Wednesday, March 9, 2016

Your Friends Probably Know the Answers to your Secret Questions

You may have seen this article on NBC which discusses how hackers are stealing your personal info by getting you to take those fun quizzes that tell you your Jedi name or which Disney Princess you would be.

What you may not realize is that you could be giving that same information out to all your friends (or friends of friends) on Facebook just by sharing or commenting on a status, and that can lead to an account compromise, an email takeover, or maybe even unauthorized access to your bank account.

What? No way.

Yes way. Let's take a look at what I could find just recently on Facebook, for example.

After a quick look around, this looks like a winner: a copy-and-paste status which asks friends to share their place of birth. Which is cool! I don't really know where my friends were born off the top of my head, so it could be a neat opportunity to learn more about them, right?

Sure. But here's the thing: I'm not actually friends with all the commenters to the left, but I can still see their comments. Thanks to how Facebook's privacy settings work.

No big deal right?

Well, think about this for a moment... Place of birth is one of the more common questions used by websites to help users reset their forgotten passwords...

But Kai! My Facebook is private everywhere else! So what if you can see it through a mutual friend?

Do you know who your friends are friends with? Are you sure they are all real people with no ill intentions or fake accounts just looking for this kind of information? Because I honestly doubt it.

Okay, so maybe you need multiple secret questions. Like, perhaps a Mother's Maiden name or a high school mascot? No way you could find all that information on one person right?

I did, actually, in seconds! This info was grabbed thanks to the Facebook privacy feature of "allow friends of friends to see your stuff" (paraphrasing). I was able to wander into person 'green's' profile and take a look around. And it just so happened that under the "Family and Relationships" section of green's About page, we find a nice listing of family members, including two individuals listed as "Mother" and "Father".

But wait, there's more! With some more snooping, we find where green went to high school. And after a quick Google search, I was able to find green's high school mascot.

So now we know person green's place of birth, mother's name, and high school mascot. All I need now is some additional recon to figure out what sites they use (doable through observation, deeper googling, or maybe even looking through other social media sites like Twitter or LinkedIn) and then start plugging in the answers to those 'Secret Questions' to see if I can reset their password.

But those are known, insecure questions! They're not used anymore!

Okay, fair. Those kinds of secret questions are so 2000s. So let's take a look at something more recent.

Now, these questions to the left are straight out of the 'online banking' website my own financial institution uses (with a nice little warning about how to pick easy-to-remember questions). At first glance, these questions look way, way better than the ones from before. But is this information any more secure? I was curious, so I went and did some more digging around my 'friends of friends' Facebook profiles.

Okay, I didn't really dig. I literally found the question posted by a friend while I was researching for this blog entry. Any of these answers could be the answer to someone's secret question "What is your favorite movie?" found above.

But why stop there? There's a whole list of movies publicly available to Friends of Friends on person 'pastel red's' profile!

Get what I'm getting at yet?

Okay, relax. It's not as terrible as it sounds. While you don't know every one of your friends' friends, it is also likely they aren't gunning for you (security through obscurity, one might say). But there are things you can (and should) do to protect yourself and your information.

  1. Protect your private information - Exactly as it sounds. Go through your social media profiles and make that secret information visible only to you, or only to you and your friends (not friends of friends, and definitely not public).
  2. Google Yourself - No really, do it. And do it on a regular basis. Search your common usernames, aliases, etc. You might be surprised at what you find is publicly available.
  3. Be careful what you post - Twitter, Facebook, Tumblr, Reddit, etc... These are all hot sites for hackers looking for your information. Think twice, and consider what you really want out there.
  4. Be careful what you pick as private - If you pick a 'secret question' like "What's your favorite book?", you had better make sure you don't have "Harry Potter is my favorite book in the universe!" posted somewhere anyone could see it. If you want to talk about it, it's probably not a good candidate for keeping 'private'.
  5. Use Two-Factor Authentication - Two-factor authentication adds another layer of security to your profile. To access your profile, it will require at least two of the following: something you know (like a password), something you have (like a token or randomly generated code), or something you are (like a fingerprint or retina scan). Seem cumbersome? Well, guess what: if those hackers figure out how to reset your password (something you know), they'll be SOL when it comes to the second factor of authentication (something you have/are) because they simply won't have it. This protects your stuff from unauthorized access and might also alert you if someone is trying to mess with your account. Many websites, web email providers, banks, etc. offer this kind of authentication nowadays, and it can be as simple as receiving a generated code via text. For example, you can set this up on Facebook under the "Security" tab under Settings right now!

A huge part of keeping your information safe is just using some common sense. Be mindful of what you post and where you post it. And if you see your friends posting their information everywhere, maybe give them a nudge and let them know what the consequences could be. And always remember that keeping safe on the internet is a constantly changing task that everyone should be aware of.
