Are insecurity questions designed to help hackers?
If you read this blog regularly, you know that the main purpose of insecurity questions is to help hackers get into your account. This is a testable theory. For example, one of the drawbacks, as far as hackers are concerned, is that the number of answers is unlimited. While it’s likely to be pretty easy to guess what your favorite dog breed is just by watching your Facebook feed, it’s possible that you use an odd spelling, or don’t know what your dog’s breed actually is.
The latest twist on insecurity questions solves that problem for hackers, while making it harder for the account owner whose answers differ from the norm to remember the answers. Instead of a free-form input, you’re provided with a small number of valid answers. I discovered this the last time I went to log in to my United Airlines MileagePlus account. They required that I change my answers, and instead of being allowed to type my own answers, I was forced to choose an answer from a small list.
Now, if your theory is that insecurity questions are there to help the owners of accounts, it’s unlikely that you would have predicted this development. It’s insane, because it does little to help you, the account owner who has forgotten their password but does know your dog’s breed, and everything to help hackers. It’s even worse if your favorite genre or favorite dog is not listed as an option. You’re very unlikely to remember which option you chose in its place—or you’re going to assist hackers by always choosing an item at the top of the list.
I noticed immediately that some of the lists were ridiculously small. The list of musical genres includes only twenty-one items. Jim Fenton went through a bunch of the questions and discovered that some of the questions involve months, which means that the number of answers is a mere twelve. It’s not going to take much of a security breach for a hacker’s computer program to cycle through the choices and come up with the right combination.
If that breach resembles the one described on Stack Exchange, where answers are accepted interchangeably, month answers become ridiculously easy to guess.
Besides only having a limited number of options to cycle through when going through the process of hacking your account online, pre-determined answers are also normalized: if the question is what month were you born, the hacker no longer has to worry about whether you spell February correctly or not. If the question is a date, the hacker won’t have to worry about what format you use when typing dates. It’s a system designed for programmatic hacking.
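The two effects described above, a tiny fixed answer list and an interchangeable-answer check, can be quantified. The following is an added example, not code from the original post or from any of the sites it discusses: it models a 12-month question and a 21-entry list (the genre names are placeholders), computes the search space and its entropy in bits, and compares a strict per-question verifier with one that behaves the way the Stack Exchange poster describes, where a submitted answer only has to be correct for some question rather than for the one it was entered against.

```python
import itertools
import math

# Constructed option lists modelled on the post: twelve months and a
# 21-entry genre list (placeholder names, not any site's actual list).
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
GENRES = [f"genre-{i:02d}" for i in range(21)]


def search_space(option_counts):
    """Number of distinct answer tuples and the equivalent entropy in bits
    when every question must be answered correctly in its own slot."""
    space = math.prod(option_counts)
    return space, math.log2(space)


def verify_strict(stored, submitted):
    """Correct behaviour: each submitted answer must match the stored answer
    for the same question."""
    return len(stored) == len(submitted) and all(
        s == t for s, t in zip(stored, submitted))


def verify_interchangeable(stored, submitted):
    """Flaw described on Stack Exchange: position is ignored, so a submission
    passes as long as every answer given is correct for *some* question."""
    stored_answers = set(stored)
    return all(a in stored_answers for a in submitted)


def count_attempts(verify, stored, candidates):
    """Number of submissions an exhaustive guesser makes before `verify`
    accepts one (None if the candidate stream is exhausted)."""
    for n, cand in enumerate(candidates, start=1):
        if verify(stored, cand):
            return n
    return None


def worst_case_attempts():
    """Worst case for the defender: the true answers are the last entries
    of each list, so a naive enumeration tries everything."""
    stored = (MONTHS[-1], GENRES[-1])
    strict = count_attempts(verify_strict, stored,
                            itertools.product(MONTHS, GENRES))
    # Against the interchangeable verifier the guesser need only enumerate
    # the *smallest* list, submitting the same value in both slots.
    loose = count_attempts(verify_interchangeable, stored,
                           ((m, m) for m in MONTHS))
    return {"strict": strict, "interchangeable": loose}


if __name__ == "__main__":
    space, bits = search_space([len(MONTHS), len(GENRES)])
    print(f"strict search space: {space} tuples ({bits:.2f} bits)")
    print("worst-case attempts:", worst_case_attempts())
```

With two free-form questions the defender at least gets the product of two unknown-sized spaces; with the fixed lists above the whole space is 252 combinations, under 8 bits, and the interchangeable check collapses it further to the length of the shortest list. An online rate limit on recovery attempts is the only thing standing between either figure and a successful reset.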
This is only going to get worse. Insecurity questions are a very bad answer to an occurrence that is relatively rare for the individual account owner but relatively common for the organization: someone forgetting their password. For most individuals, the chance of forgetting a necessary password is much lower than the chance of one of your many passwords being involved in a hacking attempt or security breach of some kind. Even without that, however, insecurity questions always make your account information less secure. They provide a means other than knowing your password by which hackers can get into your account.
But insecurity questions aren’t for you. They’re for the organization hosting the account. It’s expensive to handle forgotten passwords on a one-to-one basis, so organizations naturally want to automate the process of resetting forgotten passwords. The harder a company tries to remove human intervention from that automated process, the more useful the process becomes to hackers.
I was only being partially facetious in the title of this post. The needs of organizations that use insecurity questions and the needs of hackers line up very closely, which means that insecurity questions are likely to continue getting easier for hackers to use.
The purpose of insecurity questions is to bypass the need to know the password. The secure answer to security questions is to not use them. Technically, insecurity questions should be treated exactly like passwords, because for all practical purposes they are passwords: they can be used to get into your account. But if we hashed the answers to security questions, required users to choose strong answers, and didn’t allow them to use easily-guessable answers, then there would be no point to them.
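What "treated exactly like passwords" would look like in code, as an added example that is not from the original post: answers are salted and hashed with PBKDF2 before storage, compared in constant time, and enrolment refuses any answer drawn from a small fixed-choice list or shorter than a passphrase. The month list and the 12-character minimum are constructed assumptions for the demonstration. Input is canonicalised before hashing so the legitimate owner's stray capital or trailing space still matches; that tolerance only costs nothing because the strength policy keeps the answer space large.

```python
import hashlib
import hmac
import os

# Constructed: a small fixed-choice list of the kind the post describes.
# Anything on it is rejected as an answer, since it is a 12-way guess.
CONSTRAINED_CHOICES = {
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}
ITERATIONS = 100_000      # PBKDF2 work factor (assumed value)
MIN_ANSWER_LEN = 12       # assumed minimum, passphrase-length


def normalize(answer):
    """Canonicalise free-form input: trim, lower-case, collapse whitespace.
    Done server-side before hashing so the stored value is still a hash."""
    return " ".join(answer.strip().lower().split())


def answer_is_strong(answer):
    """Apply a password-style policy to the answer: not from a fixed list,
    and long enough that guessing it is not a short enumeration."""
    canon = normalize(answer)
    if canon in CONSTRAINED_CHOICES:
        return False
    return len(canon) >= MIN_ANSWER_LEN


def enroll(answer):
    """Return (salt, digest) for storage, exactly as a password would be
    stored. Raises ValueError if the answer would not pass as a password."""
    if not answer_is_strong(answer):
        raise ValueError("answer is too guessable to act as a credential")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(stored, submitted):
    """Recompute the hash with the stored salt and compare in constant time,
    so the plaintext answer is never kept and timing leaks nothing."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(submitted).encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    record = enroll("  Correct Horse Battery Staple ")
    print("right answer accepted:", verify(record, "correct horse battery staple"))
    print("wrong answer accepted:", verify(record, "incorrect horse battery staple"))
    print("'February' allowed as an answer:", answer_is_strong("February"))
```

The policy check is the part that makes the post's point: once an answer has to be long, unique and unguessable, it is simply a second password, and a user who has lost the first one is no more likely to remember it.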
The tendency is going to always be to make insecurity questions less secure, because that is their purpose. They’re for bypassing security.
In response to The last four digits of your social security number: The last four digits of your social security number are the least guessable part of your SSN.
- New Research: Some Tough Questions for ‘Security Questions’: Elie Bursztein at Google
- “Our findings, summarized in a paper that we recently presented at WWW 2015, led us to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both.” (Techmeme thread)
- United Mileage Plus: Jim Fenton
- “But what other problems are introduced? The most obvious is that the number of choices (and therefore the amount of entropy, or randomness, in the answer) is limited.”
- Why would a website allow answers to security questions to be used interchangeably? at StackExchange
- “To reset, I'm prompted to answer both questions; however, it doesn’t matter which answer I use for which question, so long as the answer I use is correct for at least one question.”
More insecurity questions
- Security is hard, and 2FA is not the answer
- Is 2-factor authentication the magic bullet in security? Not unless we solve the real problem, which is that people always take the easy way out—and that includes service providers.
- Security questions will always be insecure
- Insecurity questions are insecure because their purpose is to allow access to someone who does not know the access credentials. This trait is shared by zero or one person who has forgotten their password, and an infinitude of people who never knew it in the first place—because they shouldn’t have access.
- Insecurity Questions enable harassment and abuse
- Insecurity questions are designed specifically to let someone who does not have your password access your account without having to talk to a human. The idea is that that person will be you after you forget your password, but the computer does not care. Anyone or anything with that information can access your account.
- Allow men to impersonate exes, transgender activists say
- Some transgender activists want banks to reduce the security on bank accounts, enabling abusive exes to access their victims’ bank accounts.
- Mat Honan should read Mimsy
- “Because the last four numbers of your SSN are what businesses ask for, they are all that a criminal sometimes needs to use your cash or credit.”