Friday, February 7, 2014

Just sayin': Digital security

Warning, as the title indicates, this post verges on being a rant!

I just had to go through the process of changing the password and security questions on one of my financial accounts – yet again – and this reminded me all over again that sometimes we get pretty dumb about digital security.

Don’t get me wrong, I used to work in the digital world and I don't take digital security lightly, but that's just my point. We are often under the mistaken impression that the processes in place have secured our accounts when often they really haven't.
 
Take expiring passwords. We jump through hoops that make us feel good about our security, namely changing passwords regularly, but it's often not actually doing anything useful for us. For example, in the corporate world, where a hacked account can be used to surreptitiously sneak in and pilfer little bits of information time and time again as long as it’s done intelligently and doesn’t trip any alarms, regularly changing passwords makes sense. This means even the successful account hacker has a limited amount of time to get up to their nefarious deeds before access is denied and they need to start over again. But what is the sense in forcing me to change the password on a financial account?? The hacker isn’t trying to get my client list or discover my business strategy for the 4th quarter, he/she is after funds and that’s something that’s going to be noticed pretty damn quickly! And then I’m hardly likely to sit around waiting for my current password to expire before changing it!

And the security question thing is a joke!

It doesn’t get asked very often, at least that’s my experience, but once in a while, if there is a question about the integrity of the account access, then the security question & answer thing is supposed to provide another layer of protection.

Yeah right! How hard do you think it is for me, or anyone else, to come up with your mother’s maiden name??? That’s public information!! So is the name of the high school you attended or the street your first house was on and your mother’s father’s first name. All questions I've seen on the lists of security questions you can choose from.

Now you have to be a pretty interesting target for someone to invest the time it takes to find some of this information and I suspect most of us just aren’t that interesting, but the point is, that information is out there so these types of so-called security questions aren’t really providing security at all!

And in this day and age of social networking where we tend to forget we aren’t just having a conversation with a ‘friend’ but rather with the entire world, even the answers to seemingly more obscure questions, such as the name of your first pet or your favorite color, aren’t necessarily that hard to come by.

But of course, effective or not, secure or not, security questions are not going to go away. There’s a whole economy built up on supplying ‘security’ for a fee. A whole bunch of third-party companies exist only because they are selling security services to anyone that will bite: corporations, banks, mom-and-pops, even high-profile private individuals. They do this by convincing clients, including my banker (who, to be fair, is a financial person and doesn’t know diddly-squat about digital security), that expiring passwords and a secondary wall of standard security questions is the way to go. So, since I can't fix the underlying issues, nor am I interested in trying, my solution is to offer up nonsense.

For instance, I would never, under any circumstances, secure an account with my mother’s actual maiden name, but since there is a high likelihood that someone is going to ask me to do so at some point, my strategy is to give a nonsense answer. What’s my mother’s maiden name? King Henry the Third. Obviously that’s not really her maiden name (nor is it the answer I actually use, which is just as nonsensical, but I’m clearly not going to tell you what it is!!), so now the answer to that question is undiscoverable unless I tell someone what it is (and if I do that I deserve what happens next!), and it still works even though the answer is technically wrong. It works because you get asked one of your security questions, you give them the answer they expect, and you’re in. Nobody’s checking to see if you really did live on Dining Room Street when you were 20; they just want the answer to match the question.

I’ve further developed this strategy to address the fact that I have a number of different accounts of various types and most of them have some variant of the security question defense. Some of these accounts are secured with a single security question but many others have three different questions that may be asked at random, requiring three different answers. So, other than writing them down, which opens a whole ‘nother can of worms, how to keep all these answers straight when the answers are random nonsense?

It’s pretty simple actually. Pretty much every time, you can count on at least one of the available choices to ask about a name, another to ask about a street and yet another to ask about a pet. It doesn’t matter what the actual question is (what street was your first apartment on? what street do your parents live on? what street is your favorite restaurant on?); as long as it has ‘street’ in it I have a stock, nonsensical answer, and the same goes for any question that has ‘name’ or ‘pet’ in it. Now I only have three answers to remember for all my accounts, and I’m not quite so old that I can’t remember three words.

Once in a while you won’t get all three, name, street and pet, offered up, but in my experience you are allowed more than one try at getting through the security question bit so as long as even one of the questions fits your standard nonsense answers you’re all right.

And now for something slightly different, but still along the same general lines: if you ever have the need to call your doctor about something (test results, prescription, insurance status, whatever), whoever answers the phone is most likely going to verify that it’s really you by asking for your birthdate. Get that right and they'll tell you anything. Though nearly criminally stupid, this is very common in the whole medical industry, including insurance companies!

Just how hard is it to come up with someone’s birthdate? In case you don’t know the answer; not very. Not only is it public information, but we tend to make it even easier than that! How many social networking sites, email accounts, etc. either insist, or make it an option, that you give your birthdate? Just now I only had to click through three random blogs on a popular blogging site to come up with names and birthdates of two people and I didn’t even have to click the ‘view complete profile’ link on one of them to do it. Pretty damn scary.

Just like with my mother’s maiden name, I would never give out my actual birthdate, and not because I don’t want people to know how long I’ve been around. In fact I usually use the correct year, because hey! I’m at an age now where I can see my own eyebrows without a mirror and can pluck ear-hairs with my bare fingers, and I’ve earned every one of those years, dang it! But I change the month and day to something that's not mine. Again, I have a stock answer so it's easy to remember, and now, though my birthday is just as easy to find as anyone else's, if someone tries to use that information to gain access to my stuff, it won't work...
 
It's not perfect; theoretically, if something akin to the recent Target hack happens to one of the institutions I do business with, my nonsensical answers or birthdate might be compromised, but it's certainly better than just going along with the herd while there's wolves lurking in the tree line!
