dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
6119
share rss forum feed


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4

1 recommendation

Secret Security Questions Are a Joke

»it.slashdot.org/story/12/08/09/1···e-a-joke



Raphion

join:2000-10-14
Samsara

1 recommendation

Security questions are like leaving your back door unlocked, just incase you lose the key to the front door.



JALevinworth

@embarqhsd.net
reply to antdude

said by »it.slashdot.org/story/12/08/09/1···e-a-joke :
"...But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers. 'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen, 'even more easily so today than in the 1980s when security questions evolved as a means of protecting bank accounts.' Part of the problem is that a good security question is hard to design and has to meet four criteria: A good security question should be definitive — there should only be one correct answer; Applicable — the question should be possible to answer for as large a portion of users as possible; Memorable — the user should have little difficulty remembering it; and Safe — it should be difficult to guess or find through research. Unfortunately few questions fit all these criteria and are known only by you."

As per: "Part of the problem is that a good security question is hard to design" - IMHO the real problem is not the question, but the answer to which most are trained to answer truly.

Most either assume or feel required to give the correct and honest answer to these questions - as if there is some way for an authority to validate those answers legally somewhere down the road if challenged.

There is no authority that presently can/will validate true answers to these questions (SSI nor DMV nor Birth Certificates, nor issuing banks that use them) if so challenged - but many/most people feel compelled to give the correct answers as if that may be true.

The solution is that individuals need to use alternative answers only known to them. Of course one needs to remember these answers, but consistently done it's just as easy as using the true, honest answer - but far, far more secure This is what I have always done and teach others to do also.

Ex: What's your mother's maiden name? - Use your pets name, or use your middle name, or your grandmother's middle name or use something random - as long as you can remember what that is (consistency helps), and most importantly that only you know what your alternative answer is.

-Jim


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by JALevinworth :

Ex: What's your mother's maiden name? - Use your pets name, ...

Absolutely.
Mix it up & keep'em guessing.
I'll frequently borrow a pet's name when it comes to online verifications.
My user name on this site is actually one of my cats names.

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable
reply to antdude

my thinking is that the problem with "security questions" is that they are less secure than passwords since, a lot of times, the security questions ask you for personal information that can be dug up, like "what street did you live on when you were a child?" "what is your mother's maiden name?".. so, i use bogus information for those types of security questions..

one time, when i had a problem with my yahoo account, instead of giving me security questions to answer, they told me to tell them what the security questions were, as well as the answers.. i couldn't tell them what the security questions were but said that if they would tell me what the security questions were then i would provide the answers, but they refused to tell me what the security questions were.. uhg!



CylonRed
Premium,MVM
join:2000-07-06
Bloom County
reply to JALevinworth

Problem is remembering what was used - that is why people answer them 'honestly' and truthfully. Many have to use the questions to begin with that by the time it is needed - people do not remember the one they used.

I have this issue with my birthplace - once I used the city my family lived in when I was born instead of the city name in the hospital (where I really was born). I continually locked myself out of the website because I could not remember which one I used. I figured the one I switched to would be easier to remember - I was wrong.
--
Brian

"It drops into your stomach like a Abrams's tank.... driven by Rosanne Barr..." A. Bourdain



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable
reply to redwolfe_98

said by redwolfe_98:

one time, when i had a problem with my yahoo account, instead of giving me security questions to answer, they told me to tell them what the security questions were, as well as the answers..

The 'what are your questions' challenge was an easy way to harden a weak verification routine with data that was already there.
I had the same problem with not knowing the questions because it wasn't necessary to remember them when they were set.
I don't know of any service provider that adopted this extra challenge that actually informed it's users of the change.


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric

What's even more fun is when the site security admins expect you to remember not only the answer to the security question you provided, but the question itself.

I had a particular law enforcement site that required me to call in to to replace an expired password. the admin asked me "What is your security question and answer?"

That one took a little time but I finally guessed the right question, and provided the right answer.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to antdude

Click for full size
I say Bullshit..and what the individual wrote in your link does not even come close to any lessons to be learned from Mat's problem...it should really read..Apple Security is a Joke..and always was..and even their employees you talk to have no real sense of Security or caution..they just each make up their own rules and need more training.

