Your Not-So-Secret Questions
Technology Review, published by MIT, has an article highlighting a personal crusade of mine: your secret questions are not all that secret. I have said many times that most security questions are answered truthfully, and most truthful answers are easily obtained or guessed. The town you grew up in, the high school you attended and your pet’s name are all probably either in public records or on your own profile page somewhere. The chain-letter-type surveys that ask for your first teacher’s name and the street you grew up on in order to give you a “Rock Star” name are often a clever scam to get people to reveal exactly these answers. From there, an attacker only has to click the “I forgot my password” link on your email provider or other websites to gain access to your accounts, profiles, identity and contact list. They may then start contacting people in your address book to scam money or personal information, creating a nightmare of fraudulent activity and impersonation to resolve.
Sarah Palin’s hacker gained access to her account in this way. As a public figure, much about her life was on Wikipedia and other websites, and together those pages provided the answers to her security questions. The lesson here is that our LinkedIn profiles, business contacts and networking efforts may look just as enticing to an identity thief. Researchers from Microsoft and Carnegie Mellon University show that secret questions are typically insecure. “In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study’s participants could guess the correct answers to the participant’s secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.”
More alarming:
The least-secure questions are simple ones whose answers can be guessed with no existing knowledge of the subject, the researchers say. For example, the answers to the questions “What is your favorite town?” and “What is your favorite sports team?” were relatively easy for participants to guess. All told, 30 percent and 57 percent of the correct answers, respectively, appeared in the top-five list of guesses.
But answers that require only a little personal knowledge to guess should also be considered unsafe, the researchers warn. Of people that participants would not trust with their password, 45 percent could still answer a question about where they were born, and 40 percent could correctly give their pet’s name, the researchers found.
Remember, the easier an answer is for you to remember, the easier you make it for others to guess. The most secure method is to create a unique password for each security question, with special characters and numbers, and store it alongside your other passwords rather than memorising it. Realistically, though, most people will sacrifice a little security for convenience, so I have always recommended coming up with your own secret question plan: when asked about your pet, give your best friend’s middle name; when asked about the town you grew up in, always answer with your shoe size; and so on. Bear in mind that a fixed substitution rule is itself a single shared secret: if one site stores answers in plaintext and leaks them, the pattern is exposed everywhere you used it. Even so, this should cut down on the likelihood of a successful attack.
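As an added example (not code from the original post or the cited study), the following Python sketch implements the stronger approach described above, treating every secret answer as a password: it generates a cryptographically random answer per site and question, keeps them keyed the way a password manager would, and quantifies how much harder such an answer is to hit in five guesses than the real answers in the study. The `AnswerVault` class, its field names and the 20-character length are my assumptions, not anything the article specifies.

```python
import json
import math
import secrets
import string
from typing import Dict, Optional, Tuple

# Letters and digits only: many recovery forms reject or silently strip
# punctuation, which would make the stored and accepted answers disagree.
ALPHABET = string.ascii_letters + string.digits
DEFAULT_LENGTH = 20  # assumed length; about 119 bits over a 62-symbol alphabet


def random_answer(length: int = DEFAULT_LENGTH) -> str:
    """Return a cryptographically random answer (uses `secrets`, never `random`)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def guess_success_probability(guesses: int, alphabet_size: int, length: int) -> float:
    """Chance that `guesses` distinct attempts hit a uniformly random answer.

    Compare with the study's figure that five guesses covered 57 percent of
    real 'favorite sports team' answers.
    """
    return guesses / alphabet_size ** length


class AnswerVault:
    """Hypothetical minimal store of per-site, per-question random answers.

    Keys are normalised so that "Where were you born?" and "where were you
    born? " map to the same entry for a given site. Different sites never
    share an answer, so a plaintext leak at one site reveals nothing about
    the rest.
    """

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], str] = {}

    @staticmethod
    def _key(site: str, question: str) -> Tuple[str, str]:
        return site.strip().lower(), " ".join(question.lower().split())

    def enroll(self, site: str, question: str, length: int = DEFAULT_LENGTH) -> str:
        """Create, or return the existing, answer for this site and question."""
        key = self._key(site, question)
        if key not in self._entries:
            self._entries[key] = random_answer(length)
        return self._entries[key]

    def lookup(self, site: str, question: str) -> Optional[str]:
        """Return the stored answer, or None if this question was never enrolled."""
        return self._entries.get(self._key(site, question))

    def export_json(self) -> str:
        """Serialise for storage in an encrypted password-manager note."""
        records = [
            {"site": site, "question": question, "answer": answer}
            for (site, question), answer in sorted(self._entries.items())
        ]
        return json.dumps(records, indent=2)


if __name__ == "__main__":
    vault = AnswerVault()
    vault.enroll("mail.example", "What is your pet's name?")
    vault.enroll("bank.example", "What is your pet's name?")
    print(vault.export_json())
    print(f"entropy per answer: {entropy_bits(len(ALPHABET), DEFAULT_LENGTH):.1f} bits")
    print("five-guess success against a random answer: "
          f"{guess_success_probability(5, len(ALPHABET), DEFAULT_LENGTH):.2e}")
```

The exported JSON is meant to live inside an already-encrypted store, not on disk in the clear; the point of the example is that a recovery answer nobody could remember is also one nobody can look up on Wikipedia or a profile page.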