This is something that occurs to me occasionally, but I don't think I've ever written about it before.

What do memes and facebook have in common? They can both be used to the benefit of identity thieves as a method of social engineering.

Security questions are now commonly used in addition to passwords, or as challenge questions that unlock an account or trigger emailing a new password. The same security questions are repeated across systems and are most often historical: first pet, high school mascot, etc. The challenge is to pick a question that the real person won't forget, will not type differently ("The Trouble with Tribbles" is not "trouble with tribbles"), and won't be easily discovered. The first criterion is often best met with historical information. You don't ask "favorite band" because in two years, when the question needs to be answered, the answer may have changed. To address the second criterion you need something definitive and short. Names and numbers work well for this. As the answer gets more complex, it's more likely that it will not be repeated exactly by the legitimate user. Then we come to the third criterion. Security questions tend to skew old (first ... ) on the naive assumption that anyone who encounters the legitimate user today won't have easy access to that old information.

Enter the information age, the Internet, memes and facebook. Facebook, by its very nature, is a social engineering treasure trove. You get all kinds of school and location information together with relatives. If you start linking these items to journal entries, you can develop quite a lovely dossier on someone. I've seen memes that cover the vast majority of security questions, some subtly, some not. Do you remember the Porn Star Name meme? That gets a couple of items that might not be covered on facebook: first pet, middle name, street you grew up on. Mother's maiden name? That is the classic key for credit card phone verification. But take a browse around facebook, find the relatives, find the mom, then look at her relatives. Done.

There are a lot more examples, but hopefully this gives you a slightly different perspective on innocent information. Information may be innocent, but often people are not.

A financial institution that I interact with forced me to set security questions. I looked at the questions and all of them were resolvable from memes or facebook. There wasn't one I could choose that wouldn't expose my account to attack based on reasonable research. What did I do? I answered randomly. I won't be able to use the challenge to reset my account, but neither will anyone else.
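As an added illustration (not code from this post), the Python below sketches the two sides of the problem described above: a normalization step so a legitimate user who types "The Trouble with Tribbles" one day and "trouble with tribbles" the next still matches, and the post's own workaround of answering every question with a random value kept in a password manager rather than a fact anyone can look up. The question list, iteration count and token length are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import unicodedata

# Constructed question bank, all of the "historical" kind the post describes.
QUESTIONS = ["first pet", "high school mascot", "street you grew up on"]
PBKDF2_ROUNDS = 200_000  # assumption; tune for the deployment


def normalize(answer: str) -> str:
    """Fold the variations a legitimate user is likely to type:
    Unicode form, case, punctuation, extra spaces and a leading article."""
    s = unicodedata.normalize("NFKC", answer).casefold()
    s = re.sub(r"[^a-z0-9 ]+", " ", s)              # drop punctuation
    s = re.sub(r"^(the|a|an)\s+", "", s.strip())    # "The Tribbles" -> "tribbles"
    return " ".join(s.split())


def enroll(answer: str):
    """Store only a salted, stretched hash of the normalized answer."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                                    salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def random_answers(questions):
    """The post's approach: a random, unguessable answer for every question.
    The user keeps these in a password manager; the "real" facts never go in."""
    return {q: secrets.token_urlsafe(12) for q in questions}


if __name__ == "__main__":
    salt, digest = enroll("The Trouble with Tribbles")
    print(verify("trouble with tribbles", salt, digest))  # True
    print(random_answers(QUESTIONS))
```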
