Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as “What was your first job,” or “What was your first car?” The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to “secret questions” that can be used to unlock access to a host of your online identities and accounts.
I’m willing to bet that a good percentage of regular readers here would never respond — honestly or otherwise — to such questionnaires (except perhaps to chide others for responding). But I thought it was worth mentioning because certain social networks — particularly Facebook — seem positively overrun with these data-harvesting schemes. What’s more, I’m constantly asking friends and family members to stop participating in these quizzes and to stop urging their contacts to do the same.
On the surface, these simple questions may be little more than an attempt at online engagement by otherwise well-meaning companies and individuals. Nevertheless, your answers to these questions may live in perpetuity online, giving identity thieves and scammers ample ammunition to start gaining backdoor access to your various online accounts.
Consider, for example, the following quiz posted to Facebook by San Benito Tire Pros, a tire and auto repair shop in California. It asks Facebook users, “What car did you learn to drive stick shift on?”
I hope this is painfully obvious, but for many people the answer will be the same as to the question, “What was the make and model of your first car?”, which is one of several “secret questions” most commonly used by banks and other companies to let customers reset their passwords or gain access to the account without knowing the password.
Probably the most well-known and common secret question, “what was the name of your first pet,” comes up in a number of Facebook quizzes that, incredibly, thousands of people answer willingly and (apparently) truthfully. When I saw this one I was reminded of this hilarious 2007 Daily Show interview wherein Jon Stewart has Microsoft co-founder Bill Gates on and tries to slyly ask him the name of his first pet.
Womenworking.com asked a variation on this same question of their huge Facebook following and received an impressive number of responses:
Here’s a great one from springchicken.co.uk, an e-commerce site in the United Kingdom. It asks users to publicly state the answer to yet another common secret question: “What street did you grow up on?”
This question, from the Facebook account of Rving.how — a site for owners of recreational vehicles — asks: “What was your first job?” How the answer to this question might possibly relate to RV camping is beyond me, but that didn’t stop people from responding.
The question, “What was your high school mascot” is another common secret question, and yet you can find this one floating around lots of Facebook profiles:
Among the most common secret questions is, “Where did you meet your spouse or partner?” Loads of people like to share this information online as well, it seems:
Here’s another gem from the Womenworking Facebook page. Who hasn’t had to use the next secret question at some point? Answering this truthfully — in a Facebook quiz or on your profile somewhere — is a bad idea.
Do you remember your first grade teacher’s name? Don’t worry, if you forget it after answering this question, Facebook will remember it for you:
I’ve never seen a “what was the first concert you ever saw” secret question, but it is unique as secret questions go and I wouldn’t be surprised if some companies use this one. “What is your favorite band?” is definitely a common secret question, however:
Giving away information about yourself, your likes and preferences, etc., can lead to all kinds of unexpected consequences. This practice may even help turn the tide of elections. Just take the ongoing scandal involving Cambridge Analytica, which reportedly collected data on more than 50 million Facebook users without their consent and then used this information to build behavioral models to target potential voters in various political campaigns.
I hope readers don’t interpret this story as KrebsOnSecurity endorsing secret questions as a valid form of authentication. In fact, I have railed against this practice for years, precisely because the answers often are so easily found using online services and social media profiles.
But if you must patronize a company or service that forces you to select secret questions, I think it’s a really good idea not to answer them truthfully. Just make sure you have a method for remembering your phony answer, in case you forget the lie somewhere down the road.
Many thanks to RonM for assistance with this post.
Let’s also remember that you are under NO obligation to answer your secret questions honestly nor accurately. Since you are providing the response, why not use the MSU technique (that’s Making Stuff Up)? The only requirement is that YOU remember the response you provided.
Yes. In fact I use my password manager to generate randomized secure answers to these silly secret questions. For example:
Q. What was the name of your first pet?
A. s8dofU LS0alG
Then I can store those answers in the password manager in case I have to answer one.
Be careful, a savvy scammer will social engineer that by saying “Oh, just a random string of letters, it would be pointless to read it out.” …and apparently that works on the customer service reps who have to ask the security questions. Consider storing the answer in your crypto vault but using a couple words and then the gobbledygook. That way the service rep can think it odd that “you” didn’t say the real words.
That’s a good point, but I would worry that the person on the other side doesn’t accept that answer. I prefer to give nonsensical answers or string together three random words.
If you have access to your password manager, why would you need to reset your password or access your account without your password by using your security questions?
There’s only one situation I’ve encountered where this might be useful and that’s with sites that, after you log in from a new computer, ask a security question to verify you’re you. Personally, I prefer getting a texted code for that verification.
My bank asks me my security questions at random when I log in, either because I log in from multiple devices or because their system is weird (the former is a fact, the latter I suspect). So yes, security questions might be relevant even when using a password manager.
This once led to a hilarious conversation when I had to call my bank. The teller asked me one of my security questions, I think it was “what’s the name of your first pet?” I was like “um…er…x3A!O*nkmFx6xu”. She was like “oh that’s an interesting name for a pet.”
“Yes it is, but we usually just call him X.”
You beat me to it Ollie – and the good thing is, that at least on my password vault, the information is encrypted, where probably at a lot of sites they don’t even bother – but at least at my end it is. The other good thing is if the site is hacked they got nothing but junk. Too bad we can’t do the same with credit card details.
Like others that have posted, I Make Things Up (MTU) for each website then use my Password Manager to keep track of my answers for each site.
There is a saying, that ‘only the paranoid think that everyone is out to get them.’ But that was created long before the internet.
Why would I make things up? Anyway, did I ever tell you about my first dog “HeebaiKuareiMouc3Haa” He was something else. Once he went with me to my childhood doctor “eizeem9roow9ahchihai” and it turned out he was invisible, so was my doctor.
uuidgen is your friend. Good luck figuring out the name of my dog hahah.
I have once used the “remember pass” option of my bank, and it showed me secret questions, with 4 options to choose, one of which was mine and the others pregenerated. uuidgen wouldn’t be useful then, as it would be too obvious.
That’s especially annoying to me; one of these presents a list of mailing addresses, one of which is mine. The bad thing is that I get ALL of my mail at a PO box; only one PO box is listed and the other addresses are comically obviously fictitious. The list is always of the form:
1) 1234 Harmony Lane
2) 5678 Main Street
3) 222 S Hudson Ave
4) PO Box 77651
Even if I used my street address, anyone would instantly know which one, since it would be the only one of the form common here in the northwest:
5) 12376 Barker St SW
I’ve seen the “what was the first concert you ever saw” secret question. I can’t recall where, though.
Verizon uses (or used to use) “What is the first live concert you attended?” as one of their security questions.
‘What was the first drug you’ve taken and where?’
It was Verizon. Thanks
Guess I just want to say, this doesn’t address the adults age 18-28 who had many of their firsts in a post-Facebook world. Whose first car may have been posted as a “first car” image somewhere at the time it happened.
Bingo! Joined it when it was brand new and only for college students. In my 30s now. I haven’t posted every single detail of my life, and my profile is private, but I imagine a savvy person could glean a lot of my answers to common security questions if they dived deep enough.
Pretty sure they showed this was wrong nearly ten years ago … https://www.technologyreview.com/s/413505/are-your-secret-questions-too-easily-answered/
yes, but that was before social media started mining them with questions, I think that is the point being made here. Stop answering the questions with real answers.
The fact that this is such a problem serves to indicate that management of social media sites are not aware of how their information can be used. This is only one example. Since the advent of social media, I have chosen not to participate in their data snarfing and emphasis upon the trivial.
Regards,
It’s not that management is unaware, it’s that they do not care.
Or perhaps they do care, but in a perverse way. Consider what knowing your first car might say about your upbringing, environment, attitudes, etc. Cambridge Analytica and other data miners will benefit from knowing such things as how you were raised, what your musical tastes might be, etc.
To them the security impact is merely collateral damage.
Exactly. If you’re not the customer, you’re the product.
Right with ya, Brian. I’ve been going on about this for years.
Online, I call my crusade Project: Manticore. When I see them on FB anymore, I use the word Manticore for all shared responses. “What’s your secret animal?” “Which general are you?” “What fairy creature represents you?” Manticore, mi amici. And I rain on a lot of parades, and hear constantly, “It’s just harmless fun.”
Sigh.
I use oatmeal a lot. Did you know it’s a type of car, as well as a color? 🙂
Just this morning I was wondering how difficult it would be to write an app that would automagically respond to social media quizzes with either random gibberish or perhaps the same answer for everyone. Point being to pollute the data stream severely enough that the utility is destroyed.
I used the corporate HQ of a company I got laid off from and made up a fairly thorough trail of data that leads back to them.
To this day I wonder how much postal mail they get in that name. The spam alone must be tremendous.
However I never use it for security on accounts that matter, just sites that force me to register before I can download software updates and the like. For sites that actually matter I tend to go for nonsensical answers that don’t match anything I’ve used before.
Great article.
Unfortunately, most Facebook users think this is just fun and will provide these details without a second thought. Even when you explain and they understand, in a few weeks you’ll find they are sharing similar posts again!
Sad news is many organizations are still not providing options to use 2FA via SMS or app (including several banks, universities)! When I reached out to a couple of them, they just directed me to their FAQs, which basically say you are protected via secret questions!
So true.
I’ve given up trying to point this out to several of my older cousins, who are always reposting these quizzes on their walls.
Some of those questionnaire posts have big red WOT ratings on them. I warn my friends not to engage in anything like that with a yellow or red rating at least – although I avoid all of them like the plague! (WOT = Web Of Trust)
There’s a reason W.C. Fields once said that a fool and his money were lucky to get together in the first place.
It’s not only about companies using Facebook to harvest such data, but it’s also Facebook itself that does it.
https://dawidbalut.com/2018/03/10/here-is-how-social-medias-ruin-our-security-awareness-programs/
One of the benefits of having a twin who knows everything about you is that even 45 years ago, I lied to banks and mutual funds on their security questions. That was pre-internet and for phone transactions.
I never answered these questions with anything but obvious nonsense.
P.S. Yes I trust my twin. It’s the banks that I don’t trust with the truth.
Agreed Brian, many of us have been concerned about this type of stuff on social media for a while:
https://www.linkedin.com/pulse/20141113194008-20441078-all-you-data-are-belong-to-us
So, this was a Bad Idea?
http://www.markwelchblog.com/2012/05/01/email-forwarding-address-for-mark-welch/
Another great post from Krebs.
My ’64 Fairlane, 289V8 solid lifters, headers, my first stick shift, my first real love (sob!!)
Seems easier to make up answers for those extra security questions and never use your real name online than fib about life events.
But that’s just me. My security questions have randomly generated answers, as much as that is allowed.
After all, we all use password managers, right?
Facebook? Google? Insta-twit-something don’t know my real name directly, though I suppose an interested human could figure it out without much trouble.
Also.. avoid Focus Groups!
If you sign up for those Focus Group companies, you are bombarded with questionnaires to see if you are “eligible.” Lots of personal questions!
Somewhat off topic.
I think the Eagles (classic rock band) were somewhat prescient. They seem to have been referring to Facebook in their song Hotel California: “You can check out any time you like… but you can never leave.”
When it comes to vehicles, I usually answer “a 1979 Password.”
Here is what I do when answering security questions.
Pick 3 or 4 random letters like “HXRK” to add to your security answers.
When a site asks for a security question, enter the real answer, but end it with your standard made-up letters.
Example:
Mother’s maiden name: SmithHXRK
First car: MustangHXRK
This way, you know the answer and other people won’t be able to figure it out by looking at your social history.
Until one of the passwords is revealed, and at this point your scheme is revealed, making it completely useless as a form of security. It’s security through obscurity, sorry.
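The random-answer approach several commenters describe above (a password manager generating the answer; a couple of words plus gobbledygook so a phone rep can read it back) and the critique of the fixed-suffix scheme, as an added Python example that is not from the post or its commenters. The word list is a small constructed sample, and the entropy figures assume the attacker already knows which scheme you use:

```python
import math
import secrets
import string

# Constructed sample word list (a real deployment would load a large
# published list such as the 7,776-word EFF diceware list).
WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garnet",
    "harbor", "island", "jasper", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pebble", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "bramble", "cobalt", "drizzle",
    "fennel", "glacier", "hollow", "juniper",
]
TOKEN_ALPHABET = string.ascii_letters + string.digits


def random_words(n_words: int, wordlist=WORDLIST) -> list:
    """Pick n_words words with a CSPRNG (secrets), independently, with replacement."""
    return [secrets.choice(wordlist) for _ in range(n_words)]


def random_token(length: int, alphabet: str = TOKEN_ALPHABET) -> str:
    """Short random string: the 'gobbledygook' part a rep cannot wave away."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_answer(n_words: int = 3, token_len: int = 6) -> str:
    """Answer of the form 'word word word Xy7Qz2': words are speakable, token is not."""
    return " ".join(random_words(n_words) + [random_token(token_len)])


def answer_bits(n_words: int, wordlist_size: int, token_len: int,
                alphabet_size: int = len(TOKEN_ALPHABET)) -> float:
    """Guessing entropy of make_answer() output when the scheme itself is known."""
    return n_words * math.log2(wordlist_size) + token_len * math.log2(alphabet_size)


def suffix_scheme_bits(suffix_len: int, alphabet_size: int = 26,
                       suffix_leaked: bool = False) -> float:
    """'RealAnswer+HXRK' scheme: the real answer is treated as public (quizzes,
    profiles), so only the suffix counts, and one leak from any site drops it to zero."""
    if suffix_leaked:
        return 0.0
    return suffix_len * math.log2(alphabet_size)


if __name__ == "__main__":
    print("sample answer:", make_answer())
    print(f"3 words from a 7776-word list + 6-char token: {answer_bits(3, 7776, 6):.1f} bits")
    print(f"4-letter fixed suffix, not yet leaked:        {suffix_scheme_bits(4):.1f} bits")
    print(f"4-letter fixed suffix, leaked once:           "
          f"{suffix_scheme_bits(4, suffix_leaked=True):.1f} bits")
```

Store the generated answer in the password manager next to the site entry, as the commenters do; the words exist only so the answer survives being read aloud.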
They won’t be harvesting it from my facebook account. I am Facebook free since 2011.
Back in 1996 when we had hotmail accounts (before MSN took it over), I saw someone pull up a hotmail account called soccerboy and hit the forgot password button. The password question popped up and it was What is your favorite sport? He typed in soccer and the account opened. All four of us laughed hysterically that soccerboy chose a word that was so easy to guess. Of course I told those kids to stop doing that. :rollseyes:
I have read all the comments to date. Many excellent points and ideas.
I do not recall anyone addressing the Hit by a Bus scenario. If you are the one in your household who manages finances, subscriptions, online shopping, etc., how will your household manage if you are hospitalized, disabled, or die?
Will your executor have access to the necessary accounts? What if your residence is destroyed in a fire or natural disaster?
As for password vaults like LastPass, do not assume that
a) your medical condition will allow you to remember the password to your password vault and
b) you will have access to the device(s) that have your password vault app or program.
I’ve set my LastPass Emergency Access up the same day I knew it existed.
I have read postings by individuals that suggest that people use digital Password Managers but then provide the master key to a trusted family member so after death that data can be retrieved.
I never answer those questions truthfully.
Since I already have a password manager open, I use the comments area to take notes and record my answers. Since they’re not truthful I would have a hard time recalling if needed.
First car: Edsel
First pet: Ricky
First manager: Lucy
Also, I use password generator to generate random string for username.
Why the heck are any of you even on facebook? Never had an account, and never will.
Sadly, security questions, challenge questions, password-reset questions and whatever else you want to call them are entrenched in both online, telephone and in-person processes to authenticate people… BAD IDEA. However my advice has been consistent on this, certainly in the online world, and that is to do one simple thing: LIE.
Your first pet may have been Fluffy, but use Rudy
Grew up on Elm Street, then use Green Avenue
Just make sure to be consistent so you don’t forget what you used and of course don’t then go around and tell everyone your answers.
Last thing, change your passwords today since you probably haven’t in a while. While you are fixing your security questions.
Just closed a 40 year old Schwab Brokerage Account because I am not smart or patient enough to deal with their security. At one time my account was Frozen. That was the end.
This includes birthday and birth place in your profile. Keep birth place generic if you really feel the need to share it (Southern California…. Georgia… etc.). For birthday, make yourself 100 years old and use a day that is not your real birthday, but close enough so you can feel good when folks send you nice messages (perhaps a week or so earlier…). Zero reasons to broadcast this info, and your real friends and family know the true info anyway.
The common advice is: don’t share passwords between sites and, as a corollary, don’t share answers to secret questions between sites should be the obvious advice. But with this we have just doubled (or quadrupled, as some websites want you to give responses to 3 secret questions) the cognitive load on users.
Despite the headline, plenty of commenters are providing details around password question tactics right here…
Too many of my Facebook contacts think that any quiz they encounter on social media is harmless – “it’s only Facebook, it’s just a bit of fun”.
Here is how information from those quizzes can be used, even if the quiz is not trying to get you to divulge security-question answers.
“An ad agency exec who met with the company confirmed CubeYou said it mostly collects information through quizzes.”
https://www.cnbc.com/2018/04/08/cubeyou-cambridge-like-app-collected-data-on-millions-from-facebook.html