Answers to your security questions aren’t so secure

Take the time to set up other methods that are more effective for avoiding identity theft


If you’re protecting important personal accounts with nothing more than a few security questions, it may be time for an upgrade.

Adam Levin, chairman and co-founder of Credit.com and IDT911

A study from Google recently compared the use of security questions to other account recovery methods like SMS (short text messages) and an alternative email address. It found that true or made-up responses to questions like, “What was your mother’s maiden name?” or specific answers to prompts such as “favorite superhero,” “first car” or “childhood phone number,” weren’t a reliable way to recover or protect an account.

The basic takeaway is simple: Account recovery (or account takeover) is easier to accomplish when using “security questions” because too often answers to those questions can be guessed and/or figured out through a process of elimination. The other methods, like SMS or email recovery, require a would-be scammer to have a user’s phone or know how to access the alternate email account used to receive the recovery link. While the study was Google-centric, the same goes for any site you visit that allows users to answer security questions in order to regain access to an account when they have forgotten their user name or password.

I’ve advocated a form of strategic lying as a way to foil would-be account takeovers, which I explain in my book Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. While I still think it’s a good strategy, the problem with this tactic, as highlighted by the Google study, is the quality of lies told. The most important issue is memorability.

The Google study suggests that most people aren’t very good at lying, at least when conjuring up answers to security questions. The authors saw, “a very sharp decline within one month of enrollment for [memorability of] all questions. This is particularly true for ‘favorite food’ and ‘childhood best friend,’ questions which are not necessarily factual and to which users may change their minds or have to choose from among several possibilities at the time of enrollment.”

While I still think strategic lying works, it’s no longer the best strategy. It only works if you can avoid the pitfalls uncovered in the Google study, and that might be a pretty big “if.”

What were those pitfalls?

The study found that 16 percent of security questions had answers “routinely listed publicly in online social-networking profiles.” Live by the share, die by the share.

This held true even if the users had all their privacy settings toggled tight, because would-be hijackers could use something called an inference attack method, whereby sensitive information can be found (or guessed) by surfing the timelines and other social sharing of a user’s friends.

Identity-related crime is often a family (and friends) affair. The study found that partners, family members, friends and even acquaintances had a pretty good shot at guessing their way into your accounts. As noted, “Schechter et al. found in a laboratory study that acquaintances could guess 17 percent of answers correctly in five tries or fewer, confirming similar results from earlier user studies.”

This is how “Nudegate” happened in 2014, only in that instance the problem was the ease of guessing celebrities’ security questions—people who lived in the public eye, had been interviewed exhaustively, and had few secrets. Make no mistake, when it comes to identity-related crimes and the people who commit them, we are all celebrities.

The study also found that other questions could be answered by dipping into publicly accessible records. Among the instances of low-security questions, the study found that “at least 30 percent of Texas residents’ mothers’ maiden names can be deduced from birth and marriage records.” Many other potential questions had “very few possible answers,” one example being “favorite superhero.”
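To make “very few possible answers” measurable, here is a short added example (it is not code from this article, Credit.com or the Google study) that scores an answer space the way a defender evaluating a recovery method would: the chance that someone who knows how answers are distributed succeeds within a lockout window of k tries (the combined share of the k most common answers), and the min-entropy in bits, -log2 of the most common answer’s share. The “favorite superhero” counts, the five-attempt lockout and the six-digit SMS code space are constructed assumptions for illustration, not survey data.

```python
"""Added example (not from the article): how guessable is a security
question's answer space compared with a random one-time code?

Two standard strength metrics:
  * top_k_mass:        probability that the k most common answers include
                       the true one, i.e. success within a k-try lockout
  * min_entropy_bits:  -log2(p_max), the "effective bits" against a single
                       best guess

All counts and sizes below are CONSTRUCTED placeholders, not survey data.
"""
from fractions import Fraction
from math import ceil, log2


def top_k_mass(counts, k):
    """Share of the population covered by the k most common answers."""
    total = sum(counts)
    top = sorted(counts, reverse=True)[:k]
    return Fraction(sum(top), total)


def guesses_for(counts, target):
    """Smallest number of popularity-ordered guesses whose combined
    probability reaches `target` (a Fraction)."""
    total = sum(counts)
    running = 0
    for i, c in enumerate(sorted(counts, reverse=True), 1):
        running += c
        if Fraction(running, total) >= target:
            return i
    return len(counts)


def min_entropy_bits(counts):
    """-log2 of the most common answer's probability."""
    return -log2(max(counts) / sum(counts))


# A uniformly random space (e.g. a random six-digit SMS code) has closed
# forms, so it does not need to be enumerated.
def uniform_top_k_mass(n, k):
    return Fraction(min(k, n), n)


def uniform_guesses_for(n, target):
    return ceil(target * n)


def uniform_min_entropy_bits(n):
    return log2(n)


# Constructed: "favorite superhero" answers from 100 imagined users,
# clustered on a handful of characters (placeholder frequencies).
FAVORITE_SUPERHERO_COUNTS = [30, 25, 15, 10, 8, 5, 4, 3]

SMS_CODE_SPACE = 10 ** 6   # assumed: random six-digit recovery code
LOCKOUT = 5                # assumed: attempts allowed before lockout


def compare(lockout=LOCKOUT):
    """Side-by-side strength of the question versus the random code."""
    half = Fraction(1, 2)
    return {
        "question_success_in_lockout": top_k_mass(FAVORITE_SUPERHERO_COUNTS, lockout),
        "code_success_in_lockout": uniform_top_k_mass(SMS_CODE_SPACE, lockout),
        "question_guesses_for_50pct": guesses_for(FAVORITE_SUPERHERO_COUNTS, half),
        "code_guesses_for_50pct": uniform_guesses_for(SMS_CODE_SPACE, half),
        "question_bits": min_entropy_bits(FAVORITE_SUPERHERO_COUNTS),
        "code_bits": uniform_min_entropy_bits(SMS_CODE_SPACE),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>30}: {value}")
```

With these constructed numbers, five popularity-ordered guesses cover 88 percent of users for the question but one in 200,000 for the code, and two guesses already reach half the population for the question; the question is worth under two effective bits against the code’s roughly twenty. Swapping in real answer frequencies from your own user base gives the same comparison for a question you are considering keeping.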

Finally, there was social engineering. This is a constant issue. In one cited study, the researchers “were able to extract answers to personal knowledge questions from 92 percent of users via email phishing.”

What you can do

Mark Twain said it first (and perhaps best): “If you tell the truth, you don’t have to remember anything.” Unfortunately, if you tend to tell the truth about yourself via social media, the truth may well get you “got” when it comes to security protocols on the sites you log into. If you’re not good at making up good lies and remembering them—or you just don’t want the hassle—you might want to set up SMS recovery.

Having a PIN code or temporary password sent to your phone via SMS, or a reset link sent via email to an alternate account, seems to be the safer and more reliable option for account recovery, because the chances a would-be attacker has access to your phone or your recovery email account (if you have one) are just not as good as the chances of a good scam artist figuring out the answers to your security questions.

If you still don’t want to give the mega giant harvesters of personally identifiable information your phone number for two-factor authentication, become a better liar. Given the high degree of forgettable security questions, try a system that mixes the truth with something unknowable, or at least hard to guess. Maybe you can sprinkle some simple math in the answer, or make all the dates a month and five days wrong.

Only you know what will work in terms of memorability, but you can never know what won’t work when it comes to keeping the bad guys out of your business. And, if you think the bad guys already may have your information, you should check your credit for signs of deeper identity theft. You can do so by pulling your credit reports for free each year at AnnualCreditReport.com and viewing your credit scores for free each month on Credit.com.

Regardless of what you decide to do, be careful. With identity-related crimes being the third certainty in life, you need more than luck and a half-hearted security protocol to defend against the threats that are “out there” 24/7/365.


Full disclosure: IDT911 sponsors ThirdCertainty. This story originated as an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

Adam Levin is chairman and co-founder of Credit.com and Identity Theft 911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.