Why Security Questions are Terrible for Security

securityQuestions_504396769_400.jpg

What is your mother’s maiden name? What street did you grow up on? What is your favorite movie?

How about: What good do you really think these questions are going to do to help keep your accounts any more secure?

Seriously, there are a few big problems with the security questions that a lot of businesses, websites, and other accounts rely on. Let’s discuss why these security questions don’t work, and what some alternatives might be.

So, What’s So Bad About These Security Questions?

Let’s walk through an example to illustrate just that!

So, let’s say I was a mean little cybercriminal, and I wanted to help myself to the contents of your bank account. So, I go to your bank’s website, which I confirmed by sending you a phishing message. I also happened to confirm your username (and why I didn’t just take your password along with it, the world may never know) which I can then input into the bank’s website.

Oh darn, I still need that password…or, I can click the handy little Forgot password? link next to the entry field. I’m presented with a few options for your security question, and I have an easy enough way to potentially deduce any of them.

What was your mother’s maiden name? Off to Facebook, for which you either haven’t set your privacy settings or an update reset them without your knowledge. From your profile, I can easily go through and find who your mother is, who just so happens to use her maiden name in her profile so old friends can find her. Security question answered.

What is your favorite book/movie/etc.? Again, Facebook can come in handy here, as it’s somewhat likely you set up your bank account’s web credentials at around the same time as your Facebook. Facebook lists out the books and movies and shows and general interests that people have, and these pages are never as popular as when a Facebook account is first created.

Otherwise, a little bit of perusing through your photos might tip me off, especially if I find countless pictures of you wearing Twilight merch in the early days of you having Facebook, or see lots of John Grisham novels in the background.

What was the name of your first pet? Once more, Facebook is a handy resource. All I’d have to do is search a profile for any mention of a pet and I’ve got a pretty good chance of finding the answer.

Once I’ve completed my bit of Facebook snooping, I can simply give the bank the answers they need for their “security” questions, and I now have total access to your finances.

Keep in mind that Facebook is just one social media platform, too. By posting our entire lives on the platform, we’re putting a lot of trust in their security and in our own capabilities not to overshare or create secure passwords.

It Gets Worse, Too

While it’s getting to be a little old at this point, a study conducted by Google back in 2015 found that many of these security questions have horrifyingly predictable answers.

For instance, the study found that an attacker had a 19.7% chance of correctly answering, “What is your favorite food?” if they only had one guess and knew that the user spoke English. If a user spoke Arabic and the attacker had ten guesses, they had a 24% chance of correctly answering “What was your first teacher’s name?” If the targeted user spoke Korean, ten guesses gave the attacker a 43% chance of answering “What is your favorite food?”

That’s not even mentioning how the cultural differences between the person writing the questions and the person using them to secure their account can pigeonhole the user into selecting a more-easily-guessed answer because these cultural differences make for different experiences. Maiden names aren’t a globally-accepted tradition, after all.

Finally, if the attacker has a bit of technical skill, they can always try a brute-force attack against the recovery question—which, without the complexity requirements that passwords are subject to, is likely to take much less time.

So, If Not Security Questions, What Can We Use to Secure Accounts?

There are a few measures that can be taken to improve security safeguards. For instance, multi-factor authentication and biometrics can make it easier to access your accounts, without making it easier for attackers to do so.

Reach out to us today to learn more about the different authentication and security measures that we can help you implement. Give us a call at 810.230.9455 today!

Oh, and go check that your social media accounts have the right privacy settings.