Stupid Security Questions

I’ve always had a problem with security questions asked by banks and other financial institutions. For one thing, these security questions are not really that secure and are easy to guess and reverse engineer. In 2008, the Republican vice-presidential candidate, Alaska Governor Sarah Palin, had her email hacked by someone guessing the answers to her security questions. From a Wired report on the email crack:

The Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

Recently, it was reported that President Obama’s Twitter account was hacked by guessing the security question used by the password recovery system. These types of ‘hacks’ require no computer science degree, computer security expertise, or black hat hacking skills. This is the sort of ‘hacking’ that an ex might find themselves doing on your Facebook account. I would not put a lot of blame on curious kids with a lot of time on their hands and an internet connection; I put the blame on enterprise software architects that put stupid and weak security systems in place.

At first, security questions consisted of naming the town where you were born, or the maiden name of your mother. Then they progressed to the name of your third grade teacher, then the last name of your fifth girlfriend, then to where you were during the 1989 Loma Prieta earthquake, and they have gotten worse since then. Here are some security questions I found myself forced to answer.

  • Who was your childhood hero?
  • What is the first and last name of your first boyfriend or girlfriend?
  • Which phone number do you remember most from your childhood?
  • What was your favorite place to visit as a child?
  • Who is your favorite actor, musician, or artist?
  • What was the last name of your third grade teacher?

The problem now, with the current trend of security questions, is that even I don’t know the answers to them, or their answers might change over time. Try to answer any of the above security questions five years from now and you might sound like the following… “I liked both Spiderman and Wolverine, but I might have answered Superman. I liked Britney Spears then, but not as much as Miley Cyrus, but wasn’t Lady Futura big then.”

I think that security questions are neither secure nor practical. They are an annoyance for users and highlight security flaws in computer systems.

Here is a list of security questions considered good. Notice that they all suffer from the issues outlined here: they are either easy to guess or easy to forget.

  • What was your childhood nickname?
  • In what city did you meet your spouse/significant other?
  • What is the name of your favorite childhood friend?
  • What street did you live on in third grade?
  • What is your oldest sibling’s birthday month and year? (e.g., January 1900)
  • What is the middle name of your youngest child?
  • What is your oldest sibling’s middle name?
  • What school did you attend for sixth grade?
  • What was your childhood phone number including area code? (e.g., 000-000-0000)
  • What is your oldest cousin’s first and last name?
  • What was the name of your first stuffed animal?
  • In what city or town did your mother and father meet?
  • Where were you when you had your first kiss?
  • What is the first name of the boy or girl that you first kissed?
  • What was the last name of your third grade teacher?
  • In what city does your nearest sibling live?
  • What is your youngest brother’s birthday month and year? (e.g., January 1900)
  • What is your maternal grandmother’s maiden name?
  • In what city or town was your first job?
  • What is the name of the place your wedding reception was held?
  • What is the name of a college you applied to but didn’t attend?
  • Where were you when you first heard about 9/11?

Another trend that I have noticed is that financial institutions and credit companies have a lot of private data on you and other prospective borrowers. So they don’t need to ask you such security questions; they can generate their own and match your answers to the years of paper trail and data fingerprints they have on you. If you call your bank in the near future, don’t be surprised if they ask you who you lost your virginity to.
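As an added example (not code from the original post), here is how a recovery-answer check could be built to blunt the two failure modes described above: answers are normalized so case, spacing and punctuation differences do not lock a legitimate user out, only a salted slow hash is stored, and guesses are throttled because an answer like “Wasilla High” has far too little entropy to survive unlimited attempts. The MAX_ATTEMPTS value and the AnswerStore class are my own assumptions.

```python
import hashlib
import hmac
import os
import re
import string

# Added example, not from the original post: a minimal recovery-answer store.
MAX_ATTEMPTS = 5                                   # assumed lockout policy
_PUNCT = str.maketrans("", "", string.punctuation)


def normalize_answer(answer: str) -> str:
    """Lower-case, drop punctuation, leading articles and all whitespace."""
    text = answer.strip().lower().translate(_PUNCT)
    text = re.sub(r"^(the|a|an)\s+", "", text)
    return re.sub(r"\s+", "", text)


def _digest(answer: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked store cannot be guessed offline cheaply.
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 100_000)


class AnswerStore:
    def __init__(self):
        self._records = {}  # user -> [salt, digest, failed_attempts]

    def enroll(self, user: str, answer: str) -> None:
        salt = os.urandom(16)
        self._records[user] = [salt, _digest(answer, salt), 0]

    def verify(self, user: str, answer: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            return False
        salt, digest, failed = rec
        if failed >= MAX_ATTEMPTS:
            return False  # locked out: low-entropy answers must not be brute-forced
        if hmac.compare_digest(_digest(answer, salt), digest):
            rec[2] = 0
            return True
        rec[2] = failed + 1
        return False
```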

Computer Error Led to 50 Plus Visits from the Police

The home of an elderly couple in Brooklyn, New York was visited by police “50 or so” times over a span of 8 years. If you’ve had the police come for a visit, you would know that they don’t come bearing gifts. When the police come a knocking, they might pound your door in with a battering ram and kill your dogs. So you can only imagine what fright the retired couple had to endure. The numerous police visits were traced to a software glitch in a computer system used by the New York Police to track crime complaints and criminal activity. As is customary for Associated Press reports, there is very little information or follow up on the nature of the software system in question. The exact details behind the computer error were not given, other than to say that the error started in 2002 when the police upgraded from a manual process to an automated computer system.

From working with a variety of computer systems, I know how an error like this can potentially have been introduced. Oftentimes, when working on a new software feature, you have to test said feature, but with fake data. A common practice is to simulate a small portion of the computer system with fake data to mock the environment. In the worst situations, actual test data or test conditions are hard coded in the actual application. If fake test data is embedded in a production system, like that used by the New York Police, there might be certain conditions, like a certain date or time or report type, that will trigger the test data to percolate to the surface.

Along these lines, I have seen certain features in a computer system not function correctly because it is installed on Windows Vista as opposed to Windows Vista, or that on leap years it behaves erratically, or that if you installed it on the D: drive as opposed to the C: drive you won’t be able to save files, etc.

As we wrap databases and computer systems around every piece of personal data, from credit reports to no fly lists, it is important to design them in such a way as to limit the number of potential victims of said systems. For example, if you are a victim of identity theft you will have to go to great lengths to clear your name and credit history because of how these systems are replicated and copied and ultimately considered to never be wrong.

Sources: