
Don't Give Away Historic Details About Yourself (krebsonsecurity.com)

Brian Krebs: Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as "What was your first job," or "What was your first car?" The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to "secret questions" that can be used to unlock access to a host of your online identities and accounts. I'm willing to bet that a good percentage of regular readers here would never respond -- honestly or otherwise -- to such questionnaires (except perhaps to chide others for responding). But I thought it was worth mentioning because certain social networks -- particularly Facebook -- seem positively overrun with these data-harvesting schemes. What's more, I'm constantly asking friends and family members to stop participating in these quizzes and to stop urging their contacts to do the same.

On the surface, these simple questions may be little more than an attempt at online engagement by otherwise well-meaning companies and individuals. Nevertheless, your answers to these questions may live in perpetuity online, giving identity thieves and scammers ample ammunition to start gaining backdoor access to your various online accounts.


  1. Social media by AHuxley · · Score: 4, Insightful

    Did what social media had to do to make a profit.
    The user is the product.

    Stop wanting to be that product.
    Turn off social media. Get a good VPN. Give your friends email. Use quality video chat. Join a forum, chat room on one topic.

    Social media uses that information to build a profile on you and your friends.
    What a person omits, fails to mention, lies about will be filled in by friends and family telling the truth. Data gaps are then not as privacy protecting as a state user expects.
    Stop using social media and the data-harvesting can be limited to each site and each area of interest.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re: Social media by monkeyzoo · · Score: 4, Insightful

      Favorite color?
      ch2zi656pf0u66ob089y0xu84

      Mother's maiden name?
      7zrhotbw9rx5ul6v029647371

      What city were you born in?
      su86wzr65u39h1z45f352q19u

      Yes, you probably shouldn't answer those questionnaires, but you shouldn't be answering "security questions" either!!! Good opsec has always been to use a randomly generated response and treat it as a secondary password. (I.e., store it in your password safe.)

    2. Re:Social media by Bongo · · Score: 4, Insightful

      Why not just post that people should roll back the technology clock by 20 years? Or does that sound like a much harder sell?

      Perhaps, given all the risks people have to face in life, the principle of privacy just doesn't matter that much to people. We eat in restaurants (food cooked by strangers), we drive cars (roads crowded by strangers), and go to the hospital (operated on by strangers), so the idea that strangers know something about your personality, social status, and buying habits, etc. is really neither here nor there. So Facebook's mission to connect everyone... ... to an advertiser, political party, etc. is not high on people's lists of worries in life.

      The difficulty for IT people is that, it is a compromise, and so everyone has to pay lip service to the principle of protecting data, even though in practice, almost nobody cares. At least, not care in the sense of, you can get away with it so long as you don't happen to do something which can be sensationalised in a way that triggers people's emotions, which seems to be what happened here. Consequently, Facebook has to ban those companies, not because they were harvesting data (a feature, not a bug) but because they allowed the public to be spun a story about it in such a way that caused outrage. In other words, they allowed a stink to happen. THAT was their sin.

      We might think the problem was that a strict rule or policy was broken, i.e. data was harvested, and so tighter controls should be used, like some technology problem, requiring a spec and a solution, but no, the actual problem is that a stink happened.

      Much of our modern society is built on trust, and that in itself has brought tremendous benefits -- this is a broad point, that you cannot live in a modern city and society if you do not approach hundreds of strangers you interact with, with a basic form of trust -- so we are not going to give up easily on that, because it has given us so much -- consequently, we will forgive and forget these abuses of trust.

      I think the particularly isolated geek mindset can forget this aspect, that humans "stupidly" trust each other... but there's a bunch of very good reasons for that pattern.

    3. Re:Social media by coofercat · · Score: 3, Insightful

      We also make sure the likes of doctors (who get to know an awful lot about you) are heavily regulated. Chefs aren't regulated as such, but they are bound by reputation somewhat, and in some places hygiene standards and whatnot.

      However, that a chef knows you like fish and chips isn't much by itself. Likewise, your doc knowing that your cholesterol is a bit high isn't a thing in itself. Likewise, your gym knowing you haven't visited in 18 months isn't much of a thing in itself. However, join all those things together and your life insurance premiums just went up.

      In the olden days this was done by gossip - people would pass snippets of knowledge between themselves and eventually a few people would piece together some facts about you. You'd then end up run out of town, or whatever.

      Ultimately: centralised knowledge about you is usually a bad thing for you. It might bring some benefits here and there, but mostly it's not a good thing (if not now, then in the future).

  2. Honestly? by pubwvj · · Score: 4, Insightful

    Honestly, I don't even tell the bank the real answers to these dumb questions. The reason is quite simple: someone could research and find the answers. Far better to just make up a set of answers to these sorts of things. Even multiple sets for different institutions. That's what I do. They have no business knowing details and they have proven they can't keep secrets.

    1. Re:Honestly? by ColdWetDog · · Score: 3, Insightful

      This. Those 'security questions' are really just another password. I use random nonsense and put the results in my password manager. I'm a bit surprised that the various nefarious critters wandering about the bottom of the Internet would even bother at this level of trolling, but I guess you gotta make a living somehow.

      --
      Faster! Faster! Faster would be better!
    2. Re:Honestly? by alvinrod · · Score: 4, Insightful

      It's worse than another password. Most sites are at least smart enough to store a hash and some will go a little further and salt it to make extracting the real value more difficult. However, security questions are more likely to be stored in plain text (especially if you can give them over the phone to a CSR) and a lot of sites are going to allow you to reset a password with security questions.

      Under no circumstances should you ever use a correct answer for a security question, and the answer you have should never be reused. Many sites have a predefined list of security questions and there's a lot of overlap between those lists. An attacker that gets one set of security questions can probably reuse them on other sites beyond the one they attacked.
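Both sides of the advice in monkeyzoo's and alvinrod's comments, as an added example that is not part of the thread: the user generates an independent random "answer" per question and per site (kept in a password safe), and a site that must accept such answers stores them salted and hashed like a password rather than in plaintext. The question list, site names and PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed list of the overlapping "security questions" the thread describes.
QUESTIONS = ["Favorite color?", "Mother's maiden name?", "What city were you born in?"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
ITERATIONS = 200_000  # constructed PBKDF2 work factor, not a site's real setting


def random_answer(length: int = 25) -> str:
    """User side: a random string to give as the 'answer' and keep in a
    password safe, instead of a fact that friends, quizzes or records reveal."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def vault_entries(site: str) -> dict:
    """One independent random answer per question for this site, so nothing
    learned from one site's answers can be replayed against another site."""
    return {q: random_answer() for q in QUESTIONS}


def normalize(answer: str) -> str:
    # Sites that accept human answers usually fold case and whitespace; doing it
    # before hashing keeps verification from rejecting "Smith " versus "smith".
    return " ".join(answer.strip().lower().split())


def store_answer(answer: str) -> dict:
    """Site side: keep only a salted, slow hash (PBKDF2-HMAC-SHA256), never the
    plaintext answer, exactly as a password would be stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def answers_reusable(site_a: dict, site_b: dict) -> bool:
    """True if any answer given to site A would also unlock the same question at site B."""
    return any(site_a[q] == site_b[q] for q in QUESTIONS)
```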

  3. xyzzy by Orgasmatron · · Score: 4, Insightful

    Even better idea, in addition to not giving away your data, why not also practice good operational security habits? Pick secure answers to those retarded questions. You are storing your password in an encrypted password safe, right? Add some more fields...

    Site X thinks my first car was a "eterverinkipen43", but site Y thinks it was a "trocklencaterm39". Some people think my mother's maiden name was "metablersilippe8", but others think it is "glytenclegratio3".

    There is absolutely no reason why any two sites or entities should have the same "secret", and none of those "secrets" should be things that your whole family and your entire school class knows. If you go to the "security" page of a site and it shows your answers to these questions, they are stored in plaintext and you absolutely positively must not use that same "secret" elsewhere.

    And if a secret can be used as a password (or worse - can reset a password) it needs to be at least as strong as your password and protected as well as your password. Scratch that, it should be protected even better than your password because it will probably never be expired or changed.

    --
    See that "Preview" button?
  4. Re:Birth announcements are the worst... by Anonymous Coward · · Score: 2, Insightful

    Wedding announcements are always good sources of maiden names.

  5. Only if you're doing it wrong by GrumpySteen · · Score: 3, Insightful

    Most secret questions can be looked up or guessed if you can read through people's social media accounts. The answers to the secret questions should be lies. Mother's maiden name? Rumpelstiltskin. Place of birth? Sunnydale Hellmouth. First pet? Epileptic sea cucumber.