Topic 'What is the risk of this?' in forum 'Security' - dslreports.com

Re: What is the risk of this?

Mon, 03 Dec 2012 13:53:38 EDT

Snowy posted :

said by AVD:

It wasn't until there was movement in Congress to assert the privacy of SSNs that such practices faded away. But until Congress moved, no amount of rhetoric could persuade the organization or the state to change their practices.

it sorta happened overnight, except for the example I cited which happened about 3 years ago.

I can make a calculated guess @ what you were eating that day.
I'd even say how many slices you had but with much less certainty. :)

Re: What is the risk of this?

Mon, 03 Dec 2012 13:29:55 EDT

EGeezer posted :

said by anon user :

I can't change the password to my account on a site with out clicking on Forgot user name and password, and then answering the security questions - even while I know the correct user name and password.

What is the security risk of that?

It's less risk than being able to change the password without having to provide the answers.

said by Snowy:

What would you hear if you asked The Teenage Mutant Ninja Turtles what is their favorite food?

Turtle soup.

--
Buckle Up. It makes it harder for the aliens to suck you out of your car.

Re: What is the risk of this?

Mon, 03 Dec 2012 13:07:34 EDT

AVD posted :

said by Blackbird:

it sorta happened overnight, except for the example I cited which happened about 3 years ago.
--
* seek help if having trouble coping
--Standard disclaimers apply.--

Re: What is the risk of this?

Mon, 03 Dec 2012 12:51:56 EDT

dave posted :

said by AVD:

and you miss my point. The trick is to answer those questions in an non obvious way.

That's ok if you often use the same unobvious way. But I find if I get too creative, it's harder to remember my lies than it is to remember the actual password, thus rendering it pointless.

Re: What is the risk of this?

Mon, 03 Dec 2012 12:12:33 EDT

Blackbird posted :

said by AVD:

said by Blackbird:

said by anon user :

...That is what they do, but they only ask for: Social Security Number, Birth Date as MMDD and Last Name Including Suffix (Example Smith Jr)
So, how safe/risky is it - what they are doing?

Are you an employee of the organization? That is, is this an access portal into the company network?

My company used the full 9 digit SSN to validate initial signups to an internet based benefits portal. I think saner heads prevailed.

An organization I once was part of used SSNs for their employee ID numbers... and then put those numbers on the face of the badges. Ditto for this state using the SSN for your driver's license ID number. It wasn't until there was movement in Congress to assert the privacy of SSNs that such practices faded away. But until Congress moved, no amount of rhetoric could persuade the organization or the state to change their practices. Using a SSN for ID over the Internet is just plain wrong.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

Re: What is the risk of this?

Mon, 03 Dec 2012 11:55:10 EDT

AVD posted :

said by Kilroy:

said by AVD:

pizza
pizza
pizza
bronx, ny

All fine until you get to the sites that require six characters in your answers and won't allow any two to be the same.

Back to the OP, the security risk is that someone who knows you well may know the answers to your security questions. This is the issue I have with this method of password resets. What is stopping your soon to be ex from hijacking your accounts and making your life a little more miserable? Forget the fact that most of these questions can be answered by using someone's Facebook page.

and you miss my point. The trick is to answer those questions in an non obvious way.
--
* seek help if having trouble coping
--Standard disclaimers apply.--

Re: What is the risk of this?

Mon, 03 Dec 2012 11:46:34 EDT

Kilroy posted :

said by AVD:

pizza
pizza
pizza
bronx, ny

Re: What is the risk of this?

Mon, 03 Dec 2012 11:22:04 EDT

AVD posted :

said by Blackbird:

said by anon user :

...That is what they do, but they only ask for: Social Security Number, Birth Date as MMDD and Last Name Including Suffix (Example Smith Jr)
So, how safe/risky is it - what they are doing?

Are you an employee of the organization? That is, is this an access portal into the company network?

My company used the full 9 digit SSN to validate initial signups to an internet based benefits portal. I think saner heads prevailed.
--
* seek help if having trouble coping
--Standard disclaimers apply.--

Re: What is the risk of this?

Mon, 03 Dec 2012 11:21:00 EDT

Blackbird posted :

said by anon user :

...That is what they do, but they only ask for: Social Security Number, Birth Date as MMDD and Last Name Including Suffix (Example Smith Jr)
So, how safe/risky is it - what they are doing?

