Wednesday, September 12, 2012

Ask Me Some Questions and I'll Tell You Some Lies

Would you believe me if I told you that using technology today is about as easy as striking a match to start a fire? And, would you believe me if I told you that technology and fire could be equally difficult to manage if you weren't taking proper safety precautions? Technology is not unlike lighting a match to start a fire. With technology there is a disparity between ease of use and taking appropriate security measures. People tend to choose ease of use over being careful. So, providers of services have to find a balance between making it easy to use and protecting the end user. One of the ways they attempt to do this is through asking a series of security questions which must be correctly answered in order to prove you are who you say you are.

Security questions, though not strictly enforced, have been used to secure medical and financial information when making in-person or telephone inquiries. Being asked a specific question, and then providing the correct answer, allowed you access to the information you sought when your identity could not be otherwise confirmed. Online accounts continue to use the same methodology in trying to confirm a user's identity. If you get locked out of an account and correctly provide the answers to your security questions you will be granted access.

Since the early days of security questions, up until about a year or so ago, one of the most common questions was, "What is your mother's maiden name?" The problem with using only one question, and worse this particular question, is that every account that needed to be secure would have the same question and answer. An answer, at that, not difficult for the average person to discover with a small amount of legwork. If used in a nefarious way to access one account it could easily be used to access any other account. Bad people can easily pretend to be you and claim they were locked out of your account. Armed with some basic knowledge of you they can be granted access to your account relatively easily.

Secure websites have been attempting to increase security through the use of multiple security questions. Many online accounts now require that you set up three security questions. Some typical questions include:

What was the first car you owned?
What is your favorite car you drove?
What was the worst car you ever drove?
What was the name of your first grade teacher?
What is the first name of your oldest sibling?
What is the name of the first company you worked for?
In which city were you born?

The flaw in security questions is that they only offer a modicum of security because the questions tend to revolve around personal information about ourselves that is common knowledge or could be easily discovered. Questions are designed so that the answers we provide would be easy for us to remember. And, because it is natural to make things easy to remember we stick to what we know. And, because we stick to what we know we answer these kinds of questions honestly.

Maybe your moral backbone prevents you from lying but, I assure you, there is no better time to lie than when it comes to creating answers to your security questions. Lying really is the best policy. Falsifying answers makes it harder for other people to guess or otherwise discover the answers. You can use the same security questions for multiple accounts but randomize the answers for each, so that if one account was compromised through your answers it only impacts that one account. The best way to retain your questions and answers is by using a password manager. Most people seldom need to retrieve this information so it only makes sense to store it someplace secure.
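As an added illustration of the advice above (example code, not from the original post): a small Python routine that gives every account-and-question pair its own random nonsense answer and checks that no answer is reused across accounts, so the result can be pasted into a password manager. The word list and account names are constructed for the demo.

```python
import secrets

# Constructed word list for the demo; a real tool would use a large list.
WORDS = ["gallon", "circular", "lantern", "velvet", "orbit", "pepper", "glacier",
         "mosaic", "tundra", "copper", "meadow", "cipher", "harbor", "quartz"]

# Questions from the post; the same ones are reused by many sites.
QUESTIONS = [
    "What was the first car you owned?",
    "What was the name of your first grade teacher?",
    "In which city were you born?",
]

def random_answer(words=WORDS, n=4):
    """Build a nonsense answer from n words chosen with a CSPRNG (secrets)."""
    return " ".join(secrets.choice(words) for _ in range(n))

def answers_are_unique(vault):
    """True when no answer appears under more than one account or question."""
    seen = set()
    for per_account in vault.values():
        for ans in per_account.values():
            if ans in seen:
                return False
            seen.add(ans)
    return True

def build_vault(accounts, questions=QUESTIONS):
    """Give every (account, question) pair its own unrelated answer.

    Retries until no answer is shared, so a leak from one account
    tells an attacker nothing about the answers on another.
    """
    while True:
        vault = {acct: {q: random_answer() for q in questions} for acct in accounts}
        if answers_are_unique(vault):
            return vault

def guess_space(words=WORDS, n=4):
    """Number of possible answers an attacker would have to try."""
    return len(words) ** n

if __name__ == "__main__":
    for acct, per_account in build_vault(["bank", "email", "shop"]).items():
        for q, a in per_account.items():
            print(f"{acct}: {q} -> {a}")
```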

Since the answers to the questions should be nonsense I suggest that the questions should be nonsense too so that everyone is forced to use a nonsensical answer. How about something like:

Question: If the four sides of an isosceles triangle are not square but circular what is the angle of the left side?

Answer: 15 gallons
