Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as “What was your first job,” or “What was your first car?” The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to “secret questions” that can be used to unlock access to a host of your online identities and accounts.
I’m willing to bet that a good percentage of regular readers here would never respond — honestly or otherwise — to such questionnaires (except perhaps to chide others for responding). But I thought it was worth mentioning because certain social networks — particularly Facebook — seem positively overrun with these data-harvesting schemes. What’s more, I’m constantly asking friends and family members to stop participating in these quizzes and to stop urging their contacts to do the same.
On the surface, these simple questions may be little more than an attempt at online engagement by otherwise well-meaning companies and individuals. Nevertheless, your answers to these questions may live in perpetuity online, giving identity thieves and scammers ample ammunition to start gaining backdoor access to your various online accounts.
Consider, for example, the following quiz posted to Facebook by San Benito Tire Pros, a tire and auto repair shop in California. It asks Facebook users, “What car did you learn to drive stick shift on?”
I hope this is painfully obvious, but for many people the answer will be the same as to the question, “What was the make and model of your first car?”, which is one of several “secret questions” most commonly used by banks and other companies to let customers reset their passwords or gain access to the account without knowing the password.
Probably the most well-known and common secret question, “what was the name of your first pet,” comes up in a number of Facebook quizzes that, incredibly, thousands of people answer willingly and (apparently) truthfully. When I saw this one I was reminded of this hilarious 2007 Daily Show interview wherein Jon Stewart has Microsoft co-founder Bill Gates on and tries to slyly ask him the name of his first pet.
Womenworking.com asked a variation on this same question of their huge Facebook following and received an impressive number of responses:
Here’s a great one from springchicken.co.uk, an e-commerce site in the United Kingdom. It asks users to publicly state the answer to yet another common secret question: “What street did you grow up on?”
This question, from the Facebook account of Rving.how — a site for owners of recreational vehicles — asks: “What was your first job?” How the answer to this question might possibly relate to RV camping is beyond me, but that didn’t stop people from responding.
The question, “What was your high school mascot” is another common secret question, and yet you can find this one floating around lots of Facebook profiles:
Among the most common secret questions is, “Where did you meet your spouse or partner?” Loads of people like to share this information online as well, it seems:
Here’s another gem from the Womenworking Facebook page. Who hasn’t had to use the next secret question at some point? Answering this truthfully — in a Facebook quiz or on your profile somewhere — is a bad idea.
Do you remember your first grade teacher’s name? Don’t worry, if you forget it after answering this question, Facebook will remember it for you:
I’ve never seen a “what was the first concert you ever saw” secret question, but it is unique as secret questions go and I wouldn’t be surprised if some companies use this one. “What is your favorite band?” is definitely a common secret question, however:
Giving away information about yourself, your likes and preferences, etc., can lead to all kinds of unexpected consequences. This practice may even help turn the tide of elections. Just take the ongoing scandal involving Cambridge Analytica, which reportedly collected data on more than 50 million Facebook users without their consent and then used this information to build behavioral models to target potential voters in various political campaigns.
I hope readers don’t interpret this story as KrebsOnSecurity endorsing secret questions as a valid form of authentication. In fact, I have railed against this practice for years, precisely because the answers often are so easily found using online services and social media profiles.
But if you must patronize a company or service that forces you to select secret questions, I think it’s a really good idea not to answer them truthfully. Just make sure you have a method for remembering your phony answer, in case you forget the lie somewhere down the road.
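One way to put that advice into practice, as an added example that is not part of the original post: a short Python script that generates an answer unrelated to each secret question, keeps the answer next to the question so the pair can be pasted into a password manager, and checks the answers against facts that may already be public. The word list, the bank name and the "posted facts" are constructed placeholders.

```python
import json
import secrets
import string

# Constructed, deliberately tiny word list for the demo; a real deployment would
# use a large diceware-style list so that word-based answers have enough entropy.
WORDS = ["elephant", "brew", "pretzel", "lantern", "granite", "velvet",
         "saffron", "tundra", "quasar", "meadow", "cobalt", "harbor",
         "walnut", "ember", "glacier", "piston"]

def word_answer(n_words=4, sep="-"):
    """Random answer built from words, so it can still be read out over the phone."""
    return sep.join(secrets.choice(WORDS) for _ in range(n_words))

def string_answer(length=24):
    """Random alphanumeric answer for sites where nobody will ever speak it aloud."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def build_recovery_record(site, questions, phone_readable=True):
    """Pair each prompted question with a fresh answer that has nothing to do with it.

    The returned dict is meant to be pasted into the notes field of the site's
    password-manager entry, which is the "method for remembering the lie".
    """
    make = word_answer if phone_readable else string_answer
    return {"site": site, "answers": {q: make() for q in questions}}

def leaks_truth(record, known_facts):
    """Return the questions whose stored answer equals a fact that is findable
    online (e.g. something already posted in a social-media quiz)."""
    facts = {f.strip().lower() for f in known_facts}
    return [q for q, a in record["answers"].items() if a.strip().lower() in facts]

if __name__ == "__main__":
    bank_questions = ["What was the make and model of your first car?",
                      "What was the name of your first pet?",
                      "What street did you grow up on?"]
    # Constructed sample of what a quiz respondent might have posted publicly.
    posted_facts = ["Honda Civic", "Rufus", "Elm Street"]
    record = build_recovery_record("examplebank.invalid", bank_questions)
    assert not leaks_truth(record, posted_facts)
    print(json.dumps(record, indent=2))
```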
Many thanks to RonM for assistance with this post.
Hi there, thanks for all the great advice. I have had a bank’s security question list include “What was your first concert?” I remember, because it was one that I chose, because I knew that almost no one would know, including the ex-husband. That question is out there as a security question!
Great point that exes (or even people currently involved in your life) also know the answers to these questions a lot of the time.
Thanks for the great work Brian!
I hate the “secret questions”. I think it is appropriate to treat the answer to all such authentication systems as if it is a password. So I use a random string for each answer and save that and the question in a protected file.
That’s fine until you need to read it to someone over the phone.
I try and pick non sequitur answers. For example, for the “high school mascot” question, any sort of animal would be plausible. But a food object, or the name of some distant small city would not.
Don’t be too certain of that. For example, New Berlin, IL is the proud home of the “Pretzels.”
Same for Freeport, IL.
I never answer questions like this on entertainment websites because it always seemed kind of shady to me. As far is answering the questions on a real website like my bank, I will usually name my male relatives something white and Southern like Bubba or Butch precisely because we aren’t white or Southern. At least one security setup has asked for my paternal grandfather’s middle name, and his real middle name was something ethnic and very specific. So I feel like this also protects me against real-life identity thieves who could find the real answer to that question if they knew enough about me or where to look for the information.
I also never use my real pets names as answers to security questions, because I do post pictures of my cats and share their names on a few Facebook pet groups. So I make a point of using friends’ dead pets as my pet’s name for security questions and I might even put the word “dead” in the pet’s name. As in “DeadRufus” or “Rufusthedeaddog.”
I’ve heard that some people put nonsense answers in for the security questions. I mean, why not use a randomized password there?
+1 to JPA, all of my “security questions” are generated strings. I had one banking site that allowed you to make up your own security questions, so my questions were “one? two? three?”, and it was just a numbered list of strings.
AFAIK, all of this started because the US banking industry convinced regulators that “security questions” were an implementation of 2-factor auth.
That works brilliantly, until some genius decides to set a question ‘what is the password’, and the answer is the password that he’s already forgotten and needs to use the security question to re-set!
I treat “secret” questions the same as any password. I provide a strong, randomized string to it and save it in a password vault.
I answer truthfully any quiz
Because I lie at security questions (with nonsensical answers, which are kept in a password manager).
It is looking like FB is the biggest “roach motel” on the internet. Your data checks it but never checks out.
Your birthday! Don’t advertise your birthday on social media. How often are you asked for that by your bank or your credit card issuer? It’s also pretty much the only piece of personal information you cannot change – you are stuck with it for life and beyond.
Genealogy websites show lots of birthdays.
oh yeah.. epic questions and answers, I still remember a ‘free’ email site that even asked questions like “what is the color of your car”; it was a piece of cake to gain access to some accounts just for fun….
All my secret answers are lies.
I’ve done you one better. Not only are all of my answers lies (like my brother being born in the 1600’s), but on the ones that allow you to create question/answer pairs, my questions look like this:
and the answers probably look like this:
That is the same formula I use; the password manager takes care of the rest.
People need to STOP using Facebook immediately.
Along with Google search and Chrome. I now use Firefox and DuckDuckGo in the hope of reducing companies using my searches for marketing and other purposes.
DuckDuckGo works fine on Chrome too; and it even speeds the browser up – unfortunately it blocks ads on sites that I want to support like Krebs on Security! I haven’t found an exclusion list on it anywhere.
Why, because you don’t have friends around the world you like to keep in touch with?
I’ll keep my FB account. A little common sense, and tech understanding and it’s just fine.
I’m more concerned about the crap in food than my fb account hurting me.
I actually have fun with the secret questions. My first car is always something outlandish, like “Flintstones Car”.
First Jobs have included “Pimp”, “Contract Assassin”, and “Free-lance Fehdreyer”.
Even funnier are the ones that want your title and employer to register. I had fun with that well over a decade ago, and STILL get a mailing addressed to me as the Grand Imperial Poobah, at the Loyal Order of Water Buffalo. Even got calls asking for that. . .
Couldn’t see the Jon Stewart interview with Bill Gates in the usual way – got the message: The video is not available from your location (which is Europe). Could only see it using Opera’s VPN – but then it stopped every few seconds before continuing…
I, too, use randomized strings for answers to security questions. Have been for years. They are generated and stored in the same password manager as the rest of my hundreds of passwords (1password for a long time, now Enpass). When I have to create my own question, it’s something like “40 character randomly generated string?” so if anyone ever does come across it, all they will be able to do is sigh and move on.
That’s so courteous to hackers!
I’m constantly amazed by the number of sites, even financial institutions that ignore NIST recommendations (why don’t US companies follow US guidelines?).
From NIST SP800-63b (published June 2017):
Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets
Of course, it also tells people not to restrict password length unduly, restrict character set, or specify content (must contain a digit …) but it seems nobody is yet listening as many of my near-random passwords are rejected as not being compliant?! (don’t even get me started about forced password expiration without a security breach!)
Until they become compliant, take Jim Olson’s advice above and lie, ideally just make up nonsense responses that don’t match the question.
What is your favourite colour? elephant-brew
(apologies if you don’t get the name reference, it’s a gag from a UK sitcom called Dad’s Army 🙂
“Good Old Days”, “Auntie Acid”, “RV Camping”, “SpringChicken”? These all sound like FB pages that would have an older user base. Sounds like some pretty well-planned, targeted fishing to me.
David, those names make me think the accounts are owned by scammers or data collectors and they are targeting older Facebook users. Because who else wants that information?
Older users would be less technologically aware, and easier to dupe.
Most every password manager (mine’s Lastpass) has a ‘Remarks’ section on every password record. I use the password generation routine in the manager to create a random password to answer each question, then copy/paste the question and answer in the remarks.
Lucky thing for me I use KeePass to generate dog names. Though it does take a while to get them to answer to xgHpaR9OpfaH
I get it. I never participated in such surveys and I recommend the same to my friends. So, how does the other side of this work? Can you cite examples of a database connecting these answers and other bits of information gathered from various sources? This seems like a massive undertaking with a low success rate.
I’m sorry Brian, but for once I think you’re barking up the wrong tree. This kind of information is not, has never been, and will never be secret. Obviously even less so with the social media craze.
The problem is that banks and others treat these things as secret, when they are not.
Same goes for social security numbers, which can at best be considered an identifier – never a secret.
Sure. And you can probably leave the doors to your house and car unlocked if you live in a nice neighborhood. Do you though?
What is your point? The problem is that the banks etc force you to use a weak lock, where the key is easily stored on social media, because they base their “security” on non-secure information. YOU don’t have a choice because others made a bad design decision.
You have a choice to find a new bank. My bank supplied me with a Verisign 2FA token generator.
I would rather see a PSA that states, don’t answer secret questions with facts. Make up your own answer… so that a twin wouldn’t be able to guess it. It doesn’t even have to be spelled correctly, or be a word.. like a pattern.
As long as you don’t use dates like 14 Oct 1066 or 6 Aug 1945, you should be fine.
As a woman I’m most disturbed by the Womenworking questions. What is that account? Is that a legitimate organization concerned with issues related to working? If it were I doubt they’d be asking about pets or movies. I don’t do Facebook or Twitter or any other social media. I don’t post comments on sites that require me to create an account. I reluctantly have accounts with my bank, credit card providers, utilities, and other necessities. I’m shocked by how freely some people share their personal information and don’t for a moment think “might this be used against me?” or “are the data collectors going to profit from my information?” I wish I could be offline 24×7. I’m old enough to remember days when we didn’t have computers in the home, or cell phones. Let me tell you, we do NOT have it better today.
Excellent, as always.
I shared this one in hope that, with someone else’s point of view, my contacts start listening to this message…
I personally started using strictly false statements for these secret questions a long time ago, so these “tests” would not affect my accounts.
Define a set of answers and keep at it.
Rule #1 of security questions is never give legitimate answers. Just like you have a password for every site, use an electronic wallet and have security questions for every site.
Only give real answers where you absolutely have to (eg: a paper application for a marriage license).
“But if you must patronize a company or service that forces you to select secret questions, I think it’s a really good idea not to answer them truthfully.”
But (for banks)
Some Q’s link back to bank’s anti-fraud processes and for instance lying about your date of birth or place of birth could get your account blocked when it “fails fraud checks”.
– Security Qs are not!
– Talk frankly to your bank about which Qs have to be answered honestly and whether the format of the answer (e.g. dd/mm/yy rather than D d MMMM yyyy) can be part of the “security”.
I’ve only encountered the need to provide legitimate answers to real identity questions when it comes to resetting my forgotten password on a credit card company or banking website.
Regarding someone else’s comments, I also greatly resent and am highly annoyed by the way some websites demand that I reset my password on a regular basis and then the system rejects my new chosen password as insufficient due to security concerns. Many of my chosen passwords in this case involve the use of the ”c-word” in capital letters somewhere in the middle of the password.
There was one website – can’t remember which, where they had a hardcoded list of questions you could choose from, but they also had a hardcoded set of answers that you had to choose from. You could not just pick some random answer – you had to pick from *their* list.
I just shake my head some days. Come to think of it, make that nearly every day.
Worst I encountered was a site that rejected my password because it contained profanity!
That was so egregious that I wrote a nastygram to their CISO pointing out that they should not be able to tell what my password contained.
IIRC it was the USPS site. Haven’t been back there recently to see if it’s still so badly broken.
Very interesting. I deleted my Facebook (most social media) a long time ago so I have not seen this kind of secret question propagation, but man, what an efficient way to make a good dictionary.
I prefer to give them fake answers. Imagine anyone and everyone poisoning these data sets as they’re created.