Don't Give Away Historic Details About Yourself (krebsonsecurity.com)
Brian Krebs: Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as "What was your first job," or "What was your first car?" The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to "secret questions" that can be used to unlock access to a host of your online identities and accounts. I'm willing to bet that a good percentage of regular readers here would never respond -- honestly or otherwise -- to such questionnaires (except perhaps to chide others for responding). But I thought it was worth mentioning because certain social networks -- particularly Facebook -- seem positively overrun with these data-harvesting schemes. What's more, I'm constantly asking friends and family members to stop participating in these quizzes and to stop urging their contacts to do the same.
On the surface, these simple questions may be little more than an attempt at online engagement by otherwise well-meaning companies and individuals. Nevertheless, your answers to these questions may live in perpetuity online, giving identity thieves and scammers ample ammunition to start gaining backdoor access to your various online accounts.
Did what social media had to do to make a profit.
The user is the product.
Stop wanting to be that product.
Turn off social media. Get a good VPN. Give your friends email. Use quality video chat. Join a forum, chat room on one topic.
Social media uses that information to build a profile on you and your friends.
What a person omits, fails to mention, lies about will be filled in by friends and family telling the truth. Data gaps are then not as privacy protecting as a state user expects.
Stop using social media and the data-harvesting can be limited to each site and each area of interest.
Domestic spying is now "Benign Information Gathering"
The ones that ask for the first three letters of where you were born and the last three letters of your mother's maiden name are particularly transparent.... It couldn't be any more obvious what the goals of these games are.
You may think it's safe because you aren't giving the entire info... but even that little bit makes it SO MUCH EASIER to narrow down possible results.
Honestly, I don't even tell the bank the real answers to these dumb questions. The reason is quite simple: someone could research and find the answers. Far better to just make up a set of answers to these sorts of things. Even multiple sets for different institutions. That's what I do. They have no business knowing details and they have proven they can't keep secrets.
What was your first banking password?
What was your first government-issued identification number?
What was your first online handle that you used before you learned that the things you do and post on the internet can be traced back to you?
What was your first humiliating, deviant, or illegal thought?
What was your first felony that you got away with?
What was your first object you dry humped?
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
In one fell swoop, people give away birth hospital (city), weight, height, and name. Just add mother's maiden name (usually already there in FB) and hunt around for dog on their profile, and you've everything you need to file a social security number request before the kid is even 15 minutes old.
And yes, it has been done (though not using facebook-originated data).
"But remember, most lynch mobs aren't this nice." (H.Simpson)
-- Joe
Brian is usually pretty good for insight but this reads like a 'no shit' kind of observation he made to his in-laws over dinner.
Even on sites that require info for registration I simply lie, always have. For info other than shipping address it's not relevant to whatever transaction we're undertaking so I see no reason to provide them with any valid info, for security questions it's easy enough to jot down actual security questions so I can remember the answer in the future (usually in keepass notes).
I do get a kick out of random websites wishing my honey pot gmail account happy birthday at random times of the year.
I had a Facebook account a while back simply for the random forums that required Facebook authentication for comments. About 2 years ago they nuked the account because they couldn't map it to a human being, which was kind of the point.
Use fake answers for security questions.
Even better idea, in addition to not giving away your data, why not also practice good operational security habits? Pick secure answers to those retarded questions. You are storing your password in an encrypted password safe, right? Add some more fields...
Site X thinks my first car was a "eterverinkipen43", but site Y thinks it was a "trocklencaterm39". Some people think my mother's maiden name was "metablersilippe8", but others think it is "glytenclegratio3".
There is absolutely no reason why any two sites or entities should have the same "secret", and none of those "secrets" should be things that your whole family and your entire school class knows. If you go to the "security" page of a site and it shows your answers to these questions, they are stored in plaintext and you absolutely positively must not use that same "secret" elsewhere.
And if a secret can be used as a password (or worse - can reset a password) it needs to be at least as strong as your password and protected as well as your password. Scratch that, it should be protected even better than your password because it will probably never be expired or changed.
See that "Preview" button?
And the answer...
"GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
From the duh department
Take your first pet's name and the street you grew up on.
My porn name is "v2f2Xwsl Owg3lkIA", because fuck you for trying that.
Hmmm. I wonder what info they are harvesting..
first pet's name? scooby doo
birthdate? 1/1/1970
first phone number? 867-5309
first street address? 1313 mockingbird lane
favorite color? rainbow
favorite number? 42
oshit, now you can hack my account.
This is an actual set of questions I once got from my bank.
None of these Q/A pairs was information I provided to them.
Each question had 6 choices, with the last being "None of the above".
Only 2 of these questions were based on current information.
I redacted parts of 2 questions containing personal information.
1. In which of the following counties have you ever lived or owned property?
2. Which of the following street addresses in [city_I_once_lived_in] have you ever lived at or been associated with?
3. Which of the following corporations have you ever been associated with?
4. In which of the following housing complexes or communities have you ever lived or owned property?
5. Which of the following vehicles have you ever owned or leased?
6. When did you purchase the property at [my_current_address]?
You mean, um, don't give away information about yourself, like, uh, Slashdot Polls?
If I always select the CowboyNeal option, I'm safe, right?
Or do I need to #DeleteSlashdot?
I'm surprised these stupid little quizzes are still a thing. I thought it was amusing for a few minutes about 15 years ago, after that I decided I have better things to waste my time doing.
Most secret questions can be looked up or guessed if you can read through people's social media accounts. The answers to the secret questions should be lies. Mother's maiden name? Rumpelstiltskin. Place of birth? Sunnydale Hellmouth. First pet? Epileptic sea cucumber.
FIRSTLY NEVER FILL IN THAT SHIT, they aren't doing it just to reminisce. Secondly always make the answers to secret questions fake data but memorable to you as if you use the real information you are fucked once compromised by any one organisation that fails to secure it.
copy & paste... done id theft...
do yourself a favor tell your acquaintances to stop being retards and delete facebook lol... they should have never started in the first place.
The whole concept was retarded from the start:
"Here ya go, have my balls, now squeeze in em".
Something has always baffled me about security questions being used to hijack someone else's account on whatever site.
Maybe my experience is different, but every time I've used a password reset form that required me to put in a security question answer... something else happens first. I get an email from the site, after requesting a password reset, to continue that reset I need to click a link in the email. After I do that, then it asks me a security question before continuing with the reset.
Now, here's my question... how the hell are people overcoming this? There needs to be an epic level of fail for this to be a viable backdoor. You need control of the email account in question, and you'd have to get that emailed link to continue the process. So what am I missing, how does the thief go from "I got the security question answers." to "I got control of the account." There's something missing from this.
Someone in a chat area of a site will start a survey. One popular one is: "What would be your porn star name?" Take the maiden name of your mother, and put it after the name of the city you were born. As in Topeka Smith.
Surprised that a lot of people will add an answer.
If I can't find out what kind of fruit someone is, how am I supposed to defend myself against them?
I was pissed when my mother in law came home with a book for my baby son, all customized with his birthdate, full name mom and dads name... They print them in China.
Nullius in verba
This entire concept of using questions to protect financial access is beyond retarded. A few months ago I was denied access to one of my credit cards because I couldn't name the city my estranged sister was living in. I think we're finally past the mother's maiden name (since you can pretty much search marriage records for 40+ years now). Maybe it's finally time to allow our phones to digitally sign the call itself or use a private certificates for authentication that use a hardware key inside our devices?
Or better yet, use NFC or card readers on phones and tablets so we can authenticate with a PIN we change frequently?
I dunno, considering everyone's credit file is leaked somewhere I wouldn't think any question with a static answer is appropriate anymore.
Or what "star" were you and other so called games. The so called innocent answers, build profiles of you. People don't get it. NOTHING online is free...
Combine the name of your first pet with the name of the street you grew up on, be amused by the result, post it all over the internet (and encourage others to do the same.)
I confess it took me a while to notice that these posts were gold for identity thieves. If this meme was invented by an identity thief, I am in awe of their brilliance.
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
Which begs the question, "Why do bank and financial sites still use questions like 'Mother's Maiden Name' when Ancestry.com probably knows that, even if YOU never filled in an online genealogy?"
Suggestion: Answer all such questions with the same answer, one irrelevant to the question. "Mother's Maiden Name"? "Blue". "First car"? "Blue". "First pet"? "Blue".
My answer to all of those types of questions is always "Cowboy Neal"
We need to stop having bad security questions. http://www.geekswithblogs.net/...
my karma will be here long after I'm gone
That's what they are really. Not case sensitive but gotta type in the same characters. Also, zero chance I'm going to give out really "inside baseball" information about myself.
I'm pretty sure this is how Sarah Palin's yahoo email account got compromised.
I had a sucky sig.
as answers to "security questions" are a must. Too much information is available even without these questionnaires.
2-factor security is just as bad. They want your phone number to link your account with your real identity. Most people don't use burner phones. Most people have their phone number linked to their name (and perhaps birthday, address, picture) in other people's address books. Address books which are routinely scanned by random, popular and unpopular apps.
Post your SSN here for a expert analysis into your true nature.
My UID is prime!
Hey, let's play a fun game! Answer these questions and see your score:
1. What is your mother's maiden name?
2. What is your first pet's name?
3. What street did you grow up on?
4. What are the last 4 digits of your social security number?
...
My default answers are generally FU, or some variation of FU.
Further, when asked by people for any personal info, I always ask for their info, even if I'm dealing with a bank etc.
Just tell them you need their info for security purposes, and that you are recording things for quality control.
or better not don't use any social media platform
While the idea of obfuscation-as-security has been around a long time, given the pervasive lack of data privacy, relax a little and have some fun with it. Large-scale data mining for profit and massive security breaches pretty much leave everyone who uses the internet wide-open to exploitation, so we might as well make a game of it.
I have four "identities" I use for various purposes, all fictitious to one extent of another. I feed them so much bullshit and chaff that pretty much any "profile" on me comes off as straight out of Lewis Carroll. The Mad Geezer meets the Cheshire Hacker.
Be creative. It's fun. Whole books could be written about ways to load up any given profile with conflicting and contradictory information.
You know it's working when you see ads for running shoes and wheelchairs at the same time.
Scruting the inscrutable for over 50 years.
Quite frankly. We keep telling people to use 20 character passwords with numbers and special characters and preferably even characters that can't be typed with a latin keyboard... and then we let them recover that password if lost with the answer for the name of their pet dog they had as a child.
Are you fuckin' serious?
This is from a security standpoint even worse than them using that pooch's name as the friggin' password. Because then a potential attacker would at least not know that the key to the account is the pooch's name.
Who came up with this bullshit? And how is it that even admins don't see that the password and the answer to the security question are in essence the same: A way to gain access to the account.
Every time I see these questions, I question the sanity of such a company's security setup. And it also creates a problem for me, because my password safe only stores one password per account sensibly. So where am I supposed to store that the name of my elementary teacher was qSwHbW66xkwp4A9gXK2A?
Yes, she was an alien. Ask any of my classmates.
But what REALLY gets my piss to a boil is those incredibly stupid sites that don't even ALLOW you to do this because "that does not look like a real name". Are you fucking kidding me? You deliberately disallow me to make my account secure.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
When answering those types of "Secret Questions" at sites you actually use and want security, don't give the "real" answer.
They ask "Model of first car?", you answer "R3dw!n@$"
etc
Mother's maiden name? 0129834765
etc
Who gives actual true answers to those security questions anyway?
In which case who cares if some equally stupid online survey does get real answers. To things that are usually trivially findable anyway - it's not like I keep what my first car was secret. My parents are divorced, my mother's maiden name isn't exactly rocket science to find out and I don't think she's so ashamed of me as to keep her mother status secret...
The idea of security questions is in case you forget your password. So, if you lie on the answer, you risk forgetting that too. So I make a mix of truth and falsehood. Favorite pet? True answer is, I don't have one. I "borrow" someones, that person isn't on the internet, and that person's pet died before most of you were born. Spouse questions? Not married, my GF isn't on Facebook, and since I only refer to her as "My GF", it won't be easy for anyone who doesn't know me IRL to get info on her.
but I've stopped playing those games (or quizzes, whatever) on FB and elsewhere not because of this, but because I 0) don't feel like being part of the thousands who think they are engaged in a relationship-building experience with strangers and 1) my family and friends aren't sending me an invite, they just clicked something, possibly by accident.
And now I lie on my security questions.
deleting the extra space after periods so i can stay relevant, yeah.
42
Q: "Who was your first-Grade teacher?"
A: "Silica"
These should be stored securely physically and logically.
The executor should have a copy available for when you die.
Every time I see a thread on a forum or elsewhere asking questions like this, I can't help but think "Are they tying this info to IP in an attempt to identify me?"
I've been lying about myself on the internet since the internet became a thing. I know it's working because at my current age (early thirties) I started getting literature in the mail about signing up for AARP (requires you to be 55+). So, unfortunately they correlated my real address to my fake age information, but at least it's slightly obfuscated and they have a harder time drawing a bead on who I really am.
I think the better advice is, don't answer security questions truthfully.
Questions like "Where did you go to high school?", "What was your mother's maiden name?", "What city were you born in?", etc. aren't hard to find out with an internet search, or just to guess. Hell, depending on your age, you may even still own your first car, in which case somebody who knows your address could simply plug it into Google Street View and see it parked in your driveway.
If a site wants you to set a security question, don't.
If a site forces you to set a security question, lie, and keep a record (ideally in a password locker -- which, yes, probably defeats the entire purpose of having a security question in the first place) of what lie you used. A "correct-horse-battery-staple"-style password is good for this purpose, in case you have to answer a security question over the phone.
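One way to put this post's advice (and the earlier point that no two sites should ever share the same "secret") into practice, as an added example that is not from the original thread: a small Python helper that generates unrelated word-based answers, keeps a per-site record of the lie used, and audits that record for reused or truthful answers. The wordlist, site names and question labels are constructed for the example.

```python
import math
import secrets

# Constructed stand-in wordlist so the example runs offline; a real diceware-style
# list has thousands of entries and gives far more entropy per word.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pebble",
    "quartz", "raven", "saffron", "tundra", "umber", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "amber", "birch", "cedar", "delta", "elm", "fjord",
]


def fake_answer(words=4, wordlist=WORDLIST):
    """Random 'correct-horse-battery-staple' style answer, unrelated to any real fact."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(words=4, wordlist=WORDLIST):
    """Guessing entropy of an answer drawn uniformly from wordlist^words."""
    return words * math.log2(len(wordlist))


def register_answers(site, questions, record, words=4):
    """Store one fresh, distinct fake answer per (site, question) in record."""
    used = set(record.values())
    for question in questions:
        answer = fake_answer(words)
        while answer in used:  # never reuse a secret, even across sites
            answer = fake_answer(words)
        used.add(answer)
        record[(site, question)] = answer
    return record


def audit_record(record, real_answers):
    """List problems: a secret reused across entries, or one equal to the true fact."""
    problems = []
    seen = {}
    for (site, question), answer in record.items():
        key = answer.casefold()
        if key in seen:
            problems.append(f"{site}/{question} reuses the secret from {seen[key]}")
        seen[key] = f"{site}/{question}"
        if key == real_answers.get(question, "").casefold():
            problems.append(f"{site}/{question} is the real answer")
    return problems


if __name__ == "__main__":
    # Constructed demo: two sites that both ask about the first car.
    record = register_answers("bank", ["first car", "mother's maiden name"], {})
    register_answers("shop", ["first car", "first pet"], record)
    for key, value in record.items():
        print(key, "->", value)
    print("bits per answer:", entropy_bits())
    print("audit:", audit_record(record, {"first car": "Civic"}))
```

The record itself belongs in the password safe alongside the site's password, since whoever holds it can reset the account.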
A good point for potential disaster scenarios. Honestly, it caused me to reflect, and I was reassured by the following:
1) In my experience, my bank(s) use a different authentication process on the phone. They don't use my online security questions. I guess that definitely could be different for other people. (I actually would prefer they had stronger phone auth, but oh well.)
2) I suppose it's a tradeoff between guarding against the rather more likely event of a phishing/bruteforce/etc online attack that could result in extremely inconvenient financial consequences versus a (thankfully) very rare life disaster scenario. In the latter, I'm also inclined to believe I will be able to leverage other resources to assist. For example, why not have the above mentioned friend just send some money *for you* to the hotel until you can get to a computer and pay him back? I'm fairly optimistic that if I have been the victim of a crime or disaster, I will likely be able to get the assistance of authorities to access my financial resources.
3) I have layers of disaster recovery such that I should never be theoretically too far from full access to my passwords. Even if I lost my phone, my PC, and any other mechanism to access my encrypted cloud backups, there are a few key passwords that I have committed to memory (diceware style). If I can find a device I trust enough, then with one memorized password I can access a publicly hosted but encrypted one time use 2FA token for Google. With this and a memorized password for Google, I can access Google Drive where I have a copy of my password safe data file. My password safe software is open source and I can download and use it on an Android, Mac, or Windows device. With a final memorized password I now have access to ***all my passwords, security questions, account numbers, PINs, etc.*** again.
if someone pretends to be my alias on some random wordpress forum, who cares?
Someone might post something politically incorrect under your name in order to tarnish your reputation. It's called a joe job.
why the hell do I have or need an account at Office Depot? scifi.com? Excite? Hallmark???
Excite at least used to be an email provider. Syfy (formerly Sci-Fi Channel) is a provider of video programming to multichannel pay TV, and you need an account to verify that you subscribe to Syfy through a participating multichannel pay TV provider. You may have ordered some office supplies from Office Depot and allowed the site to store your shipping address in case you reorder them later.