Looking Beyond Strong Passwords

Mike Winslow, IAM Consultant, SecureITsource, Inc.

Recently I was setting up online access for one of my financial accounts. It had all the basic requests for information: first name, last name, birthdate, address, account number, you know, all the typical personal data such a website would need to enroll you in online access. Next came choosing an ID and password. No-brainer here too. They used my email address as the username and I have a pretty good algorithm for creating strong, secure passwords. But it was the next section that gave me pause. They wanted me to select 5 security questions in case they needed to verify my identity for password resets or other types of access.

What is your mother’s maiden name?

In what city were you born?

What is your father’s middle name?

Who was the best man at your wedding?

What is the name of your pet?

As I looked over the questions I started to wonder just how much security these questions and answers were going to provide. Supposedly these are questions and answers that only I would know the answers to, right? Wrong! If you’re married or divorced, your current or ex-spouse knows the answers. Your children probably know the answers. Your best friend probably knows the answers. Even if I don’t know you, if I were to get hold of your birth certificate I would have the answers to the first three questions. A carefully crafted bit of social engineering could get the answers to the rest.

I’m sure your wife, children, parents, or friends care too much about you to ever try to hack into your financial accounts. They would never think about stealing your identity to open accounts for their personal use. But when it comes to security, sometimes you have to think the worst. Here’s why:

According to Javelin Research and Strategy’s 2014 Identity Fraud Report, familiar fraud victims made up 0.35 percent of adult consumers in the U.S. in 2013. If projected across the population, that figure would mean 847,000 American victims of identity theft knew their thief. Experts say that projection is likely too low.

“Based on my experience, it’s pretty regular and it’s pretty underreported,” said Jennifer Peters, a certified credit counselor with Consumer Credit Counseling Service of West Georgia/East Alabama. “Very often [victims] know and aren’t going to do anything about it.” [1]

“That would never happen to me,” you think. But what if it is possible for you to become a victim? What can you do to protect yourself from becoming one of the 847,000-plus yearly victims of familiar fraud? How can you prevent someone close to you from hacking into your personal financial or other accounts?

The answer is simple: LIE!

Yes, you read that right. Lie! When it comes to providing answers to questions that are so easy to find, did you ever stop to think that no one ever checks the validity of your security question answers? No one cares what the answers are. No one is going to track down Batman to see if he was the best man at your wedding. No one is going to check your birth certificate to see if you really were born in Gotham. No one is going to check to see if your mother’s maiden name is Kardashian. The problem with security questions is that most sites use the same ones and most people give the same, truthful answers. But besides that, the answers are extremely easy to figure out, especially if you answer with the truth. That’s what makes the way you answer these security questions so critical.

The purpose of security questions is to establish proof of identity, not to validate your life story. If the majority of security questions have answers that can be found via public sources or by an expert phisher, why use them? You would never think to use them as passwords, so why use them in this situation and make it easier for the bad guys to steal your identity? If everyone is asked to answer the same set of questions and everyone provides the truth for the answers, the bad guys won’t have much difficulty figuring them out. That’s why you have to lie.

If you lie, only you are going to know the answer to the question. That makes the question a true check of your identity. Of course as with any good lie, it is harder to remember a lie than it is the truth. So how do you remember what lies you told as the answers to your security questions?

What I have found easiest is to come up with an alternative identity and then answer the questions from that person’s perspective. Since you are trying to protect yourself from identity theft, why not steal someone else’s identity? But don’t steal a real person’s identity. Steal your favorite fictional character’s identity.

A character that you know and love. A character you know everything about. As an example I have selected some commonly asked security questions and then used Homer Simpson for the answers.

Name the place you’d go to on your ideal vacation.

KrustyLand

What is your most unique characteristic?

Yellow Skin

What was your first dog’s name?

Santa’s Little Helper

What was your first cat’s name?

Snowball

What is your youngest child’s nickname?

Maggie

What is your eldest child’s nickname?

El Barto

In what city did you get engaged?

Springfield

Somebody can phish me all day long and never find out that my most unique characteristic is yellow skin or that I got engaged in Springfield, because neither of those two answers is true. And before anyone asks, no, I don’t use the Simpsons to answer my security questions.

The main thing to remember is that you want to use a character or character universe that is well known to you and will provide a variety of answers to any potential security question you are asked. When you do, remember that the rules for coming up with your alternate identity are the same rules that apply to creating strong passwords. You don’t use your children’s names as passwords or significant dates as PINs. So if you wear a Wolverine T-shirt 24/7/365, don’t use him as your source for answers.

Whatever you choose to do when it comes to answering security questions remember that the answers are not relevant to the purpose of the account. All you are doing is creating a virtual secret handshake. And in a virtual world you can be anybody you want to be, even Homer Simpson. DOH!
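If the answers really are a secret handshake rather than facts, the site holding them should treat them exactly like passwords. The following is an added example (not code from the original post or from SecureITsource) showing the service side of that idea: each answer is normalized so harmless typing differences still verify, then salted and hashed with a slow key-derivation function, and reset attempts are compared in constant time. The `enroll_answer`/`verify_answer` names and the scrypt parameters are this example's own choices.

```python
import hashlib
import hmac
import os
import unicodedata

# Added example: store security-question answers the way passwords are stored.
# Nothing here checks whether an answer is "true"; it only checks that the
# person resetting the account can reproduce the secret they enrolled with.


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so "El  Barto" and "el barto" verify the same."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())  # collapse runs of whitespace, trim ends


def _derive(answer: str, salt: bytes) -> bytes:
    # scrypt from the standard library; work factor kept modest so the demo runs
    # quickly (128 * r * n bytes = 16 MiB of memory per derivation).
    return hashlib.scrypt(normalize_answer(answer).encode("utf-8"),
                          salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def enroll_answer(question: str, answer: str) -> dict:
    """Return the record a site should persist for one security question.

    A fresh random salt per record means two users who both answer
    "Springfield" do not end up with the same stored hash.
    """
    salt = os.urandom(16)
    return {"question": question, "salt": salt, "hash": _derive(answer, salt)}


def verify_answer(record: dict, attempt: str) -> bool:
    """Constant-time check of a reset attempt against the stored record."""
    candidate = _derive(attempt, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


if __name__ == "__main__":
    # Constructed sample data using the post's Homer Simpson answers.
    rec = enroll_answer("What was your first dog’s name?", "Santa’s Little Helper")
    print(verify_answer(rec, "santa’s  little helper"))  # True
    print(verify_answer(rec, "Rex"))                      # False
```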

SecureITsource is an authorized reseller and professional services partner with the industry’s leading Identity & Access Management solution providers. Our team of experienced consultants helps our clients achieve their IAM goals by providing strategy, design, and engineering expertise.

Visit our website at http://www.secureitsource.com

[1] Kossman, Sienna. (2014, March 13) Familiar fraud: When family and friends steal your identity. Retrieved from http://www.creditcards.com/credit-card-news/familiar_fraud-damage-1282.php