Even my cat agrees..
»www.newsbiscuit.com/2012/06/08/c···a-digit/


JALevinworth

@embarqhsd.net
reply to CylonRed

said by CylonRed:

Problem is remembering what was used - that is why people answer them 'honestly' and truthfully. Many have to use the questions to begin with that by the time it is needed - people do not remember the one they used.

I totally agree that it's easy to forget, and that's why consistency is key to remembering what these alternative answers are. That way when you do have to use the reminder it's not that hard to remember the alternative set - Far less hard than remembering passwords which always should be unique and not consistent.

Even more secure is mixing them up, as Snowy suggests too, but still using consistent alternate answers is still a far better system to have something else, anything else, than data that can be found elsewhere such as public records or even through social engineering.

-Jim


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to antdude

This is what really happened in Mat's own words and I think it is stupid all these other writers out there on the net and their blogs just post crap they think is important..but not really relevant..working on the heals of the tragedy he faced.

At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his .Me e-mail — which, of course was my .Me e-mail.

In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.

I spent an hour and a half talking to AppleCare. One of the reasons it took me so long to get anything resolved with Apple during my initial phone call was because I couldn’t answer the security questions it had on file for me. It turned out there’s a good reason for that. Perhaps an hour or so into the call, the Apple representative on the line said “Mr. Herman, I….”

“Wait. What did you call me?”

“Mr. Herman?”

“My name is Honan.”

Apple had been looking at the wrong account all along. Because of that, I couldn’t answer my security questions. And because of that, it asked me an alternate set of questions that it said would let tech support let me into my .Me account: a billing address and the last four digits of my credit card. (Of course, when I gave them those, it was no use, because tech support had misheard my last name.)

It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.

Apple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. “That’s really all you have to have to verify something with us,” he said.

We talked to Apple directly about its security policy, and company spokesperson Natalie Kerris told Wired, “Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”

On Monday, Wired tried to verify the hackers’ access technique by performing it on a different account. We were successful. This means, ultimately, all you need in addition to someone’s e-mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file. Here’s the story of how the hackers got them.

»www.wired.com/gadgetlab/2012/08/···ing/all/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


JALevinworth

@embarqhsd.net

said by Name Game:

This is what really happened in Mat's own words and I think it is stupid all these other writers out there on the net and their blogs just post crap they think is important..but not really relevant..working on the heals of the tragedy he faced.

The article antdude posted preferences that even though Apple failed to ask the security question, even if they had - security questions are a weak link too.

A security discussion based on that notion is not valid to you?

This thread isn't about Matt, but in Matt's situation, although a bit hyperbole to call it a "tragedy", had many lessons that can be learned from - both institutionally and personally. The system is broken and all discussions related to the system should to be had, not stifled, whether related to Matt specifically and directly or not. You don't have to agree, just saying.

-Jim


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits

If they were asked, the perpetrator could not have answered them.. it would have end there...they were not weak..what gave you that opinion ? Do you know the questions he had ?

Apple is still the problem..not the questions..Apple does not have a clue how to secure accounts or how to implement security.

»news.cnet.com/8301-13579_3-57424···estions/

»support.apple.com/kb/HT5312?viewlocale=en_US

»discussions.apple.com/thread/405···tstart=0
56 min ago...
»discussions.apple.com/message/19···19221027

--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to antdude

Matt now realizes that 2 step verification as google lays it out is good and he should have taken advantage of it.

»www.theatlantic.com/technology/a···/260822/

»googleblog.blogspot.com/2011/02/···our.html

»www.mattcutts.com/blog/google-tw···ication/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


hortnut
Huh?

join:2005-09-25
PNW
kudos:1
Reviews:
·Comcast
reply to antdude

My take on this is mirrored in other's answers.

I happen to like the questions.

But no one is going to know the High School I graduated from, nor the first street name, first pet name and so on.

I pull some information from over 150 years ago, some is from imaginary cities or cities I would like to live in and such other ilk.

For me it is consistent, but not sure how someone could deduce it from any public records. Not even friends know cities I would like to live in. When bored, use Google Maps to visit these places.