Are you an employee of the organization? That is, is this an access portal into the company network?
--
�The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.� A. de Tocqueville

Re: What is the risk of this?

Mon, 03 Dec 2012 07:38:15 EDT

AVD posted :

said by dave:

Your mother's maiden name was 'pizza' ?
You went to school at pizza high?
Your first pet was pizza?

that's the whole point isn't it?
--
* seek help if having trouble coping
--Standard disclaimers apply.--

Re: What is the risk of this?

Fri, 30 Nov 2012 22:28:37 EDT

anon posted : My apologies for doubting you.
As dave mentioned earlier if the challenge question answers consist of data the site already has then it's not the huge issue it would normally be seen as.

However, exchanging a password for only the challenge question answers is not too sharp, actually it's piss poor security, IMO.

Snowy-not-logged-in

Re: What is the risk of this?

Fri, 30 Nov 2012 20:28:38 EDT

anon posted :

said by Snowy:

said by dave:

I now suspect this might be a troll.

The OP could post the site address to prove otherwise but I'm doubting the site exists.

It is at »ws1.aholdusa.com/jgpromos/homeac···dex.html

I can not for security reasons tell you the answers to the security questions OR give to you my account info so that you can verify, once logged in you can not change the password.

Re: What is the risk of this?

Fri, 30 Nov 2012 18:45:02 EDT

Snowy posted :

said by dave:

I now suspect this might be a troll.

The OP could post the site address to prove otherwise but I'm doubting the site exists.

Re: What is the risk of this?

Fri, 30 Nov 2012 18:35:31 EDT

dave posted : They want your social security number - what could possibly go wrong with that?

I now suspect this might be a troll. Apologies if I'm accusing you unjustly - but really, do you have to ask about using your social security number as identification? (Unless, perhaps, this is some financial web site where they have that data anyway; but you're not giving a lot of detail, which helps me suspect trolling).

Re: What is the risk of this?

Fri, 30 Nov 2012 18:27:24 EDT

anon posted :

said by dave:

The lesser risk depends on how the forgot-my-password mechanism is arranged. If they give you a new password right there in exchange for questions of the mothers-maiden-name variety, it's not particularly secure: such data can be found out.

That is what they do, but they only ask for:
Social Security Number, Birth Date as MMDD and Last Name Including Suffix (Example Smith Jr)

So, how safe/risky is it - what they are doing?

Thanks

Re: What is the risk of this?

Fri, 30 Nov 2012 04:02:32 EDT

Laura_cyber posted : The main risk includes is that, your account can be hacked easily with little efforts.
Try to switch on other secured options available on the web, it would be more convenient for you then.

Re: What is the risk of this?

Thu, 29 Nov 2012 22:10:53 EDT

Snowy posted : What would you hear if you asked The Teenage Mutant Ninja Turtles what is their favorite food?

Re: What is the risk of this?

Thu, 29 Nov 2012 21:43:55 EDT

dave posted : Your mother's maiden name was 'pizza' ?
You went to school at pizza high?
Your first pet was pizza?

Re: What is the risk of this?

Thu, 29 Nov 2012 18:34:06 EDT

Snowy posted :

said by anon user :

What is the security risk of that?

On the other side of that...
It adds a layer of authentication, as in a 2 factor challenge if it's in addition to just using a registered email address to send a password token.

Using a hijacked email account to get access to different password protected sites is a daily occurrence.
This policy would eliminate or at least slow down an account hijacking depending on the strength of the security challenge Q & A's.

Re: What is the risk of this?

Thu, 29 Nov 2012 16:46:58 EDT

AVD posted : pizza
pizza
pizza
bronx, ny

Re: What is the risk of this?

Thu, 29 Nov 2012 16:30:45 EDT

dave posted : The main risk is that a site that fails to provide a way to change your password directly is incompetent, and probably has other problems too.

The lesser risk depends on how the forgot-my-password mechanism is arranged. If they give you a new password right there in exchange for questions of the mothers-maiden-name variety, it's not particularly secure: such data can be found out. If they mail you a link to reset the password, it's a little better: someone needs to intercept your mail as well.

What is the risk of this?

Thu, 29 Nov 2012 16:24:32 EDT

anon posted : I can't change the password to my account on a site with out clicking on Forgot user name and password, and then answering the security questions - even while I know the correct user name and password.

What is the security risk of that?

Thanks