Much Ado About Security Questions
Hackers often target the email and social media accounts of the rich and famous. Why? Because they’re easy targets and a quick way to get a lot of fame. The public and private lives of celebrities and politicians are often open books. Even the most private ones share a lot of their personal lives with the world.
Most of us who watch this unfold are good-hearted, nice people who genuinely care about the people behind these larger-than-life personas. But, it just takes one bad apple in the orchard. And sometimes, there are many bad apples.
These bad apples hack into the email and social media accounts of celebrities and politicians and expose their personal photographs or communications to the world.
This happened in 2014 when some 500 photos of mostly female celebrities, many showing nudity, were hacked from private iCloud accounts and shared to cyberspace. Then, it happened twice more in 2017. And, if you want more examples, you don’t have to look far.
Why and How Does This Keep Happening?
In corporate circles, we often use the fraud triangle as a framework in explaining why and how people commit fraud. For fraud to occur, so goes the explanation, three factors must exist: motive, rationalization and opportunity. Let’s examine how these relate to the hackings of high-profile accounts:
Motive
Fraudsters have to want to commit fraud. Here, it’s pretty easy to guess that these fraudsters were motivated by the fame and notoriety that come with high-profile exploits that get many shares across the internet and generate accolades in certain circles.
Rationalization
Fraudsters need to justify the fraud so that they can live with themselves. Fraudsters are human. They need to rationalize their behavior within their own heads. While we may never know why they hack, we can guess. They may have concluded that the celebrities somehow deserved these hacks. Or, maybe the fraudsters decided that they had so much fame and money already that they somehow would not care.
Opportunity
Fraudsters have to be able to commit the fraud. If there’s no way to do it, you can’t have a fraud – even if the fraudster wants to do it and has come to peace with doing it.
Putting It All Together: Why It Matters
We can’t really control what people want to do, and how or if they will justify fraud within their own minds. We can make it harder to commit fraud, though – through removing the opportunity side of the fraud triangle.
As news of the hacked celebrity photos broke in 2014, the race to find out how explored causes such as a breach of Apple’s iCloud service and a cloud API security weakness that allowed unlimited guessing of account passwords. Eventually, though, it came down to spear phishing – a tactic where fraudsters mine the personal information of celebrities to make guesses at their security questions, or even their passwords.
Spear phishing isn’t anything new. Hacking into someone’s account by guessing the answers to their security questions dates to at least the turn of the century. In 2004, hackers broke into Paris Hilton’s T-Mobile account when they correctly guessed that her favorite pet’s name was Tinkerbell.
The Trouble with Security Questions
The responses to security questions never change, and they’re pretty easy to guess. After all, it’s not hard to learn the maiden name of a celebrity’s mother, the street where he or she was born, or the elementary school the celebrity attended. Someone did just that when he hacked into Sarah Palin’s Yahoo! email account in 2008, using nothing more than information found through common internet searches.
It’s easy to figure this out for ordinary, everyday people too, and that’s not even considering the proliferation of odd Facebook quizzes that ask you to post the name of your first-grade teacher or your childhood phone number. Add to this the hacks of security questions themselves, and you start to feel a lot less secure knowing that this form of authentication is still around in 2019.
Despite the Problems…
It’s hard to give up on security questions. After all, when a user forgets a password, how else can you easily confirm someone’s identity?
Users seem to agree. 38% of US respondents to Experian’s 2019 Global Identity Fraud Report still name security questions as a top-three authentication method, just behind passwords.
Companies do too. The same report went on to state that passwords, PIN codes and security questions are the authentication controls most often implemented by companies across almost all regions of the world, including the US.
Beyond Security Questions – What’s Next?
Despite the inertia around moving on from security questions, the National Institute of Standards & Technology (NIST) removed security questions from its list of recommended authentication techniques in 2017. Companies are also exploring high-tech alternatives like biometric technologies and multimodal authentication. Even now in 2019, though, Apple’s iCloud service still relies partially on security questions as an authentication method, even though Apple suggests that users switch to two-factor authentication. For the record, while EPRIVO does ask for responses to security questions, this is only done as part of a two-factor authentication process.
What can we do in the meantime? The vulnerabilities inherent in security questions can be addressed in several ways:
- Lie. We don’t actually have to use our mother’s maiden name, or the actual street we grew up on, when answering security questions. It might be better not to, or even to generate random combinations of letters and numbers instead.
- Make security questions harder to guess and/or research. Instead of asking for a mother’s maiden name or the name of our elementary school, the security question could ask for the last four digits of our passport number, the city where a best friend lives or for a childhood phone number.
- Add a unique, user-specific modifier to responses. Here, security questions can still ask for a pet’s name. However, when we submit a response, we can add a personal code to the name, e.g., Tinkerbell25, or 25Tinkerbell, or even Tinker25bell.
- Freeze the account after multiple failed responses. After a set number of failed responses, the account locks and we would need to unlock it before gaining access again.
- Implement two-factor authentication. When available, always opt for two-factor authentication over single-factor methods.
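The following is an added example, not code from the original post or from EPRIVO, that shows how the list above and the unlimited-guessing weakness mentioned earlier play out on the server side. It stores answers as salted, normalized PBKDF2 hashes, freezes the account after a set number of wrong answers, and offers a random-answer generator for the "lie" option. The policy values (five attempts, 200,000 iterations), the user names and the attacker's word list are all constructed for the demonstration and are not from the article.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
import unicodedata
from dataclasses import dataclass

# Hypothetical policy values chosen for this example, not taken from the article.
MAX_FAILED_ATTEMPTS = 5      # freeze the account after this many wrong answers
PBKDF2_ITERATIONS = 200_000  # slows down offline guessing if the hash table leaks


def normalize(answer: str) -> str:
    """Canonicalize an answer so 'Tinker Bell ' and 'tinkerbell' compare equal.

    This is a usability choice; it also shrinks the guess space, which is
    exactly why the answer itself must not be something an attacker can look up.
    """
    return "".join(unicodedata.normalize("NFKC", answer).casefold().split())


def generate_random_answer(length: int = 20) -> str:
    """Unguessable answer for the 'lie' option; the user keeps it in a password manager."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Record:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class RecoveryQuestionStore:
    """Keeps salted hashes (never plaintext answers) and applies the lockout rule."""

    def __init__(self) -> None:
        self._records: dict[str, Record] = {}

    @staticmethod
    def _hash(answer: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)

    def enroll(self, user: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[user] = Record(salt=salt, digest=self._hash(answer, salt))

    def verify(self, user: str, answer: str) -> tuple[bool, str]:
        rec = self._records.get(user)
        if rec is None:
            self._hash(answer, b"\x00" * 16)  # same cost for unknown users, so timing reveals nothing
            return False, "no such user"
        if rec.locked:
            return False, "locked"
        if hmac.compare_digest(self._hash(answer, rec.salt), rec.digest):
            rec.failed_attempts = 0
            return True, "ok"
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            rec.locked = True
            return False, "locked"
        return False, f"wrong ({MAX_FAILED_ATTEMPTS - rec.failed_attempts} attempts left)"

    def unlock(self, user: str) -> None:
        """Out-of-band unlock (for example after a support check); resets the counter."""
        rec = self._records[user]
        rec.locked = False
        rec.failed_attempts = 0


def demo() -> dict[str, str]:
    """Run a constructed word list of common pet names against three enrollment styles."""
    guesses = ["fluffy", "max", "tinkerbell", "bella", "rex", "charlie", "lucy"]
    store = RecoveryQuestionStore()
    store.enroll("celeb-plain", "Tinkerbell")              # researchable answer
    store.enroll("celeb-mod", "Tinker25bell")              # answer with a personal modifier
    store.enroll("celeb-random", generate_random_answer())  # random answer

    results: dict[str, str] = {}
    for user in ("celeb-plain", "celeb-mod", "celeb-random"):
        outcome = "not guessed"
        for attempt, guess in enumerate(guesses, start=1):
            ok, reason = store.verify(user, guess)
            if ok:
                outcome = f"guessed on attempt {attempt}"
                break
            if reason == "locked":
                outcome = f"locked after {attempt} attempts"
                break
        results[user] = outcome
    return results


if __name__ == "__main__":
    for user, outcome in demo().items():
        print(f"{user}: {outcome}")
```

Running `demo()` shows the two halves of the problem side by side: the researchable answer falls on the third guess no matter how well it is hashed, while the modified and random answers survive the list and the lockout stops the guessing at five attempts. Hashing protects answers if the database leaks; only unguessable answers and a lockout protect the live login.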
Security questions exist to allow users to recover their accounts, and to keep the bad guys out. Without venturing into the territory of biometric checks or physical tokens (which open up other vulnerabilities and inconveniences), they can still work. But, as always, proceed with caution. Simply put, security is still not perfect … even in 2019!
The Bottom Line
Security questions may have made sense in a world where much less of our identities was online. These days, with perhaps more of our lives online than off, it’s time to look toward new authentication methods. There will always be celebrities, and there will also be incentives for someone to hack into their private lives, but new technologies and the smarter use of current ones will minimize opportunities for would-be fraudsters and reduce their ability to succeed in their online exploits.
Download EPRIVO Encrypted Private Email App for free. EPRIVO works with your existing email address, and allows you to privatize old emails from any email account.