For a pet's name, sometime will give best friend's from high school dogs name.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Gee, high school must have been recently if you remember your best friend's dog's name! I haven't the vaguest idea what my best friend's horse's name was (I don't think she had a dog). I've never had a security question ask me my first pet's name...who remembers that? You were probably maybe four years old and back then pets tended to not live very long...I had three or four before the dog that lived to be almost 20 and I don't recall the names of any of the earlier ones. Plus, I had about ten cats...it's a dumb question.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



JALevinworth

@embarqhsd.net
reply to Name Game

said by Name Game:

If they were asked, the perpetrator could not have answered them.. it would have end there...they were not weak..what gave you that opinion ? Do you know the questions he had ?

I never said the questions Apple didn't ask could or couldn't have been answered. I am not talking about Apple at all.

Again, this thread isn't about Apple and Matt, this thread is an discussion about how week security questions are - Not Matt's nor Apples. Check the title (I am honestly questioning you didn't make a wrong turn to this thread from the Apple/Matt one).


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit

1 recommendation

The questions are secure enough..they are not a wasted security step..if anything you should be calling them second, third and even in some cases fourth passwords. Is that what you wanted to hear ?

And this is about Apple since they just bypassed that whole process and gave up the farm for Mat. I call blogs and posting like the OP found nothing but copycat blog.

Apple, like Microsoft when they started, cared bugger all for Security and so now at this midnight hour they start to put safe guard in place and it is too late.. it is not working, it is confessing their users and owners of their products...and their is more problems with even the owners getting locked out of their own account as they play the catch up game that Apple is playing. I read the Title..it is the same stupid title used by the person who blogged the stuff and nothing to do with antdude.
It is a weak title this week for the info at the link.

_________________________________________________

Interesting to note one of the other people at the link antdude posted claimed..

by Cinder6 (894572) on Thursday August 09, @12:05PM (#40932671)
Hell I did it with Blizzard for what, $30 and I got a plush toy.

This has always bothered me. My Blizzard and SWTOR accounts have much stronger authentication (from a user perspective; not sure about the underlying technical security measures) schemes than my bank account. My bank only allows a maximum of 14 characters in a password and severely limits you on what special characters you can use. They also have no form of secondary authentication, such as Blizzard's Battle.net Authenticator. Finally, their security questions are a joke, all along the lines of those mentioned in TFS--"What is your mother's maiden name" and the like.

and Blizzard was just hacked...so it is never safe out there..no matter what steps a user takes..

»Blizzard Says Battle.Net Has Been Hacked
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


carpetshark3
Premium
join:2004-02-12
Idledale, CO
Reviews:
·CenturyLink
reply to hortnut

Did the same except also used the slang name for the neighborhood. Which is on no map.

Daughter used to make up words when small. I've also used her made up vocabulary - would you know a what a word like catpiss or joppy referred to? Some were just mispronunciations.

Even the vet has trouble with our cats' names. Always has.

I can also remember instances from age 2.



rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
reply to Raphion

I think they are more like hiding a key in a glass jar under the bushes next to the back door.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.



rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
reply to Name Game

My wife told me that every cat has a secret name. If you knew your cat's secret name, you could use that as a hint, but your cat won't tell you.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.



Spy
Premium
join:2001-09-22
NE
reply to antdude

they should just make the questions better, like how many times do you use plastic see through gloves when you use the toilet in a week or something like that.



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

2 recommendations

reply to antdude

"What was your first pet's name?"
pIZZA

"Where was your bother born?"
pIZZA

"What is your maternal grandmother's first name"
pIZZA

"What is you favorite food?"
eLENORE
--
--Standard disclaimers apply.--
The preceding posting is null and void in Arizona and any other jurisdiction where prohibited by law.



antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
reply to antdude

I just put random answers and do write these down, encrypted.



JALevinworth

@embarqhsd.net
reply to Name Game

said by Name Game:

The questions are secure enough..they are not a wasted security step..if anything you should be calling them second, third and even in some cases fourth passwords. Is that what you wanted to hear ?

Once again, I'm totally at a loss where you're coming from concerning my words and now my thoughts. But ok, I'll play along..... No, that's not what I wanted to hear. I guess if I wanted to hear anything it would have been something acknowledging that you didn't realize you weren't in the Apple/Matt thread and therefore didn't realize you were crapping antdude's thread and a decent conversation on the general topic of password questions that was in progress. I say that only because you asked.

said by Name Game:

And this is about Apple since they just bypassed that whole process and gave up the farm for Mat. I call blogs and posting like the OP found nothing but copycat blog.
[snip]
I read the Title..it is the same stupid title used by the person who blogged the stuff and nothing to do with antdude.
It is a weak title this week for the info at the link.

