We’ve all done it- filled out a casual quiz on social media, or answered silly questions which, thinking about it, might be answers to those security questions they ask when you login… Let’s have a look at the reason behind security questions, and then ask ourselves: how can we remember all of this?
How tempted do you get when people share a personality test on Facebook, asking for your high school mascot or the name of your favorite food? It could look like a simple quiz, but you are at risk of exposing your personal information. What you may not realize is that these are the questions commonly used as security questions as part of the password reset policy at your workplace or personal accounts. The Plymouth Police Department shared this post asking people not to share their personal information on social media.
During the Yahoo credential hack in 2016 where at least 500 million of its users personal data was compromised, the data was not limited to hashed password and email addresses but also the security questions and answers that victims had chosen as a backup while trying to reset their password. This information is usually personal to the victim and is used across applications that the victim connects to on a daily basis. So, with any of that information being exposed, you are at risk connecting to other websites outside the Yahoo domain.
According to the Verizon 2021 Data breach investigations report, stolen credentials are usually the first threat vector to connect to the victim’s machine. Using this information, a hacker can send phishing emails and thus deploy malware in order to exfiltrate the victim’s machine. Most of the ransomware attacks that we read about in the news start with one vulnerable system that is under attack, which is then used to exploit the company’s information, often outright stealing or encrypting it.
If you ask the Security Professionals today, they will tell you that security questions should be abolished, or at least have a timed expiry date. Just as passwords can be set to have an expiry date, security questions must also be subjected to the same process: one where the user can periodically change the security questions and answers. But, until something like this is implemented, how does one make sure that the answers to their security questions remain intact? Just like you should have unique passwords across different applications, one cannot have unique security answers to questions across different applications. We cannot expect our brains to retain all this information.
However, there is one trick that security professionals share, with respect to answering the security questions. Instead of answering the questions with your personal information, answer them on behalf of a person. This person could be your favorite celebrity, favorite superhero, your idol, or your favorite TV star. For example, say your favorite superhero is Spiderman- Peter Parker; Answer the questions keeping this hero in mind and if he is your favorite, you would definitely know answers to questions like his mother’s name, his hometown, the name of his high school etc. But make sure that you do not share this character with anyone. Also, another best practice is if your organization provides you the option to choose a security question, restrict yourself from choosing simple questions like favorite ice cream flavor, name of your pet, favorite food etc. Because with ice cream flavors, you could always have 3 primary flavors that come to one’s mind while choosing the answer.
We know for a fact that we cannot completely restrict ourselves from sharing our personal information on social media but let’s make sure that we are not voluntarily sharing private information about our past, presently on the internet. Until we have better processes, such as passwordless authentication which is used globally, let’s refrain from answering the personality quiz or random quizzes that appear on the social media wall.
Need a little help finding out where to start on your security journey? Check out Idenhaus’ resources here. Want to chat about creating a better security and IAM plan? We can also do that – just contact us today.