How secret are secret questions?

Please do be polite and don't spill my beer

Moderator: The Kurators

Mr Onion
Site Moderator
Posts: 6649
Joined: Sun Feb 23, 2014 3:13 pm
Location: Between two Super 20's

How secret are secret questions?

Post by Mr Onion » Fri Oct 04, 2019 11:34 am

I have been saying this for years, pass it around and help everyone else
The secret questions and answers you use to recover an account should be secret right? That might be harder to do than you think.

Mother’s maiden name? Where were you born? Name of your first pet? Everyone is familiar with these questions and no doubt you’re familiar with the answers. The problem is that all your friends, family and potentially anyone on your social media could be pretty familiar with those answers too.

Google have endeavoured to analyse how secure and effective the secret question/secret answer system is, specifically when deployed on their services. Read the full report HERE

The problem IS Facebook

A Facebook profile can be a treasure trove of information for the budding social engineer which can take very little effort to access, particularly if your privacy settings aren’t up to snuff. Of course the same could apply to any social profile but Facebook generally features the most personal info.

Your DOB, significant others name and DOB, where you live, where you have lived, your family and subsequently their DOBs, addresses, maiden names, wedding anniversaries etc.

Not only is it a treasure trove but, as you might have noticed, it contains the answers to a great many of the standard cookie cutter secret questions.

As a slightly tangential point: all those ‘fun’ Facebook quizzes that ask you for your mother’s maiden name, first pets name, road you grew up on and spit out your superhero name? They may be perfectly innocent but if you answer honestly you’re handing over the answers to some popular account recovery questions.

Remember honesty isn’t a requirement: Facebook aren’t going to fact check you and decline your secret answer if it isn’t the truth. So long as you can remember it your mother’s maiden name could be Godzilla, or Yy5q$e4VSRFK.

Strong secret answers

Luckily Jake Moore, ESET Security Specialist, is here to give us some advice on how to develop strong, memorable and secure secret answers.

“Try wrapping the answer you would normally use in a code to obfuscate the answer: a simple formula which you can remember but makes your secret answer very difficult to guess.

“An easy one could be the first and last letters of your mother’s name, so if the question is “what is your favourite colour” and your answer is pink, and your mother’s name is “Sarah”, then your answer would be spinkh: simple for you to remember but not easily guessed.”

Alternatively, as Google and Jake suggest, companies and users could make use of one-time passwords or text alerts when resetting or recovering a password or username.

“OTP or one time passwords are a good general way of validating who you are, of course, it's not foolproof but it’s a lot better than just sending an email.”
SOURCE
James
_________________

Fluted Afro LP12, Khan, KEEL, Cirkus, Tranquillity, Urika, Radikal (with Allium Skin Mods), EKOS SE/1, sKale, DVXX-2mkII
Consonance Ref 2.2 Linear (upgraded) with Marigo Lab Aida CD Mat
NACish 72, NAPish 250, Kudos Super 20's
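As an added illustration of the two mitigations mentioned in the post (Jake Moore's wrapping formula and Lanark's password-manager approach), not code from the post or its source: a small Python self-check that flags which recovery answers already appear verbatim in public profile text. The profile facts, the person and the answers are all constructed.

```python
import re
import secrets
import string

# Constructed sample data: facts a social-media profile might expose
# (hypothetical person; nothing here comes from the original post).
PUBLIC_PROFILE = [
    "Born in Leeds, 12 March 1979",
    "Married to Sarah Whitfield",
    "Proud daughter of Margaret (nee Hartley)",
    "Miss my first dog Biscuit so much!",
]

# Constructed answers to the cookie-cutter recovery questions named in the post.
SECRET_ANSWERS = {
    "Where were you born?": "Leeds",
    "Mother's maiden name?": "Hartley",
    "Name of your first pet?": "Biscuit",
    "Favourite colour?": "pink",
}

def normalise(text):
    """Lower-case and drop punctuation so 'Biscuit!' matches 'biscuit'."""
    return re.sub(r"[^a-z0-9 ]", "", text.lower())

def exposed_answers(answers, profile):
    """Return the questions whose answer appears as a whole word in the profile text."""
    haystack = normalise(" ".join(profile))
    return sorted(
        q for q, a in answers.items()
        if re.search(rf"\b{re.escape(normalise(a))}\b", haystack)
    )

def wrap_answer(answer, name):
    """Jake Moore's formula from the post: first and last letter of a
    remembered name around the real answer ('pink' + 'Sarah' -> 'spinkh')."""
    return (name[0] + answer + name[-1]).lower()

def random_answer(length=16):
    """Lanark's approach: a random string kept in a password manager
    instead of a true, guessable fact."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    print("Exposed as-is:", exposed_answers(SECRET_ANSWERS, PUBLIC_PROFILE))
    wrapped = {q: wrap_answer(a, "Sarah") for q, a in SECRET_ANSWERS.items()}
    print("Exposed after wrapping:", exposed_answers(wrapped, PUBLIC_PROFILE))
```

Running it shows three of the four honest answers already sitting in the profile text, while the wrapped or random answers match nothing.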

LD100
Full Member
Posts: 448
Joined: Sun Jun 18, 2017 10:57 am
Location: Chicago, Illinois USA

Re: How secret are secret questions?

Post by LD100 » Fri Oct 04, 2019 11:58 am

Mr Onion wrote:
Fri Oct 04, 2019 11:34 am
I have been saying this for years, pass it around and help everyone else
Indeed, the less correct information out there on the internet about you the better.

I try my best to leave a zero footprint on the web...no social media accounts...and yet when I google my name, I still come up on the internet but listed as the wrong race, religion, and political affiliation...and I have no intention of correcting that.

I'm still trying to figure out the appeal of the whole social media phenomenon. I can understand famous people and kids wanting to post things about themselves, but what about everybody else? An attempt at their two minutes of fame?

But since I'm old as dirt, I suppose I shouldn't be expected to understand newfangled technologies.
Now what did I do with that 78 of the Andrew Sisters?
Original 1978 Fluted Afromosia LP12, Ekos 2, Lyra Kleos SL and lots of other stuff from the 70's that still work fine.

Kitts
Posts: 1
Joined: Tue Nov 05, 2019 12:08 pm

Re: How secret are secret questions?

Post by Kitts » Wed Nov 06, 2019 3:54 pm

Aren't they building "shadow" profiles on everyone anyway?

Lanark
Full Member
Posts: 12
Joined: Sat Sep 07, 2019 1:21 pm

Re: How secret are secret questions?

Post by Lanark » Sun Nov 10, 2019 1:50 pm

I use a password manager and just use the password as the answer to every question.

It does mean that there's no 'fallback option', but the password manager remembers the password anyway, which means that forgetting the password is never going to be an issue.
Turntable - Fluted Walnut LP12, Cirkus, Kore, trampolin, Ittok LVII, Lingo 4, Krystal.
Amplifier - Arcam A32.
Speakers - Spendor S-3/5.
CD Player - Linn Genki.
Tuner - Quad FM 4 (with output stage mod.)
Cables - Naim NAC A4.
Support - Sound Organisation.

MHmusic
Full Member
Posts: 861
Joined: Thu Jul 02, 2015 7:11 pm

Re: How secret are secret questions?

Post by MHmusic » Mon Nov 11, 2019 6:13 pm

LD100 wrote:
Fri Oct 04, 2019 11:58 am
Mr Onion wrote:
Fri Oct 04, 2019 11:34 am
I have been saying this for years, pass it around and help everyone else
Indeed, the less correct information out there on the internet about you the better.

I try my best to leave a zero footprint on the web...no social media accounts...and yet when I google my name, I still come up on the internet but listed as the wrong race, religion, and political affiliation...and I have no intention of correcting that.

I'm still trying to figure out the appeal of the whole social media phenomenon. I can understand famous people and kids wanting to post things about themselves, but what about everybody else? An attempt at their two minutes of fame?

But since I'm old as dirt, I suppose I shouldn't be expected to understand newfangled technologies.
Now what did I do with that 78 of the Andrew Sisters?
I used to work with an IT guy that was determined to stay ‘off the grid’ as they say and he was deadly serious about it. Avoided having his photo taken and tbh his paranoia about this drove everyone a little crazy. Paid in cash, avoided CCTV, all sorts. His partner was impacted most of all because everything was instead in her name :) - I just loved the logic of this. He wasn’t dubious or dodgy in any way, just paranoid. He was right of course that everything could be captured and he could be profiled by corporates, nations or ‘bad guys’, but it impacted what he did and often those with him more than it seemed worth somehow, unless he was planning a coup in later life :)

Anyway, one day we had a secret squirrel offshoot company in showing us their big data product (this was way back when, before it was called that) and they were showing us how it had been used in a ‘country’ to see who had likely been meeting up. Using card expenditure, ATM usage records, social media, corporate retail data, etc. It was stunning and development clearly driven by counter terrorism depts. They were hoping we would leverage it for fraud or sales etc. Without using their system one of their reps spent 20 mins with my colleague and showed him why he was kidding himself. He turned up photos and all sorts just from public sources. Some of which he knew nothing about (photos etc.). He gave up and is on FB now :)

MHmusic
Full Member
Posts: 861
Joined: Thu Jul 02, 2015 7:11 pm

Re: How secret are secret questions?

Post by MHmusic » Thu Nov 14, 2019 11:17 am

This reminded me of another 'encounter' with a secret squirrel supplier from Israel many years ago now. They arrived to demonstrate a call centre telephone recording system that allowed instant and live call access for ongoing staff monitoring (training) and threat calls. It provided instant access to any calls over the past 12 months or so. At the time we were using Racal tapes for checking call transcripts to validate what was said for serious issues but nothing more, and it was tedious at best. Anyway - I digress.

They arrived en masse and as ever spoke better English than we did and gave a hugely impressive presentation. They then asked if they could show us 2 other products. The first was a live word recognition system that would in effect spot a long set of key words used in telephone conversations and alert someone immediately with live monitoring. The most obvious word being bomb, but it could be anything. It transpired that this had been created to monitor a whole country's phone calls and so capacity was not an issue. Worked stunningly well, even when we chose our own words and in different accents. They said it was deployed in several other countries at national level and one not 'far from here' :)

The second one was capable of capturing voice and conversational prints in R/T and allowing you to recognise a customer and then 'verify them' to a level that would, it seemed, satisfy bank security. A % certainty being calculated throughout the whole call. They claimed that it could even identify the real person when under duress, due to the understandable changes. It worked by capturing a print over time of a verified person and creating a profile. BTW this tech is embedded and employed across a whole range of businesses and banks etc., albeit by now improved/extended I am sure.

Anyway - it dawned on me while listening that if they could recognise the tones, cadence etc. to create what looked like a wave form, didn't that allow them to take that and apply it to a voice to mimic someone exactly? It was all very relaxed up until then and I never did get a reply, because all of a sudden they could only speak Hebrew and they packed up their stuff citing another urgent appointment. :)

If anyone watched that recent TV drama The Capture you can perhaps guess how this has evolved. Scary stuff but just a little bit exciting in a nerdy sort of way.
