I just had to go through the process
of changing the password and security questions on one of my financial accounts –
yet again – and this reminded me all over again that sometimes we get pretty dumb
about digital security.
Don’t get me wrong, I used to work
in the digital world and I don't take digital security lightly, but that's just my point. We are
often under the mistaken impression that the processes in place have secured our accounts when often they really haven't.
Take expiring passwords. We jump through hoops that make us feel good about our security, namely
changing passwords regularly, but it's often not actually doing anything useful for us. For example, in the corporate
world, where a hacked account can be used to surreptitiously sneak in and
pilfer little bits of information time and time again as long as it’s done intelligently
and doesn’t trip any alarms, regularly changing passwords makes sense. This
means even the successful account hacker has a limited amount of time to get up
to their nefarious deeds before access is denied and they need to start over
again. But what is the sense in forcing me to change the password on a
financial account?? The hacker isn’t
trying to get my client list or discover my business strategy for the 4th
quarter, he/she is after funds and that’s something that’s going to be noticed
pretty damn quickly! And then I’m hardly likely to sit around waiting for
my current password to expire before changing it!
And the security question thing is a
joke!
It doesn’t get asked very often, at
least that’s my experience, but once in a while, if there is a question about
the integrity of the account access, then the security question & answer
thing is supposed to provide another layer of protection.
Yeah right! How hard do you think it
is for me, or anyone else, to come up with your mother’s maiden name??? That’s
public information!! So is the name of the high school you attended, the street
your first house was on and your mother’s father’s first name, all of them questions I've seen on the lists of security questions you can choose from.
Now you have to be a pretty
interesting target for someone to invest the time it takes to find some of this
information and I suspect most of us just aren’t that interesting, but the
point is, that information is out there so these types of so-called security questions
aren’t really providing security at all!
And in this day and age of social
networking where we tend to forget we aren’t just having a conversation with a ‘friend’
but rather with the entire world, even the answers to seemingly more obscure questions, such as the name of
your first pet or your favorite color, aren’t necessarily that hard to come by.
But of course, effective or not,
secure or not, security questions are not going to go away. There’s a whole economy built
up on supplying ‘security’ for a fee. A whole bunch of third-party companies
exist only because they are selling security services to anyone that will bite:
corporations, banks, mom-and-pops, even high profile private individuals. They
do this by convincing clients, including my banker, who, to be fair, is a
financial person and doesn’t know diddly-squat about digital security, that
expiring passwords and a secondary wall of standard security questions are the way to go.
So, since I can't fix the underlying issues, nor am I interested in trying, my solution is to offer up nonsense.
For instance I would never, under
any circumstances, secure an account with my mother’s actual maiden name but,
since there is a high likelihood that someone is going to ask me to do so at
some point, my strategy is to give a nonsense answer. What’s my mother’s maiden
name? King Henry the Third. Obviously that’s not really her maiden name (nor
is it the answer I actually use, which is just as nonsensical, but I’m clearly
not going to tell you what it is!!), so now the answer to that question is undiscoverable unless I tell someone what it is (and if I do that I
deserve what happens next!), and it still works even though the answer is technically
wrong. It works because you get asked one of your security questions, you give
them the answer they expect, and you’re in.
Nobody’s checking to see if you really did live on Dining Room Street when you
were 20, they just want the answer to match the question.
I’ve further developed this strategy
to address the fact that I have a number of different accounts of various types
and most of them have some variant of the security question defense. Some of
these accounts are secured with a single security question but many others have
three different questions that may be asked at random, requiring three different answers. So, other than
writing them down, which opens a whole ‘nother can of worms, how to keep all
these answers straight when the answers are random nonsense?
It’s pretty simple actually. Pretty
much every time, you can count on at least one of the available choices to ask
about a name, another to ask about a street and yet another to ask about a pet.
It doesn’t matter what the actual question is (what street was your first apartment on? what street do your parents live on? what street is your favorite restaurant on?); as long as it has ‘street’ in it I have
a stock, nonsensical answer, and the same goes for any question that has ‘name’ or ‘pet’
in it. Now I only have three answers to remember for all my accounts and I’m not quite so old that
I can’t remember three words.
Once in a while you won’t get all
three, name, street and pet, offered up, but in my experience you are allowed
more than one try at getting through the security question bit so as long as
even one of the questions fits your standard nonsense answers you’re all right.
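To make the mechanism behind all this concrete, here is an added example (my own illustration, not code from the post's author or from any bank): a toy server-side security-question store that keeps only salted hashes of the answers, normalizes typing differences, compares in constant time and locks out after a few misses, plus a small keyword-to-category helper in the spirit of the "name / street / pet" trick. The stock answers, keyword table and question texts are all constructed for the example; the point it shows is that the verifier never asks whether an answer is true, only whether it matches what was enrolled, which is exactly why a nonsense answer works and a publicly known "real" one does not.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed stock answers in the spirit of the post; they are not the
# author's real ones and are not anyone's real facts.
STOCK_ANSWERS = {
    "pet": "Mostly Harmless",
    "street": "Dining Room Street",
    "name": "King Henry the Third",
}

# Hypothetical keyword table. Checked in this order so that
# "name of your first pet" lands in the 'pet' bucket, not 'name'.
CATEGORY_KEYWORDS = {
    "pet": ("pet", "dog", "cat"),
    "street": ("street", "avenue", "road"),
    "name": ("name",),
}

PBKDF2_ROUNDS = 100_000  # slow hash so a leaked store is expensive to brute-force


def categorize(question: str):
    """Return the stock-answer category for a question, or None if none fits."""
    q = question.casefold()
    for category, words in CATEGORY_KEYWORDS.items():
        if any(re.search(rf"\b{re.escape(w)}\b", q) for w in words):
            return category
    return None


def stock_answer(question: str):
    """The one memorised nonsense answer for this question's category, if any."""
    category = categorize(question)
    return STOCK_ANSWERS[category] if category else None


def normalize(answer: str) -> str:
    """Fold case, whitespace and accents so minor typing differences still match."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.casefold().split())


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


class SecurityQuestionVault:
    """Server side of the check: stores salted hashes of the normalized answers,
    never the answers themselves, and gives up after a few misses.
    Nothing here asks whether an answer is true; it only asks whether it matches."""

    def __init__(self, max_attempts: int = 3):
        self._records = {}          # question -> (salt, digest)
        self.max_attempts = max_attempts
        self.failed_attempts = 0

    def enroll(self, question: str, answer: str) -> None:
        salt = os.urandom(16)
        self._records[question] = (salt, _digest(answer, salt))

    def verify(self, question: str, answer: str) -> bool:
        if self.failed_attempts >= self.max_attempts:
            return False            # locked out: even a correct answer is refused
        record = self._records.get(question)
        if record is None:
            self.failed_attempts += 1
            return False
        salt, stored = record
        ok = hmac.compare_digest(_digest(answer, salt), stored)
        self.failed_attempts = 0 if ok else self.failed_attempts + 1
        return ok


def demo() -> dict:
    """Walk through the post's scenario and report what happened."""
    maiden = "What is your mother's maiden name?"
    vault = SecurityQuestionVault(max_attempts=3)
    for q in (maiden, "What street was your first apartment on?",
              "What was the name of your first pet?"):
        vault.enroll(q, stock_answer(q))

    nonsense_matches = vault.verify(maiden, "king henry the   THIRD")  # sloppy typing still OK
    real_fact_fails = not vault.verify(maiden, "Plantagenet")          # a 'true' answer is useless
    for guess in ("Tudor", "Stuart"):                                  # burn the remaining tries
        vault.verify(maiden, guess)
    locked_out = not vault.verify(maiden, STOCK_ANSWERS["name"])       # correct, but too late
    return {"nonsense_matches": nonsense_matches,
            "real_fact_fails": real_fact_fails,
            "locked_out_after_limit": locked_out}


if __name__ == "__main__":
    print(demo())
```

Two design choices worth noticing: normalizing before hashing is what keeps the "more than one try" the post mentions from being wasted on capitalization, and the attempt counter is the only thing standing between a guessable answer and unlimited guessing, so a site that stores answers unhashed or never locks out is weaker than this toy regardless of how clever the questions are.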
And now for something slightly
different, but still along the same general lines: if you ever have the need to
call your doctor about something (test results, prescription, insurance status,
whatever), whoever answers the phone is most likely going to verify that it’s
really you by asking for your birthdate. Get that right and they'll tell you anything. Though nearly criminally stupid, this is very common in the whole medical
industry, including insurance companies!
Just how hard is it to come up with
someone’s birthdate? In case you don’t know the answer; not very. Not only is
it public information, but we tend to make it even easier than that! How many
social networking sites, email accounts, etc. either insist, or make it an
option, that you give your birthdate? Just now I only had to click through three
random blogs on a popular blogging site to come up with names and birthdates of
two people and I didn’t even have to click the ‘view
complete profile’ link on one of them to do it. Pretty damn scary.
Just like with my mother’s maiden
name, I would never give out my actual birthdate, and not because I don’t want
people to know how long I’ve been around. In fact I usually use the correct
year, because hey! I’m at an age now where I can see my own eyebrows without a mirror and can pluck ear-hairs with my bare fingers, and I’ve earned every one of those years dang-it! But I change the month and day to something that's not mine. Again, I have a stock answer so it's easy to remember and now, though my birthday is just as easy to find as anyone else's, if someone tries to use that information to gain access to my stuff, it won't work. . .
It's not perfect; theoretically, if something akin to the recent Target hack happens to one of the institutions I do business with, my nonsensical answers or birthdate might be compromised, but it's certainly better than just going along with the herd while there are wolves lurking in the tree line!