02/13/2013

Do you want to know a secret?

Do you want to know a secret? Social engineering

Of course, one of the tips was about choosing strong and unique passwords for your online accounts. But this tip in itself is worthless, if it is not combined with the tip ‘Don’t publish too much information about yourself on the Internet’. Most people think the combination of these tips is about the ability to guess passwords with the personal information. For instance: my password is the name of my pet rabbit. On Facebook, I have a picture of my rabbit, accompanied by its name. But I choose to believe people nowadays come up with stronger passwords than that. And if that is a naive thought, please allow me to keep living in my fantasy land. No, the real issue in my opinion is the issue regarding secret questions.

When creating some online accounts, you are asked to answer certain questions. These are so called secret questions. Not very long ago this happened to me when I was creating an online account for checking my credit card spending. I was asked to provide a lot of information to create this account. I was also prompted to enter a strong password, which is a good thing for a service which holds this much personal and financial data.
Luckily I have a little helper for creating strong, unique passwords, so I was convinced by the security of my new password. I was not very worried about losing or forgetting my password, because I have a trick up my sleeve for that as well, but I won’t tell you about that here. But this particular site was not as convinced as I was, so I was forced to answer the secret questions.
There were four questions. I don’t remember all of them, but I do know that the answers to all four questions could be found on the internet after some detective work. I remember the first secret question: What is the name of your first school? Well, it turns out I was part of a Facebook group of my elementary school, so that one was easy to find.*

I also remember the second question: the maiden name of my mother. This one can also be easily found if you are connected to your mother on Facebook and you have confirmed your family relation with her. Many mothers are on Facebook in the hopes of rekindling friendships from their youth, so they oftentimes mention their maiden name somewhere on their profile. Score!

But even if life is not so easy on the attentive cyber criminal, he can still be successful. For instance: your mother is on Facebook, but you have obstinately denied her friend request, so you two are not connected. All of a sudden, your sister in law decides to post a picture from last year’s Christmas dinner, entitled ‘Christmas with the family’. Everyone in the picture has been tagged by your sister-in-law. The only older lady in the picture is surely your mother.

Another example: your mother is indicated as your mother on Facebook, but she does not mention her maiden name anywhere. But, she is connected to her brother, whose last name is, most probably, her maiden name. Or she is connected to his daughters, who indicate her as ‘Auntie So-and-So’ in a post. Of course these girls also have her maiden name as their last name.

To make a long story short: the secret answers to the secret questions are rarely a secret. And that makes the strongest password in the world worthless, because: it is easy to circumvent. You might argue that some internet services do not allow re-setting the password immediately after answering the secret question, but rather send an e-mail with a password-reset-verification link to the user. I agree. But hey, whoever is able to “hack” one account, might also hack a second. And depending on the order in which the attacker hacks the accounts, an email with a verification link is no obstacle at all.

To avoid these problems, I see only three possible solutions.
The first one: delete your Facebook account. Because even if you are very sensible in the amount of information you post, you have no control over what your friends and family post and tag online.

Another option: lie. Only when you give false information, it will be impossible for cybercriminals to find the answers and crack the security. Consequently, you need to be 100% sure you won’t ever lose or forget you password (or the note you keep with the false answers you have given on it), or you will be in trouble...

And finally, option three: no matter how complex your password is or how fictitious your secret answer is – in case your computer is infected with spyware, none of these measures saves you. Therefore, the combination of common sense and a comprehensive AV security solution is essential.


*In the meantime I have withdrawn from the Facebook group. Nothing really happened in the group anyway.