Slashdot Mirror


Don't Give Away Historic Details About Yourself (krebsonsecurity.com)

Brian Krebs: Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as "What was your first job," or "What was your first car?" The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to "secret questions" that can be used to unlock access to a host of your online identities and accounts. I'm willing to bet that a good percentage of regular readers here would never respond -- honestly or otherwise -- to such questionnaires (except perhaps to chide others for responding). But I thought it was worth mentioning because certain social networks -- particularly Facebook -- seem positively overrun with these data-harvesting schemes. What's more, I'm constantly asking friends and family members to stop participating in these quizzes and to stop urging their contacts to do the same.

On the surface, these simple questions may be little more than an attempt at online engagement by otherwise well-meaning companies and individuals. Nevertheless, your answers to these questions may live in perpetuity online, giving identity thieves and scammers ample ammunition to start gaining backdoor access to your various online accounts.

10 of 158 comments

  1. Social media by AHuxley · Score: 4, Insightful

    Did what social media had to do to make a profit.
    The user is the product.

    Stop wanting to be that product.
    Turn off social media. Get a good VPN. Give your friends email. Use quality video chat. Join a forum, chat room on one topic.

    Social media uses that information to build a profile on you and your friends.
    What a person omits, fails to mention, lies about will be filled in by friends and family telling the truth. Data gaps are then not as privacy protecting as a state user expects.
    Stop using social media and the data-harvesting can be limited to each site and each area of interest.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Social media by monkeyzoo · Score: 4, Insightful

      Favorite color?
      ch2zi656pf0u66ob089y0xu84

      Mother's maiden name?
      7zrhotbw9rx5ul6v029647371

      What city were you born in?
      su86wzr65u39h1z45f352q19u

      Yes, you probably shouldn't answer those questionnaires, but you shouldn't be answering "security questions" either!!! Good opsec has always been to use a randomly generated response and treat it as a secondary password (i.e., store it in your password safe).

    2. Re:Social media by Bongo · Score: 4, Insightful

      Why not just post that people should roll back the technology clock by 20 years? Or does that sound like a much harder sell?

      Perhaps, given all the risks people have to face in life, the principle of privacy just doesn't matter that much to people. We eat in restaurants (food cooked by strangers), we drive cars (roads crowded by strangers), and go to the hospital (operated on by strangers), so the idea that strangers know something about your personality, social status, and buying habits, etc. is really neither here nor there. So Facebook's mission to connect everyone... ... to an advertiser, political party, etc. is not high on people's lists of worries in life.

      The difficulty for IT people is that it is a compromise, and so everyone has to pay lip service to the principle of protecting data, even though in practice, almost nobody cares. At least, not care in the sense of, you can get away with it so long as you don't happen to do something which can be sensationalised in a way that triggers people's emotions, which seems to be what happened here. Consequently, Facebook has to ban those companies, not because they were harvesting data (a feature, not a bug) but because they allowed the public to be spun a story about it in such a way that caused outrage. In other words, they allowed a stink to happen. THAT was their sin.

      We might think the problem was that a strict rule or policy was broken, i.e. data was harvested, and so tighter controls should be used, like some technology problem, requiring a spec and a solution, but no, the actual problem is that a stink happened.

      Much of our modern society is built on trust, and that in itself has brought tremendous benefits -- this is a broad point, that you cannot live in a modern city and society if you do not approach hundreds of strangers you interact with, with a basic form of trust -- so we are not going to give up easily on that, because it has given us so much -- consequently, we will forgive and forget these abuses of trust.

      I think the particularly isolated geek mindset can forget this aspect, that humans "stupidly" trust each other... but there's a bunch of very good reasons for that pattern.

  2. Honestly? by pubwvj · Score: 4, Insightful

    Honestly, I don't even tell the bank the real answers to these dumb questions. The reason is quite simple: someone could research and find the answers. Far better to just make up a set of answers to these sorts of things. Even multiple sets for different institutions. That's what I do. They have no business knowing details and they have proven they can't keep secrets.

    1. Re:Honestly? by CrimsonAvenger · Score: 5, Informative

      Honestly, I don't even tell the bank the real answers to these dumb questions.

      This. The comment field in PasswordSafe is a wonderful place to store the made-up answers to those questions....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    2. Re:Honestly? by alvinrod · Score: 4, Insightful

      It's worse than another password. Most sites are at least smart enough to store a hash and some will go a little further and salt it to make extracting the real value more difficult. However, security questions are more likely to be stored in plain text (especially if you can give them over the phone to a CSR) and a lot of sites are going to allow you to reset a password with security questions.

      Under no circumstances should you ever use a correct answer for a security question, and the answer you have should never be reused. Many sites have a predefined list of security questions and there's a lot of overlap between those lists. An attacker that gets one set of security questions can probably reuse them on other sites beyond the one they attacked.

  3. Alternative Questionnaires by mentil · Score: 4, Funny

    What was your first banking password?
    What was your first government-issued identification number?
    What was your first online handle that you used before you learned that the things you do and post on the internet can be traced back to you?
    What was your first humiliating, deviant, or illegal thought?
    What was your first felony that you got away with?
    What was your first object you dry humped?

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  4. Birth announcements are the worst... by acroyear · Score: 4, Interesting

    In one fell swoop, people give away birth hospital (city), weight, height, and name. Just add mother's maiden name (usually already there in FB) and hunt around for the dog on their profile, and you've got everything you need to file a social security number request before the kid is even 15 minutes old.

    And yes, it has been done (though not using facebook-originated data).

    --
    "But remember, most lynch mobs aren't this nice." (H.Simpson)
    -- Joe
  5. xyzzy by Orgasmatron · Score: 4, Insightful

    Even better idea, in addition to not giving away your data, why not also practice good operational security habits? Pick secure answers to those retarded questions. You are storing your password in an encrypted password safe, right? Add some more fields...

    Site X thinks my first car was a "eterverinkipen43", but site Y thinks it was a "trocklencaterm39". Some people think my mother's maiden name was "metablersilippe8", but others think it is "glytenclegratio3".

    There is absolutely no reason why any two sites or entities should have the same "secret", and none of those "secrets" should be things that your whole family and your entire school class knows. If you go to the "security" page of a site and it shows your answers to these questions, they are stored in plaintext and you absolutely positively must not use that same "secret" elsewhere.

    And if a secret can be used as a password (or worse - can reset a password) it needs to be at least as strong as your password and protected as well as your password. Scratch that, it should be protected even better than your password because it will probably never be expired or changed.

    --
    See that "Preview" button?
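    The scheme monkeyzoo and Orgasmatron describe above (random per-site answers, kept in a password safe, never shared between sites, and at least as strong as the password they can reset) as a worked example. This is added here and is not any commenter's code; the pronounceable consonant/vowel alphabet, the `SAMPLE_VAULT` data and the site names are constructed for illustration.

```python
import math
import secrets
from collections import defaultdict

# Alternating consonant/vowel pairs give a speakable pseudoword, which matters when the
# "secret" has to be read aloud to a call-centre agent rather than typed into a form.
CONSONANTS = "bcdfghjklmnprstvz"
VOWELS = "aeiou"
DIGITS = "0123456789"

def generate_answer(syllables: int = 7, digits: int = 2) -> str:
    """Fresh per-site answer from the OS CSPRNG: <syllables> CV pairs plus <digits> digits."""
    word = "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS) for _ in range(syllables))
    return word + "".join(secrets.choice(DIGITS) for _ in range(digits))

def is_well_formed(answer: str, syllables: int = 7, digits: int = 2) -> bool:
    """Check that an answer has exactly the shape generate_answer() promises."""
    word, tail = answer[: 2 * syllables], answer[2 * syllables:]
    if len(word) != 2 * syllables or len(tail) != digits:
        return False
    pairs_ok = all(word[i] in CONSONANTS and word[i + 1] in VOWELS for i in range(0, len(word), 2))
    return pairs_ok and all(ch in DIGITS for ch in tail)

def answer_entropy_bits(syllables: int = 7, digits: int = 2) -> float:
    """Guessing entropy: each CV pair is one of 17*5 choices, each digit one of 10."""
    return syllables * math.log2(len(CONSONANTS) * len(VOWELS)) + digits * math.log2(len(DIGITS))

def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of <length> symbols from <alphabet_size>."""
    return length * math.log2(alphabet_size)

def syllables_to_match(password_bits: float, digits: int = 2) -> int:
    """Fewest CV pairs so the spoken answer is at least as strong as the password it can reset."""
    remaining = password_bits - digits * math.log2(len(DIGITS))
    return max(1, math.ceil(remaining / math.log2(len(CONSONANTS) * len(VOWELS))))

def find_reused_answers(vault: dict) -> dict:
    """Return {answer: [sites]} for every answer stored under more than one site."""
    seen = defaultdict(set)
    for site, questions in vault.items():
        for answer in questions.values():
            seen[answer].add(site)
    return {a: sorted(sites) for a, sites in seen.items() if len(sites) > 1}

# Constructed sample vault (not real accounts): one answer was wrongly reused across two sites.
SAMPLE_VAULT = {
    "bank.example": {"first car": "dafoketamuvizo17", "maiden name": "nolipesubakide42"},
    "shop.example": {"first car": "rimatobedupeja90", "maiden name": "nolipesubakide42"},
}
```

    Seven pairs plus two digits (16 characters) carries about 51.5 bits, slightly more than a random 8-character alphanumeric password (about 47.6 bits); the extra length is the price of an answer you can say over the phone.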
  6. not just online by bugs2squash · Score: 4, Interesting

    I was pissed when my mother in law came home with a book for my baby son, all customized with his birthdate, full name, mom and dad's names... They print them in China.

    --
    Nullius in verba