By Julie Ryan
What is your mother’s maiden name? What was your high school mascot? What is the name of the street you grew up on?
Security questions are used to enhance the protections associated with online activities. In order for a system to make sure that it is actually you who is logging in, after entering your username and password, you are presented with one or more questions that ask intimate questions about your life. You previously selected the questions — typically when you set up the account — and the answers are from your life. The idea is that only you would know the answers, because it requires arcane knowledge of your life.
I recently went through this process when I was asked to select some security questions for an online account.
The choice of questions presented to me was limited: Where did you grow up? What was your first job? Who was your first employer? What was your maternal grandmother’s first name? Where did you go to junior high school?
As I scanned the questions, each one triggered a response that screamed “Don’t pick that one!” Why? Because the answers to each one of the questions can be easily discovered, either because I had posted something on line or one of my friends had.
Where did I grow up? My friends and family on Facebook have pretty much made that bit of data common knowledge.
What was my first job and who was my first employer? My resume posted on LinkedIn pretty much makes that an easy grab.
What was my maternal grandmother’s first name? Thanks, all the genealogy programs out there for making that bit of information not very secret.
Where did I go to junior high school? That one, too, is pretty much open information due to my friends on Facebook.
So there I was, staring at the screen, wondering which question was the least dangerous for me to select. It took me a while, but finally I stumbled upon the only real solution to the conundrum: make up false answers to the questions. With details of my life history so easily discoverable, the original usefulness of the security questions had been compromised, but by making up a history that never existed, I could take advantage of the situation.
There is, of course, a catch: since I didn’t use my actual history, I can’t easily remember the answers. So I wrote them down. Not on paper, but in a password safe: a file that keeps sensitive information in encrypted form. When I need to recover a password that I use only once or twice a year, I log in to the application and retrieve the encrypted data. At last count, I had 53 separate accounts, each with different usernames and passwords. The password safe has been a sanity safety net. Now all I had to do was add the security questions and the fake answers.
Some may be wondering if I have an over-active imagination. The history of Sarah Palin’s email compromise during the 2008 election cycle illustrates the problem potential. The person who hacked her account gained access by being able to answer security questions used during a password reset process. He knew the answers simply by reading up on her. As such, he was able to reset her password and gain access to her email account.
Take-away message: social media and online research has reduced the number of things that can truly be considered private. Keep that in mind when choosing your security questions and answers.
Julie Ryan is currently an Associate Professor and Chair of Engineering Management and Systems Engineering at George Washington University. Dr. Ryan began her career in the US Air Force as a signals intelligence officer after graduating from the Air Force Academy. She transitioned to civil service in the Defense Intelligence Agency as a military intelligence officer and later left government service to work in industry. Dr. Ryan’s research interests lie in information security and information warfare. She has authored or co-authored scholarly articles in such journals as IEEE Security and Privacy IEEE Transactions on Computers. She is also the co-author of Defending your Digital Assets published by McGraw-Hill.