Setting security questions to add a layer of security to your online accounts can actually make it easier to hack your accounts. Largely due to social media sharing, the personal information that we often use for these security questions is leaking out. We need to start using fake security questions to throw attackers off our trail.
Accounts Compromised Through Security Questions
Many account breaches can be executed through security question verification. The recent hack on iCloud is a case in point. Apple has maintained throughout that internal security was not the problem. Now they say that after studying the breach, security questions are partly to blame. Hackers were able to gain access to the accounts of several celebrities through this verification method.
Apple has said that they will step up security, but users need to do their part to create security questions that no one can guess. Usernames and passwords need to be better, too. Apple said that the attack that caused the release of many private celebrity photos was a targeted attack on these three security elements. This type of attack is very common because people are simply not paying enough attention to the strength of their login credentials and to protecting them from sniffing software.
This is surprising since there was another similar high-profile email hack in 2008. A student got into the Yahoo account of Sarah Palin, who was running for vice president. Her information ended up in the same place where the iCloud celebrity photos were posted, on 4chan. People really need to understand that they need to take responsibility for their own security.
Fake Security Questions Can Thwart Hacks
Security questions have become access points rather than security measures. This is largely due to the amount of information we share on social media sites. Like usernames and passwords, we often select security questions and answers that are easy for us to remember. This means that they have some connection to our personal lives. These types of credentials would be the safest if not for excessive sharing of personal information online. The solution here is to invent a set of security questions and answers that is not real so that it cannot be deduced.
A typical security question would be a pet’s name or a nickname. Normally this would not be easy to guess. But because we tell so much about ourselves online, the information is leaked out or becomes easy to figure out. This is particularly true for celebrities, whose lives are thoroughly researched and reported by entertainment media. Using fake security questions will throw off hackers, who will go through lists of probable questions and answers before trying brute force attacks. By this time, the unusual activity will most likely get flagged.
Some websites allow users to create their own questions, but others have us select from a list. These lists are often very simple questions that are not very private. For instance, the site will ask for a previous address or the middle name of a parent. With a bit of research, this information can be easily obtained. Fake sets of answers to these common security questions can prevent anyone from getting the right answer. But the fake answers need to be totally disconnected from anything that a user might talk about, whether online or offline. For instance, answer your mother’s middle name as “you would like to know, wouldn’t you?” Or give your pet’s name as “the most unique name ever thought up by a kid.” Long answers are harder to guess, and the more interesting the answer, the better. Some websites also have a security measure that locks down an account after too many unsuccessful sign-in attempts. With fake security questions, attackers will probably get locked out and reported before they even get close to cracking the account.
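One way to produce such answers without inventing them by hand is sketched below as an added example, not something from the original article. It assumes pronounceable random syllables (useful if a support desk asks for the answer by phone), and the function names, sample questions and personal terms are all constructed for illustration.

```python
import math
import secrets

# Constructed alphabet: consonant+vowel syllables keep answers pronounceable.
CONSONANTS = "bdfghjklmnprstvz"
VOWELS = "aeiou"
SYLLABLES = [c + v for c in CONSONANTS for v in VOWELS]  # 80 syllables


def entropy_bits(words=4, syllables_per_word=3):
    """Bits of randomness in one generated answer."""
    return words * syllables_per_word * math.log2(len(SYLLABLES))


def leaks_personal_term(answer, personal_terms):
    """True if a real-life term (pet, street, relative) appears in the answer."""
    squashed = answer.replace(" ", "").lower()
    terms = (t.replace(" ", "").lower() for t in personal_terms)
    # Terms under 3 letters are ignored: they would match almost any answer.
    return any(len(t) >= 3 and t in squashed for t in terms)


def fake_answer(personal_terms=(), words=4, syllables_per_word=3):
    """Random answer unrelated to the question; retries on accidental matches."""
    while True:
        answer = " ".join(
            "".join(secrets.choice(SYLLABLES) for _ in range(syllables_per_word))
            for _ in range(words)
        )
        if not leaks_personal_term(answer, personal_terms):
            return answer


def answers_for_site(questions, personal_terms=()):
    """One independent fake answer per question, so no answer is reused."""
    return {q: fake_answer(personal_terms) for q in questions}


if __name__ == "__main__":
    # Constructed sample data: common question types, made-up personal terms.
    qs = ["Mother's middle name?", "Name of your first pet?"]
    for q, a in answers_for_site(qs, ["Luna", "Maple Street"]).items():
        print(f"{q} -> {a}")
    print(f"about {entropy_bits():.0f} bits per answer")
```

Because the answers cannot be remembered or deduced, they have to be stored wherever the account's password is kept.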
Some people might argue that security question technology is obviously outdated and needs to be changed. But it is integrated into so many websites that it cannot be easily switched out for something better. Most websites would not even agree to try because it would be a huge and expensive endeavor. All we users can do is work around it, which means using security questions and answers that no one can guess.