PC World: Sites’ Personal Questions May Pose Security Risk

What did your maternal grandfather do for a living? What was your high school mascot’s name? Your first pet’s name?

If you have an online account at a retailer like Amazon.com, you’ve probably run into such questions when opening an account or when trying to recover one of the dozens of passwords you juggle in your head. Online businesses everywhere have embraced the technique, which is called knowledge-based authentication.

Theoretically, the answers to these questions are so personal and obscure that knowing them proves you are you. Experts say, however, that the technology could end up helping hackers compromise your online accounts more easily.

Knowledge-based authentication doesn’t replace user names and passwords; it’s an extra layer of security on top of such schemes, since hackers who stumble across your log-in credentials won’t easily figure out the name of your high-school sweetheart. Collecting log-in information and answers to secret questions from your computer requires keylogging software, making it harder for malicious hackers to triumph.

Phishers Get Close to Home

Jon Fisher, whose firm, Bharosa (acquired by Oracle last year), develops questions for companies to use, says knowledge-based authentication adds a step for account access. “Phishing both those pieces of information is fairly sophisticated.”

But scammers have adapted, adding secret questions to their decoy pages, says Lance James, CTO of fraud research company Secure Science. Bank phishing sites may include their own fraudulent drop-down lists that capture people’s answers, which bad guys can then use to hack real accounts.

Even when hackers don’t resort to subterfuge, these nuggets of information can be easier targets than passwords. Mark Burnett, author of has observed that seemingly random questions such as “What was the make of your first car?” have a narrow list of answers–in the case of autos, 38 major makers–that hackers can use to try to break into an account, versus a vast multitude of password combinations.

Stump the Hacker

Companies have realized the approach’s weakness, and most have broadened their lists of questions. But devising questions that are general enough for everyone to answer yet specific enough to be easy to recall is a formidable task. Most people can name a favorite movie, but their answer to that question might change over time. So getting the answer right requires recalling such details as when you answered the question–which increases your chance of making an error. On the other hand, factoids such as the city of your birth, your mother’s maiden name, or even your social security number may be public information.

“You need a question [that is] discernible if a million people see it for the first time,” says Fisher. But some questions have become esoteric, he believes. “I see it as a situation in which banks have sacrificed some usability for better security.”

“[Questions are] definitely getting weird,” says James. “I just had one that was ’What was the name of your first pet?’ but I had two dogs growing up, so I don’t know.”

Meanwhile, online social networks provide a wealth of information about individuals–including dates of birth, addresses, education histories, and personal tastes in books, movies, and the like–that crooks could tap.

Amir Orad of antifraud company Actimize doesn’t expect that people will cease sharing personal information any time soon. “I think this trend is unstoppable. You’re not going to change the behavior of 200 million Facebook and MySpace users.” Orad thinks that banks and merchants must instead develop systems to detect fraudulent practices behind the scenes, much as credit companies today have devised ways to spot suspect purchases and notify customers.

Keep It Simple, Not Stupid

Simple steps can go a long way toward thwarting authentication fraud. Orad recommends that people not resort to using any information about their personal life that might be available online. “Anything you say can and will be used against you,” he warns.

Also, you should steer online transactions toward businesses that offer more than just passwords and secret questions as protection. For example, PayPal offers a device that generates one-time passwords that you can use for secure log-ins, and Bank of America recently introduced a program that sends required PINs to customers’ mobile phones via SMS.

By Paul F. Roberts, PC World (US)