Has anybody ever asked you this?
The way it works is, you take the name of your first pet, and the name of the street you grew up on.
Put those together and that’s supposed to be what your alias would be if you decided to, uh, switch careers.
Yeah, it’s cheeky, and kind of silly. But did you know that this can be a form of phishing? Strictly speaking it’s social engineering, an attempt to harvest the information that unlocks your accounts, but it belongs to the same family.
I didn’t, until a couple weeks ago.
Actually, the way I found out was a comment on LinkedIn on a post with a similar question.
Somebody mentioned to everybody that they should be careful about answering questions like that because it’s actually a type of phishing.
How Is This Phishing Exactly?
Have you ever forgotten your password? Who hasn’t, right?
Most places have you set up some security questions when you create an account. They are the fallback for when you forget your password: they’re meant to distinguish you from anyone else who might try to get into your account, by having you provide information that, in theory, only you know.
So I did some searching and found a list of common security questions.
It had never hit me that the answer to that joke hands over the answers to two of them, the favorite pet and the street you grew up on. Here’s the list:
- What is the first and last name of your first boyfriend or girlfriend?
- Which phone number do you remember most from your childhood?
- What was your favorite place to visit as a child?
- Who is your favorite actor, musician, or artist?
- What is the name of your favorite pet?
- In what city were you born?
- What high school did you attend?
- What is the name of your first school?
- What is your favorite movie?
- What is your mother’s maiden name?
- What street did you grow up on?
- What was the make of your first car?
- When is your anniversary?
- What is your favorite color?
- What is your father’s middle name?
- What is the name of your first grade teacher?
- What was your high school mascot?
- Which is your favorite web browser?
I’m A Tester–How Can I Help?
There are many, many reports about data breaches and hacks, and it’s often difficult to tell how the attacker got in.
Social engineering, of which phishing is one form, is a well-known way to extract critical information from users. I suspect it is being used to get around security questions too.
If you’re testing a project and notice security questions, it’s time to ask: can the answers to some of these questions be guessed, looked up, or coaxed out of the user?
Although these questions are convenient, some of the answers are easy to glean. “What was the make of your first car?” is known to anyone who knew you as a teenager. “What is your favorite color?” comes up in ordinary small talk, and so does “Hey, where’d you go to high school anyway?”, which takes care of the mascot question too.
There’s a second catch: sometimes an answer changes with a person’s circumstances.
My favorite color used to be black, but now I kind of like purple. If an old account had that question set up, and I gave the correct answer now, it would be wrong relative to when I set up the account.
There was a time where I’d set up an account and chosen, “What’s your favorite restaurant?” as the security question.
At the time, my favorite place was relative to where I was working. But then I changed jobs, and found an even better favorite place.
So when asked this question, did I remember the old favorite place? No.
(aside: it was a phone call I was on, and it took a while, but I finally got into my account. Once I proved who I was, I asked the person what the answer to the other question was, and it was a place I hadn’t eaten at in years)
As a tester at a company, know that the company isn’t limited to these questions. It isn’t even limited to this type of question; there’s an alternative further down.
Security questions get picked for convenience, and they are convenient, except when they aren’t.
In the situation above, it makes for a bad experience if a user can’t get back into an account because of a question they now have a different answer for.
In the situation further up, it’s worse than a bad experience: if the answer can be teased out with small talk, or read off a social media profile, the question is a way around the password.
Consider the quality of the questions you’re using: do the answers stand the test of time? Are they hard to guess or look up? Are the stored answers hashed rather than kept in plain text, and does the site limit how many wrong answers it will accept?
If not, pick different questions, or fix the recovery flow.
Or, try a more creative approach! Companies that want to be cutting edge do things differently than others, just to stand out.
Maybe there’s a better way to allow users to prove themselves without using security questions.
Maybe they don’t need a login at all?
Can you think of a better way to ensure that the correct user accesses the correct account?
I’m A User–Am I Hosed?
Nope. In fact, I’d say you have more weapons at your disposal now to prevent this kind of problem.
Security questions exist as a fallback for when you forget your password. Before password vaults made it practical to keep a unique password for every site, forgotten passwords were routine, and a question only you could answer was how a site decided whether to let you back in.
I think these types of questions are just a holdover from back when users didn’t have a reliable method of password storage. So you’re not limited to answering these questions the “right way”. There’s nothing stopping you from giving a non sequitur answer like “tomatoes” to the question “Where did you go to high school?” An answer that has nothing to do with you can’t be gleaned from small talk or from your profile.
Oddball answers like that belong in the Notes section of a password vault, right alongside the password for that site, so you don’t have to remember them.
But, as a user, be careful what info you volunteer too. I would not be surprised if there’s a database out there somewhere, quietly being populated with snippets of possible correct pieces of info about you and me, based on what’s available already.
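Here is an added example (my code, not the blog author’s) that ties the tester section and the user section together. It shows an account-recovery answer check the way a tester should hope to find it: answers normalized so typing differences don’t lock the real user out, stored only as salted and stretched hashes, compared in constant time, and limited to a handful of wrong attempts. It then shows, from the attacker’s side, why a question like “What is your favorite color?” is still weak even with all of that in place, and, from the user’s side, how to generate a random answer to paste into the vault’s Notes field. The colour list, the word list, the attempt limit and the PBKDF2 round count are constructed for the demo; none of it comes from the original post.

```python
# Added example, not code from the blog post. Demonstrates a hardened security-question
# check (normalize, salt + stretch, constant-time compare, attempt limit), an attacker's
# guess loop against it, and a user-side random answer generator. Lists and limits are
# constructed for the demo.
import hashlib
import hmac
import os
import secrets
import unicodedata
from typing import List, Optional

PBKDF2_ROUNDS = 100_000   # stretching cost; tune upward on real hardware
MAX_ATTEMPTS = 5          # wrong answers allowed before the recovery flow locks


def normalize(answer: str) -> str:
    """Fold case and drop accents, punctuation and whitespace, so that
    "St. Mary's High" and "st marys high" compare equal. Without this the
    legitimate user burns their own attempt budget on typing differences."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(ch for ch in stripped.casefold() if ch.isalnum())


def enroll(answer: str) -> dict:
    """Store only a salted, stretched hash of the normalized answer, never the text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "attempts": 0}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time compare; every miss counts toward the lockout, and once
    locked even the right answer is refused until a slower recovery path is used."""
    if record["attempts"] >= MAX_ATTEMPTS:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(),
                                 record["salt"], PBKDF2_ROUNDS)
    if hmac.compare_digest(digest, record["hash"]):
        record["attempts"] = 0
        return True
    record["attempts"] += 1
    return False


# Attacker's side: a constructed shortlist of favourite colours, roughly by popularity.
COMMON_COLORS = ["blue", "green", "red", "purple", "black", "orange",
                 "pink", "yellow", "white", "brown"]


def guess_answer(record: dict, guesses: List[str]) -> Optional[int]:
    """Try each guess in turn; return the 1-based attempt that worked, or None
    if the list ran out or the lockout kicked in first."""
    for n, guess in enumerate(guesses, start=1):
        if verify(record, guess):
            return n
    return None


# User's side: an answer that is not true about you, for the vault's Notes field.
WORDLIST = ["tomato", "ladder", "quartz", "velvet", "harbor", "comet",
            "falcon", "meadow", "pixel", "anchor", "saffron", "glacier"]


def random_answer(words: int = 4) -> str:
    """A few random words from a constructed list; use a full diceware list for real."""
    return " ".join(secrets.choice(WORDLIST) for _ in range(words))


if __name__ == "__main__":
    colour = enroll("Purple")
    print("favourite colour cracked on attempt", guess_answer(colour, COMMON_COLORS))  # 4
    vault = enroll(random_answer())
    print("random answer cracked on attempt", guess_answer(vault, COMMON_COLORS))      # None
    print("attempts burned before lockout:", vault["attempts"])                        # 5
```

The point for the tester is in the two runs at the bottom: hashing and a five-try lockout are all done right, and the favourite-colour answer still falls on the fourth guess, because a ten-value answer space gives the attacker roughly a coin flip inside the budget. The random answer exhausts the same budget with nothing to show for it. The counter here is per record only; a real recovery flow also throttles by source address and session and alerts on repeated lockouts.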