Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as “What was your first job,” or “What was your first car?” The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to “secret questions” that can be used to unlock access to a host of your online identities and accounts.
I’m willing to bet that a good percentage of regular readers here would never respond — honestly or otherwise — to such questionnaires (except perhaps to chide others for responding). But I thought it was worth mentioning because certain social networks — particularly Facebook — seem positively overrun with these data-harvesting schemes. What’s more, I’m constantly asking friends and family members to stop participating in these quizzes and to stop urging their contacts to do the same.
On the surface, these simple questions may be little more than an attempt at online engagement by otherwise well-meaning companies and individuals. Nevertheless, your answers to these questions may live in perpetuity online, giving identity thieves and scammers ample ammunition to start gaining backdoor access to your various online accounts.
Consider, for example, the following quiz posted to Facebook by San Benito Tire Pros, a tire and auto repair shop in California. It asks Facebook users, “What car did you learn to drive stick shift on?”
I hope this is painfully obvious, but for many people the answer will be the same as to the question, “What was the make and model of your first car?”, which is one of several “secret questions” most commonly used by banks and other companies to let customers reset their passwords or gain access to the account without knowing the password.
Probably the most well-known and common secret question, “what was the name of your first pet,” comes up in a number of Facebook quizzes that, incredibly, thousands of people answer willingly and (apparently) truthfully. When I saw this one I was reminded of this hilarious 2007 Daily Show interview wherein Jon Stewart has Microsoft co-founder Bill Gates on and tries to slyly ask him the name of his first pet.
Womenworking.com asked a variation on this same question of their huge Facebook following and received an impressive number of responses:
Here’s a great one from springchicken.co.uk, an e-commerce site in the United Kingdom. It asks users to publicly state the answer to yet another common secret question: “What street did you grow up on?”
This question, from the Facebook account of Rving.how — a site for owners of recreational vehicles — asks: “What was your first job?” How the answer to this question might possibly relate to RV camping is beyond me, but that didn’t stop people from responding.
The question, “What was your high school mascot” is another common secret question, and yet you can find this one floating around lots of Facebook profiles:
Among the most common secret questions is, “Where did you meet your spouse or partner?” Loads of people like to share this information online as well, it seems:
Here’s another gem from the Womenworking Facebook page. Who hasn’t had to use the next secret question at some point? Answering this truthfully — in a Facebook quiz or on your profile somewhere — is a bad idea.
Do you remember your first grade teacher’s name? Don’t worry, if you forget it after answering this question, Facebook will remember it for you:
I’ve never seen a “what was the first concert you ever saw” secret question, but it is unique as secret questions go and I wouldn’t be surprised if some companies use this one. “What is your favorite band?” is definitely a common secret question, however:
Giving away information about yourself, your likes and preferences, etc., can lead to all kinds of unexpected consequences. This practice may even help turn the tide of elections. Just take the ongoing scandal involving Cambridge Analytica, which reportedly collected data on more than 50 million Facebook users without their consent and then used this information to build behavioral models to target potential voters in various political campaigns.
I hope readers don’t interpret this story as KrebsOnSecurity endorsing secret questions as a valid form of authentication. In fact, I have railed against this practice for years, precisely because the answers often are so easily found using online services and social media profiles.
But if you must patronize a company or service that forces you to select secret questions, I think it’s a really good idea not to answer them truthfully. Just make sure you have a method for remembering your phony answer, in case you forget the lie somewhere down the road.
Many thanks to RonM for assistance with this post.
I think you have it backwards, here.
Instead of urging people to NOT reveal details about their life such as their first pet’s name, you should urge them to answer all password reset questions with at the very least irrelevant answers, or a password reset password.
What’s broken is the password reset system. It should not be asking for things you know, that you may have shared with others. Ideally you’d use devices you own together with a passcode or biometric id on the device. Of course you trust your device but you have to trust the user agent you’re using anyway.
Perhaps you should read the entire story.
> Perhaps you should read the entire story.
Perhaps you should’ve written it differently.
People on the web read headlines. Then sub-headings. Bold text and links. First bits of paragraphs. They look at images.
Know your medium. This is the web. You’re not writing a novel. It’s a near guarantee only a tiny percentage will read every word.
Also, your article will often get shared for its title. Some people won’t even ever open the article before resharing because they agree.
The comment on your piece was valid in that you didn’t convey your thoughts clearly enough. Next time, perhaps put in a headline about how secret questions are the real problem, so people will catch it even when scanning its content.
Having said all of that; I think the article is really interesting and I hadn’t thought of any of this, so thanks for highlighting it. Made me wiser.
I read full web articles. If people don’t like to then they’re not qualified to comment. They can take their 140 character attention span somewhere else and leave the forum for the tiny percentage of people I actually want to hear from.
Perhaps people should read the web as they would read a good book.
Dirk, you’re part of the clickbait problem if you defend the “headline readers” who feel qualified to leave a comment, spreading their useless misinformation. I have no time for headline readers and “first paragraph” readers who think they know everything.
As someone said above, don’t comment if you are not prepared to read a short article.
Ebay is guilty of demanding secret questions/answers, although it can be skipped it’s not straightforward how to skip. It’s amazing that these personal questions are still in use. As others have pointed out, the best approach is to enter an unrelated “password” as the answer to the question. Inconvenient but smarter than providing a truthful answer.
Brian could have the clickbaitiest article titles in the world, and people would still read the posts end to end: it’s not like this is some 2-bit tips blog: hundreds of thousands of active readers.
Mate if you wanna look at pictures and read headlines go back to BuzzFeed.. Not that hard to read an article.
Hi. I read full web articles.
Sometimes I even read down into the comments to respond to silliness like this.
Thanks for the nice compliment and for your feedback. I realize that plenty of people read stories like the ones here just like you describe, skimming a sentence here or there, looking at the pictures, and then either going away or leaving a comment based on 10 seconds of reading.
I like to think that I know my medium pretty well, having built a living around this tiny little site, and you know what? I’ve found that people come here for the exact opposite reason you suggest: Which is that I try to communicate complex topics very simply through stories that are relatable by a broad spectrum of readers with a broad spectrum of knowledge, and very often that storytelling involves details that require my not assuming my readers have certain knowledge. Maybe some do, and some don’t.
But with all due respect, if you just want headlines and summaries, that’s what RSS is for (although, in fairness, my RSS feed is — as a consequence of reader feedback — full text, not summaries). There’s a reason that right under the banner of KrebsOnSecurity at the top of this page it says, “In-depth news and investigation.” If you want shallow news and investigation, the internet is replete with these wading pools.
I appreciate what you do, Brian. Thank you.
What you do is good, Brian.
It seems the person forgot YOUR audience.
Most of the time I take what you write, reformat it in a way so the layperson and the people I look after as a SysAdmin will understand it and pass it on.
I can assure you the information you give on your blog is highly appreciated.
How should he have written it differently? In another language? Maybe backwards or without spaces?
Sorry I didn’t read beyond the first sentence of your comment so I just wanted to get some clarity.
I read full articles … sometimes.
Most of the time I just skim to see if I should read it or not.
I didn’t notice the other part of the problem in the article until Gregory Magarshak’s comment and Brian’s reply.
It wouldn’t hurt to add a header or separator for the other part of the problem.
And personally, I didn’t see the point of the pictures in that particular article, but that’s just me.
Dirk, do you even know how to read? If you are just skimming, well then, you will only glean, maybe 60% of the information in articles! So what if you can read fast!!! The devil is in the details! Critical thinkers are disappearing on this planet. I believe Mr. Krebs did due diligence with this article!
Interesting how some random guy decides his solution is the best and then degrades the author – ***h**e
I found the article to be well written and very informative for so many that fall into common traps out there without ever even thinking about it. The reality is that people give way too much information about themselves that leads to compromising their digital and actual life. Given that fact and the fact that mobile devices are compromised all the time we really need to come up with better security solutions. Biometrics are great but they too can be hacked fairly easily. There are very few bullet proof solutions out there and the ones that are hardened tend to introduce user complexities that people just won’t tolerate. I like the remote wipe data breach protection solutions like http://www.drivestrike.com as well as the native ones that are supported most devices. Again it ends up being a balance between user convenience to access their data and the level of security you need to protect your data.
A walled garden approach tends to be best, high wall that is heavily defended but once you’re in you’re in and free to do whatever. I guess most people don’t fully understand that you are only as safe as your credentials.
Dirk, you are a moron.
This is ugly.
Yes, your reader should have caught the bit at the end. But I can see why he skipped over the conclusion, considering the body of this article is snark with pretty pictures.
I think it a bit mean-spirited to cut him down with an RTFM and rally off of a weird influx of cult bandwagoneers to toot your horn, considering you both agree on the same darn thing. “my little site” please.
Nobody is required to read an entertainment piece in full. A good reader will skip past the fluff and get to the good stuff. Maybe they miss it though. Not all of our articles are white paper worthy.
I want more people to read your work. I have been telling my friends about this problem for years. So please, respect your readership, and have some humility. They want to engage with you.
Thanks for the feedback. I guess I get tired of reading comments like the one that started this thread when I work hard to be as thorough as possible in my stories and to include a breadth of information, tips and suggestions, and when the information the commenter said wasn’t in the story was actually in the story.
More to the point, this story was aimed at changing the behavior of users, not of companies. As I said in the piece, I’ve railed countless times against companies for forcing their users to pick secret questions in the first place, and I can point to probably a dozen stories over the years where I’ve called companies out by name for just this practice.
The reason the story isn’t about how companies shouldn’t use secret questions is that they’re going to whether consumers want them to or not, as evidenced by the fact that countless companies still do. Also, many people are exposed because they forget that they set up accounts this way, and there’s often no easy way for them to tell if those secret questions are still used.
Absent any movement on a guilty company’s part to change that practice, it falls to users to be a lot more judicious about what information they put online. This is something they can change on their own. The other isn’t. Hence, why the story is about changing user behavior, and why the gripe about companies still relying on secret questions is at the bottom. We can justifiably gripe about ill-conceived corporate policies that effectively “blame the user” until we’re blue in the face, but the main thing that matters is that end users don’t play along with this foolishness, and more importantly don’t enable bad people who would abuse this unfortunate reality.
Brian you are doing a great job and I love coming back to your site and reading each and every one of your articles. Keep up the good work!!
And yes after reading some of the comments above it’s obvious that not everyone can be expected to be appreciative of the efforts you are putting in to raise cyber awareness and make the Internet a safer place, but hey there are way more of us who wait for your next article and also direct a lot of people to your site. Thanks Brian!
Brian – great job with the article! Sure there are a lot of pictures but they are relevant and help tell the story. Sheeple tend to get caught up in answering questions to things they don’t consider as a threat and in the end get screwed. Thanks for the article – well written – thoughtful – complete…
I agree with your position that secret questions are dangerous, and the solution for consumers is to give answers that aren’t truthful or are unrelated to the question. What I would like to hear, from you and from your readers, is what ideas do people have for a good alternative. I have been faced with an organization losing control of its website because the person who knew the password was gone and the hosting company either didn’t have a procedure for regaining access in that situation or the customer service people didn’t know the procedure. What can be done to establish the identity/authority of an account owner while maintaining security?
Hey Brian, at least the guy read something. Kind of. 🙂
Most of my users are apparently incapable of reading even short pithy sentences in a FAQ. So much so, I’m about convinced if you have a FAQ at all, you end up with more ridiculous questions than with none at all.
And if some people thought that your response was ugly… HAHAHA! They don’t want to know what I say. 😉
Anyway, long time reader. Keep up the great work! 😀
I always tell people to go to https://www.familytreenow.com/optout and remove their name and their family members’ names.
It claims to be a free genealogical database that conveniently provides the addresses of ALL the places a person has lived. Those questions are often used as security questions for financial entities that have access to credit reports.
It was in the news about two years ago, but the focus was on concern that cops had that people they arrested could find the cop’s home addresses.
Thank you so much for alerting us to the family tree opt out… I could not believe how much personal info was listed under my name.
The problem with these “opt out” choices is that you inadvertently confirm or disconfirm their records. What guarantees do these data harvesting sites give to us “users” that they will not continue to use or sell that information?
I don’t trust that opt out process on that Family Tree site. Be careful.
That genealogy site is scary. It’s bad enough they have information on ordinary citizens, but they even have private information on the President. Like him or not, that’s plain irresponsible.
Even worse are the intimidating questions, at a check out station at a store: What is your phone number? What is your zip code? People can’t blather out the answers fast enough! NONE of those questions has anything to do with completing the purchase transaction!!! I usually simply reply, “no.” If I am challenged by the clerk, who is only following her instructed job procedures, I repeat nothing more than “no.”
One time I got into it with manager who was called over. I stated that they needed NONE of that information for us to complete business with each other. She insisted. So did I. I said I could easily buy my items elsewhere and not be harassed, which is what I did. I parted by saying, change your policies. And if you have nothing to do with making the policies, pass the message on to those who do!
Some stores no longer force the issue, but I still hear people freely rattle off personal information, as if it is against the law to refuse, as if they immediately will be incarcerated for refusal — Go to jail. Go immediately to jail. Do not pass go. Do not collect . . . . . . .
Collecting demographics and marketing data is WAY out of control! We must stop this!
i use the slightly more polite, “no thank you”
Years ago, we attempted to buy several iPhones with cash from Nebraska Furniture. When I refused to provide a phone number, it escalated into a 10 minute claw up the hierarchy there. Ultimately we left without buying anything….but soon after fired off a snail mail letter to their CEO.
Turns out those robots were wrong. They could have collected that purchase….just didn’t know their job. We’ve never gone back, will never go back.
Find the level of social “compliance” frightening these days. Fear that the only reason we haven’t yet seen cannibalism on demand is because these “dear leaders” never passed out the forks.
We’re as low-key a party as a retailer will ever get. Low maintenance. Always have our order ready with cash….with near-nonexistent returns. Begs the question: Who is hiring these marketing “geniuses” to drive away customers? Do their stockholders know?
Just wait. Forks come eventually. It is a common theme in declined+fallen empires. Consider that Swift’s “modest proposal” came when Irish were being sold as an inferior species of human/great-ape.
Under these circumstances I often just give a false phone number.
I use my old landline phone number which was disconnected several years ago.
Another trick that has worked well for me is purchasing a cheap flip phone with prepaid minutes from a company like Tracfone. I buy the phone in one place and then pay for my minutes in cash somewhere else. This is the phone number I give to exes or ex-friends when I run into them in some public place and they want to get in touch with me in the future. I think the TracFone service ends up costing me around eight dollars a month and I pay for it in three or six month increments.
Ha ha I also give it to collection agencies. Need to call me? Here you go here’s my number
I was affected by the Equifax breach. Since then, I’ve been removing myself from public data websites which is very very hard to do. Everyone has different opt out procedures (if they work). It’s very time consuming. And, the opt out only lasts a few months.
There are hundreds of public data sites, many of them foreign owned. There were 3 that had opt-out instructions that did not work. I ended up filing BBB and FTC complaints with them. I was successful with 2. I’m pursuing the last one thru my state’s attorney office for consumer complaints.
I like the last paragraph best. Instead of answering with an obvious answer, I answer with something RELATED to the obvious answer, and I keep a record when a site requires these answers… For example, instead of answering “67 Dodge Dart”, I would use something like “dartboard”, or “bullseye”, or the nickname my brother gave the car. (btw, I’ve never driven a Dodge Dart…) =D
That’s a clever trick, using the real make and model as a “fake example” to “narrow down” people’s search space 😉
I kinda feel like- if you’re using a good encrypted password safe- how related or unrelated your answers to KBA don’t matter much.
You just have to note it alongside the other details for the account and of course keep the file itself safe.
Your “answer” could be a random string of letters and numbers, spat out by a password generator. It could also be a lot LONGER than most orgs will let you create for a password, since the “answer” format is built for at least a sentence worth of text.
As long as you can call it back when you need it, your answer could be anything.
And if of course you can opt out of KBA, that’s for the best- but as Brian and others have pointed out, sites and orgs still frequently make it a requirement. In some fairness because it’s a familiar pattern for their users and they see no reason to change it.
I’ve seen ‘What was your first concert?’ as a password recovery question on quite a few sites.
Still waiting for a quiz with a “what’s your mother’s maiden name”
That’s almost as bad as the two I had on my Bank’s demanded p/w reset:
What are the last 5 digits of your favorite Frequent Flyer card?
What are the last 5 digits of your favorite credit card?
Oh .. and don’t forget:
What are the last 5 digits of your Student ID card?
What was the name of your favorite childhood toy?
And then the Bank brags about their security …
My first pet was a dinosaur. It was all good until one day he tried to eat my aunt. Long story short I miss him.
The problem here is that the people reading your missive are not the people who answer these things.
In the future when I see these, my comment will be a link to your article.
“What is your maiden name?”
My password manager responds:
“What is your favorite pet?”
My password manager responds:
Either you fluffed the punchline, or your Password Manager needs a little entropy added 🙂
True, but still better than a fact.
An interesting view on it. I must admit I do not enter these quizzes or even like/share them. What did amaze me though was when I used to run them for a pets page I had on FB just how much people are willing to share about themselves….
So, who was your first sexual partner?
A few weeks ago I received a phone call that I let go to voicemail. It was a person reading from a script saying that Mr xxxx had a claim against him and he needed to return the call, gave a case number and phone number. No details about the organization calling. There were several things that surprised me a little. While I am related to Mr xxxx, I legally changed my name thirty years ago and I have not talked to Mr xxxx in twenty-five years. My phone number is registered to my spouse on a family plan.
I have no presence on social media. Yet this debt collector (or scammer) was able to use available aggregating databases to track me down as a relative of Mr xxxx.
There may not be anything nefarious. Mr. XXX may simply have given your information when applying for a car loan or the like.
Personal security questions appear here to stay.
1. Use a random Wikipedia article or two at https://en.wikipedia.org/wiki/Special:Random#/random to answer each question.
2. Save the random answers as passwords in your password manager in a section beneath the username/password entry.
Really liked this article, Brian. It’s unfortunate that people like to diss it instead of trying to understand the concept being conveyed. No article is perfect, but definitely doesn’t mean they lack value.
I’m just curious as to the community’s view on answering these quizzes, but incorrectly.
Isn’t data feed poisoning more useful than a known blank spot?
I must be the odd duck where I read every word of an article before I even think of sharing it with anyone, and I will share this one as it backed up my chiding of friends who forward those ‘questions’.
This is my #2 internet pet peeve.
#1 is forwarding of stories that haven’t been ‘snoped’
Very well written article!
The questions are frustrating. I tried using a password to use for all my answers, but some of them deny the entry if it has a special character. Another site asked for a name of a person for a certain event and the name was very short, and was denied because it was not enough characters. So, the system is just broken from my point of view and I agree with Brian on this article. Great information.
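As an added example (not from the article or any commenter), here is a Python sketch of the approach several commenters describe: generate an answer that is unrelated to the question, make it fit the site's answer rules (the letters-only and minimum-length rejections mentioned above, and longer than a typical password), and keep it in the account record so it can be recalled. `AnswerPolicy` and `Vault` are assumed names for illustration, not any real password manager's API.

```python
import secrets
import string
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AnswerPolicy:
    """Constraints a site imposes on secret-question answers (assumed values;
    real sites vary, and some reject punctuation or very short answers)."""
    min_len: int = 8
    max_len: int = 64
    letters_only: bool = False   # True: the site rejects digits and symbols


def allowed_alphabet(policy: AnswerPolicy) -> str:
    """Character set a random answer may draw from under this policy.
    Punctuation is never used, since some sites reject it outright."""
    alphabet = string.ascii_letters
    if not policy.letters_only:
        alphabet += string.digits
    return alphabet


def validate(answer: str, policy: AnswerPolicy) -> bool:
    """True if the site would accept this answer under the policy."""
    alphabet = set(allowed_alphabet(policy))
    return (policy.min_len <= len(answer) <= policy.max_len
            and all(ch in alphabet for ch in answer))


def random_answer(policy: AnswerPolicy, target_len: int = 24) -> str:
    """Generate an answer with no relation to the question. The default
    length is longer than most password fields allow, because answer
    fields are usually sized for a sentence of text."""
    if policy.min_len > policy.max_len:
        raise ValueError("policy is unsatisfiable")
    length = min(policy.max_len, max(policy.min_len, target_len))
    alphabet = allowed_alphabet(policy)
    answer = "".join(secrets.choice(alphabet) for _ in range(length))
    assert validate(answer, policy)
    return answer


@dataclass
class Vault:
    """Minimal stand-in for the notes section of a password manager:
    maps (site, question) to the stored answer so it can be recalled."""
    entries: dict = field(default_factory=dict)

    def enroll(self, site: str, question: str, policy: AnswerPolicy) -> str:
        key = (site, question)
        if key in self.entries:     # never silently overwrite a stored answer
            raise KeyError(f"already enrolled: {key}")
        self.entries[key] = random_answer(policy)
        return self.entries[key]

    def recall(self, site: str, question: str) -> str:
        return self.entries[(site, question)]

    def reused(self) -> bool:
        """True if one answer was stored for more than one site/question;
        a reused answer lets a breach at one site unlock another."""
        answers = list(self.entries.values())
        return len(answers) != len(set(answers))


if __name__ == "__main__":
    vault = Vault()
    bank = AnswerPolicy(min_len=10, max_len=30, letters_only=True)
    print(vault.enroll("example-bank", "first car", bank))
    print(vault.enroll("example-bank", "first pet", AnswerPolicy()))
    print("reused:", vault.reused())
```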
I hope you don’t mind that I’m spamming every one of these posts that show up on my FB feed with the link to this article now. You’ve articulated this issue better than I have even been able to explain it in a FB comment. 🙂
This doesn’t worry me. My bank and credit cards have sophisticated authentication procedures that include trick questions for verification.
Thank You! you are a really good blogger, I like your articles.
I NEVER read the entire article/ story/ piece/etc. and I am able to glean from the little bit I do read pretty much the entire subject with all the little things many people miss, with about a frequency of ≈90%. And honestly, it is, at its core, raw discrimination towards the people who do like ketchup/catsup on their hotdogs. LOL Sorry, just a little nod that is loaded with contempt towards the knuckleheads >cough-coughdirkcough-cough< who only skim stories on a website that has a super high percentage of stories that are chock full of substance written by people who are-wait for it-very likely to write their next article with extra meaty proportions, as well! Here's the middle, so we gotta pander–"DOWN WITH MUSTARD!" she screamed, running at me with a KETCHUP BOTTLE…WITH THE FLIP-TOP WIDE OPEN! Then, to my utter surprise, she–okay sorry about that. Where was I? Right. Brian, I was honestly blown away. I am VERY grateful to you for sharing your important and relevant knowledge. And, I am willing to bet that you have already saved and will continue to save a lot of people (hopefully even those who are not clever enough to gather from the title alone the value of an article like this one), a boat-load of money. Okay, okayyy I think maybe you could have worded the title a little tiny bit better. What if, oops, hang on, gotta add some cover: http://www.myhotdog_mycondiment.com okay, so what if you had this as a title 'I am Going to Take Your Money!' and as a sub-title, 'And You Will Be to Blame!'? No, I would not change a thing, but part of it technically would be true. If they don't want to follow your sound advice, then they WOULD/COULD lose a lot of money. Now we have to figure out how to get the money to YOU. I, for one, think you should at least get a percentage of money that you DID warn them about. Is it your fault that they chose to skim the money-saving advice? Nope. So, I am grateful for the great information you gave us. Thank You, Brian.
I WILL END THIS RANT WITH THE FACT THAT KETCHUP IS EEEEVVIILLLL! EVIL, I TELL YOU! LONG LIVE MUSTARD!
Great post. Should share this off with others. I know a lot of family members that need to read this.
Great work as always!
There is another aspect to this “Big Data Net Phishing” business. Even if you have a minimal internet presence, and try as you might to keep your identity private, your identity appears in the contacts, comments, places visited, last names, etc. of your family, friends and acquaintances. For example, you might be able to guess my answer to “what is your mother’s maiden name” from the simple fact that the most common last name of the group of people who regularly use my email address, or even who have it in their contacts list, is “Jingleheimerschmidt”. Think about that. Even if you are very careful about maintaining security, in the world of big data, your clan might give bits of your identity away inadvertently just through their individual association with you.
“What was the first concert you saw?” is one of the secret questions on the Franchise Tax Board (California) website.
This exact topic came up in a discussion earlier today. I understand the reasoning; ask questions that only a handful of close people might know the answer to. That way we are protected in the area of not writing down our passwords. Yet this is evidently not the best choice.
Although I don’t respond to those posts on social media, I have absolutely answered the canned drop-down menu questions many times. However I did notice an organization I deal with took steps several months back to initiate a forced password reset. It supplied blank question and answer spaces. Whereas I initially thought that might be a good idea, I am certainly questioning it now.
I am new to cybersecurity. It is a mandatory class I am taking as a requirement for my concentration. It has been fascinating so far. Your blogs have been a great source of information as well. Especially for my beginner brain. Thanks for sharing!
AOL uses the concert one as an SQ, regardless it’s really dumb to answer these on a public SM account, but looking into the owner of the Good Old Days Facebook account would be a very interesting exposé in its own right
Dear Brian, I read the entire article and found it to be a good read with valuable information. I have found the comments on the article to be most entertaining. That’s the meat and veg right there. hahaha.
Holy crap! You really hit the nail on the head with your analysis. Doubt anything will come of it, though. Most of the users commenting on such posts are Facebook mums and teenagers for whom security is a non-issue.