle of the security questions.
Of course, the questions are supposed to present an obstacle to attackers, not to the account holder, so they have to be easy to remember, applicable, and relevant before they can enforce any security at all. Sites that use security questions need to be aware of these problems, and walk a fine line between making the questions too easy and making them inappropriate for their users.
One solution would be for sites to offer more choices. Then it’s up to the user to choose a question that he or she can remember the answer to but that others are unlikely to guess. Even if the questions in general are easy or well known, the user should be able to select a question or two that others won’t know.
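As an added illustration of that last suggestion, the sketch below is not code from the original post or from Facebook or F-Secure; it is a hypothetical enrollment flow in which the site offers a pool of questions (constructed here), requires the user to pick at least two, rejects answers that are too short or on a constructed list of near-useless answers, and stores only a salted hash of each normalized answer. Normalization only lowercases and collapses whitespace, so a capitalization slip does not lock the account holder out, while spelling is left exactly as the user typed it.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed question pool (hypothetical prompts, not from any real site).
# Offering more choices lets the user pick items others are unlikely to know.
QUESTION_POOL: Dict[str, str] = {
    "q1": "Mother's maiden name",
    "q2": "Name of your 3rd-grade teacher",
    "q3": "Name of your first pet",
    "q4": "Street you lived on in your first apartment",
    "q5": "Title of the first book you bought with your own money",
}

# Constructed denylist: answers so common they are little better than none.
COMMON_ANSWERS = {"none", "n/a", "unknown", "password", "1234", "smith"}

MIN_ANSWER_LENGTH = 3       # assumed policy values
REQUIRED_QUESTIONS = 2
PBKDF2_ITERATIONS = 100_000

# A stored record is (salt, pbkdf2 digest); the clear-text answer is never kept.
Record = Tuple[bytes, bytes]


def normalize(answer: str) -> str:
    """Lowercase and collapse whitespace; spelling is deliberately untouched."""
    return " ".join(answer.lower().split())


def check_answer_policy(answer: str) -> Optional[str]:
    """Return a rejection reason, or None if the answer is acceptable."""
    n = normalize(answer)
    if len(n) < MIN_ANSWER_LENGTH:
        return "answer too short"
    if n in COMMON_ANSWERS:
        return "answer is too common"
    return None


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Record:
    """Hash the normalized answer with a per-answer random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def enroll(selections: Dict[str, str]) -> Dict[str, Record]:
    """selections maps question id -> answer chosen by the user.

    Raises ValueError when too few questions are chosen, a question is not in
    the pool, or an answer fails the policy; otherwise returns stored records.
    """
    if len(selections) < REQUIRED_QUESTIONS:
        raise ValueError(f"select at least {REQUIRED_QUESTIONS} questions")
    records: Dict[str, Record] = {}
    for qid, answer in selections.items():
        if qid not in QUESTION_POOL:
            raise ValueError(f"unknown question {qid}")
        reason = check_answer_policy(answer)
        if reason is not None:
            raise ValueError(f"{QUESTION_POOL[qid]!r}: {reason}")
        records[qid] = hash_answer(answer)
    return records


def verify(records: Dict[str, Record], qid: str, answer: str) -> bool:
    """Constant-time comparison of a submitted answer against the stored hash."""
    salt, expected = records[qid]
    _, actual = hash_answer(answer, salt)
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    # Constructed sample enrollment and a couple of checks.
    stored = enroll({"q2": "Mrs. Krabappel", "q4": "Maple Avenue"})
    print(verify(stored, "q2", "mrs. krabappel"))   # capitalization forgiven
    print(verify(stored, "q2", "mrs krabappel"))    # spelling is not
```

The denylist and length check are the concrete form of "walk a fine line": they stop a user from picking an answer anyone could guess, while the pool and the two-question minimum leave room to pick prompts that actually apply to the user.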