Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as “What was your first job,” or “What was your first car?” The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to “secret questions” that can be used to unlock access to a host of your online identities and accounts.

I’m willing to bet that a good percentage of regular readers here would never respond - honestly or otherwise - to such questionnaires (except perhaps to chide others for responding). But I thought it was worth mentioning because certain social networks - particularly Facebook - seem positively overrun with these data-harvesting schemes. What’s more, I’m constantly asking friends and family members to stop participating in these quizzes and to stop urging their contacts to do the same.

On the surface, these simple questions may be little more than an attempt at online engagement by otherwise well-meaning companies and individuals. Nevertheless, your answers to these questions may live in perpetuity online, giving identity thieves and scammers ample ammunition to start gaining backdoor access to your various online accounts.

Consider, for example, the following quiz posted to Facebook by San Benito Tire Pros, a tire and auto repair shop in California. It asks Facebook users, “What car did you learn to drive stick shift on?”

I hope this is painfully obvious, but for many people the answer will be the same as to the question, “What was the make and model of your first car?”, which is one of several “secret questions” most commonly used by banks and other companies to let customers reset their passwords or gain access to the account without knowing the password.

Don’t worry, if you forget it after answering this question, Facebook will remember it for you:

Incredibly, 6,800 Facebook users answered this question.

Do you remember your first grade teacher’s name?

I’ve never seen a “what was the first concert you ever saw” secret question, but it is unique as secret questions go and I wouldn’t be surprised if some companies use this one. “What is your favorite band?” is definitely a common secret question, however:

Giving away information about yourself, your likes and preferences, etc., can lead to all kinds of unexpected consequences. This practice may even help turn the tide of elections. Just take the ongoing scandal involving Cambridge Analytica, which reportedly collected data on more than 50 million Facebook users without their consent and then used this information to build behavioral models to target potential voters in various political campaigns.

I hope readers don’t interpret this story as KrebsOnSecurity endorsing secret questions as a valid form of authentication. In fact, I have railed against this practice for years, precisely because the answers often are so easily found using online services and social media profiles.

But if you must patronize a company or service that forces you to select secret questions, I think it’s a really good idea not to answer them truthfully. Just make sure you have a method for remembering your phony answer, in case you forget the lie somewhere down the road.

Many thanks to RonM for assistance with this post.

This entry was posted on Monday 9th of April 2018 12:31 AM

From NIST SP800-63b (published June 2017): Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets. I’m constantly amazed by the number of sites, even financial institutions that ignore NIST recommendations (why don’t US companies follow US guidelines?).
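The post's advice is to answer secret questions with something untrue and to keep a reliable way of recalling the lie. The following is an added example, not code from KrebsOnSecurity or from any product the post mentions: it generates a random, biographically meaningless answer for each (site, question) pair, records it so it can be looked up later, and exports the records as JSON that can be pasted into a password manager's notes. The word list, the `FakeAnswerVault` class and the site names are constructed for illustration.

```python
import json
import secrets
from typing import Optional

# Constructed word list for this example. A real setup would use a much larger
# list (for instance a diceware list) or simply the password manager's generator.
WORDS = [
    "marble", "harbor", "quartz", "violet", "saddle", "kettle", "pepper", "timber",
    "falcon", "ladder", "copper", "meadow", "thistle", "garnet", "anchor", "walnut",
]


def generate_fake_answer(rng=None, num_words: int = 3) -> str:
    """Return a random answer that has no connection to the user's real history.

    rng defaults to a CSPRNG-backed random.Random so the answer cannot be guessed
    from public profile data; a seeded random.Random may be passed for testing.
    """
    rng = rng or secrets.SystemRandom()
    return " ".join(rng.choice(WORDS) for _ in range(num_words))


class FakeAnswerVault:
    """Maps (site, question) to the phony answer given, so the lie can be recalled."""

    def __init__(self) -> None:
        self._entries: dict = {}

    @staticmethod
    def _key(site: str, question: str) -> str:
        # Normalise case and whitespace so "Favorite band?" and "favorite  band?"
        # resolve to the same record when the user looks the answer up later.
        return f"{site.strip().lower()}|{' '.join(question.lower().split())}"

    def enroll(self, site: str, question: str, rng=None) -> str:
        """Generate and store an answer for this site/question, or return the existing one."""
        key = self._key(site, question)
        if key not in self._entries:
            self._entries[key] = generate_fake_answer(rng)
        return self._entries[key]

    def lookup(self, site: str, question: str) -> Optional[str]:
        """Return the stored phony answer, or None if none was enrolled."""
        return self._entries.get(self._key(site, question))

    def export_json(self) -> str:
        """Serialise the vault for storage in an encrypted note or password manager."""
        return json.dumps(self._entries, indent=2, sort_keys=True)

    @classmethod
    def from_json(cls, blob: str) -> "FakeAnswerVault":
        vault = cls()
        vault._entries = json.loads(blob)
        return vault


if __name__ == "__main__":
    vault = FakeAnswerVault()
    # Hypothetical site name, constructed for the example.
    answer = vault.enroll("examplebank.test", "What was the make and model of your first car?")
    print("Enrolled answer:", answer)
    print(vault.export_json())
```

The point of the design is that the stored answer is the only place the "memory" lives: nothing about it can be recovered from a Facebook quiz, and the JSON export goes into the same encrypted store as the site's password rather than into a plain text file.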