
By Dave Moore, CISSP

07/10/2022

When you create an account on a website, many times you are required to set up so-called “security” questions and answers — where was your grandmother born, what’s your mother’s maiden name, where did you go to school, and so on.

Problems arise, though, when people give truthful answers to these questions, because they are giving answers that can be known by other people, or can be learned by some simple Web searching.

The way it works is this: your account provider records your answers to a set of questions, and if anything goes wrong with the account, it asks you to answer those same questions in order to “authenticate” yourself. Answering the security questions is a way of proving to the account provider that you are who you say you are. Once you do that, you can regain control of the account.

That sounds like a great idea, but what if someone else knows or can find out the answers to your security questions?

This has been a problem for quite some time. Many celebrities have gotten in trouble because the answers to their security questions were common knowledge. For just one example, let’s examine what happened to Hollywood superstar Jennifer Lawrence.

Jennifer Lawrence’s iCloud account was hacked because some smarty-pants hacker guessed her security questions. If you know anything about Apple iCloud accounts, you know they can include all your Documents, your email, and, most dangerously, in Ms. Lawrence’s case, her personal photos, which included photos she did not intend for the rest of the world to see.

The problem is, there could be other people out there who know the answers to your security questions. In the case of Jennifer Lawrence, with her status as a big-shot celebrity, every single detail of her life, from birth to the present day, has been investigated, scrutinized, picked apart and recorded for the public record. But, not knowing any better, the naïve Ms. Lawrence gave truthful answers to her security questions.

This meant all Mr. Hacker had to do was go to the iCloud sign-in page and put in her Apple ID, something that is often easy to figure out, because most folks use some sort of email address. Next, the bad guy clicked the “Forgot Apple ID or password” link and started answering her security questions. The answers to the questions were easy-peasy to find out for someone like Jennifer Lawrence. What was the first car she owned? Look it up! Who was her first teacher? What was her first job? Do a Google search; it’s all on the Internet for someone like her.

How easy would it be for someone to find out the answers to your security questions? I’ll bet Jennifer wishes she had used fake answers to those questions, and that’s what I recommend to you: use fake answers. Don’t use answers to security questions that anybody in the world could know.

Give fake answers to security questions such as “Where did you meet your spouse?” Answer: “Vacuum cleaner.” What was the name of your dog? Answer: “Cheeseburger.” Don’t use anything that is public knowledge, that your kids or friends know, or that can be found on Facebook.

I often see people’s Facebook pages that literally have all the answers to their security questions, right there for the world to see. Hi – this is my Facebook page; here’s my full name, address, email and phone number. Here are the names of all my kids, where my kids go to school, the names of their pediatricians, my favorite hobbies, foods, where I met my spouse, my grandfather’s middle name, my dog’s name, and the list goes on and on.

As if that wasn’t enough, some folks will add other details like, “and my favorite hobby is shopping, and you’ll find me at the mall every Sunday between two and four o’clock.” Great.
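As an added illustration of the advice above (this is example code, not part of the original column), the following Python treats recovery answers the way a password manager treats passwords: it generates random fake answers, estimates how much guessing they force on an attacker, and flags answers that merely repeat facts already posted on a public profile. The wordlist, the questions and the profile facts are constructed for the example; a real deployment would use a much larger wordlist.

```python
import math
import secrets

# Constructed wordlist: a real deployment would draw from a large list such as
# the EFF diceware words; this short one only keeps the example self-contained.
WORDLIST = [
    "vacuum", "cheeseburger", "lantern", "granite", "pelican", "saffron",
    "trombone", "glacier", "mustard", "compass", "velvet", "harbor",
    "walnut", "origami", "tundra", "biscuit",
]

QUESTIONS = [
    "Where did you meet your spouse?",
    "What was the name of your first dog?",
    "What was the first car you owned?",
]

# Constructed facts of the kind people post on a public profile.
PUBLIC_PROFILE = {"hometown": "Tulsa", "dog": "Rex", "first car": "Honda Civic"}


def fake_answer(words=3, wordlist=WORDLIST):
    """An answer no web search can turn up: random words plus two random
    digits, so it still passes the usual 'letters and numbers' form rules."""
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    return f"{' '.join(chosen)} {secrets.randbelow(100):02d}"


def answer_entropy_bits(words=3, wordlist=WORDLIST):
    """Bits an attacker must guess even if they know the wordlist and the
    construction (but not the random picks)."""
    return words * math.log2(len(wordlist)) + math.log2(100)


def build_recovery_record(questions=QUESTIONS, words=3):
    """Pair each question with a fresh fake answer; store the result in a
    password manager next to the account's password."""
    return {q: fake_answer(words) for q in questions}


def guessable_from_profile(answers, profile=PUBLIC_PROFILE):
    """Questions whose answer (case-insensitive) is already published as a
    profile fact, i.e. the 'all the answers on the Facebook page' problem."""
    published = {str(v).strip().lower() for v in profile.values()}
    return [q for q, a in answers.items() if a.strip().lower() in published]
```

With the 16-word list, each generated answer carries about 18.6 bits of entropy; with a few thousand words it is well beyond anything a recovery form's guess limits would allow.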

Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or internetsafetygroup.org