*Sigh* - I am editing out what I would have said to minimize my reply here in respect to the thread, the OP, and the other posters.

Honestly, Name Game. Your replies to me confused me not only here but previously (even sans edits). They attribute words and thoughts to me I don't understand how you got. I even questioned that you didn't have me confused with someone else. Adding to that the additional postings you added which are a follow up the Apple/Matt thing (google 2-step) and not about the topic here but seemed to me were intended for that topic thread. My only explanation was thinking you were making an honest mistake. I understand now your intent is clearly to be here.

I hope you'll allow the conversation about how password questions in general are weak to continue at this point.

-Jim


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Don't be silly..you can talk about what you wish..I posted about what was found in the link..don't know if you read all the comments in that link..but I will tell you..the person who started that discussion at that link..then associating it even remotely with Mat made the same mistakes others have by not reading his own account of exactly what really happened and have no understanding on Apple's security questions. Mat has even made that clear on his twitter. What they have read is other bloggers accounts of what they think happened.
»twitter.com/mat

The link contained this statement "But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers."
To that I say bullshit again.

The rest of the stuff you just posted..I have no idea what you are talking about..but it seems you do..so have a great day
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to JALevinworth

BTW this is the actual full article that blogger cut and pasted without the link posted at slashdot forum thingie...

»www.theatlantic.com/technology/a···/260835/

Rosen article not only was about Mat..she tried to spin it into something that had nothing to do with the event.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to hortnut

said by hortnut:

My take on this is mirrored in other's answers.

I happen to like the questions.

But no one is going to know the High School I graduated from, nor the first street name, first pet name and so on.

I pull some information from over 150 years ago, some is from imaginary cities or cities I would like to live in and such other ilk.

For me it is consistent, but not sure how someone could deduce it from any public records. Not even friends know cities I would like to live in. When bored, use Google Maps to visit these places.

For a pet's name, sometime will give best friend's from high school dogs name.

I like them too. Some others that are used at sites one can choose from include.
What is you childhood nickname ?
What is your father's middle name?
What was your mother's maiden name?

If you want to get fancy just use those questions..but put in info as if it was your spouse for your own account.

Many other sites are now including a small avatar type graphic that you must confirm..that you chose when setting up the account. And then even asking if you are now at the login on your home computer or a public one.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


norwegian
Premium
join:2005-02-15
Outback

1 edit

1 recommendation

reply to AVD

I don't use a lot of sites with security questions......do they allow lower case and higher case letters as such?

--------------

Back to my thoughts:

To me it starts to go back to how many sites, how many passwords, etc etc. While I understand this is about security questions, it is still relevant to some extent with passwords or any other form of authentication on the Internet...that is:

The more sites we visit with some form of authentication, the more we have to remember..for instance, our work on on tool has so much restriction on re-using passwords within a certain time frame, that it is weakening the password structure and as such I'm now answering with words for passwords not so dissimilar to answers for security questions to make it easy for my memory.

Security questions to me are very weak. Generally speaking, the general public will use legitimate answers, and hence they generally become a weak link.....half a dozen security experts can say they use obscure wording for these answers, and it is good, it helps educate us on the possibilities; however if the vast general public does not, then it is flawed, extremely flawed to start with - its no different in the discussion I have on facebook - you can use tools or you don't - the mass general public do not, and this needs to be addressed.

As I said, the more sites we visit or need, the problem is intensified, be that Mat/Apple, Bill/Bank, Harry/Online Newspaper or Harriett and her online art store. We are venturing into a need for being on line, having a plethora of sites we need to log into and a system with no basic standard, no basic sense of security and if you mix them all up, you end up with Mat and Apple/Amazon.....as an example.

Edit:grammer/spell
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



hortnut
Huh?

join:2005-09-25
PNW
kudos:1
Reviews:
·Comcast
reply to Mele20

I graduated in 1970, just after Woodstock, the Summer of Love, the Riots, Height of Vietnam, Sit ins, etc.

Anyway I just made something up in my head based on my Friend's older brother's features.

Yep it seems dumb, but no one is going to guess my answer.

Worked at the turn of the Century for a Telco ISP and we had two factor authentication then [only those with that Telco could have a Dial up Account]. Came across some pretty silly and strange names.