Password security questions are meant to add an additional layer of security to online account log ins, but with the advent of social media the answers to the most common password security questions are increasingly easy for others to answer.
The integrity of these website security questions is also damaged because many people have come to view them as more of a nuisance than an effective security measure.
According to Gartner Research, so called self-service challenge questions can save companies between $51 and $147 for each password reset question that is handled through the web rather than by a phone call.
While it might be saving companies money to do this, it is costing customers in the form of identity theft. It is easier for identity thieves to impersonate someone over the internet than it is even in a phone call, and customers who do not protect themselves are inviting these types of crimes.
Identity thieves can use stolen personal information for more than just financial fraud, too. A correct guess to just one computer security question can give thieves all of the information they need to pose as someone else in person at a hospital or even during a traffic stop.
The Most Common Security Questions
While it may seem like just an extra step to get to your account when you’re in a hurry, login security questions should not be taken lightly. When you answer these ten most common security questions one or two at a time, it’s easy to overlook just how simple the answers really are:
- What Is your favorite book?
- What is the name of the road you grew up on?
- What is your mother’s maiden name?
- What was the name of your first/current/favorite pet?
- What was the first company that you worked for?
- Where did you meet your spouse?
- Where did you go to high school/college?
- What is your favorite food?
- What city were you born in?
- Where is your favorite place to vacation?
Using questions like these, researchers at Microsoft and Carnegie Mellon (pdf) found that people with no knowledge of the person whose account they were hacking were able to guess the correct answer 15% of the time. Think about it; the majority of these questions are topics that are discussed on a first date and are common material for social network profiles and updates.
How Identity Thieves Get The Answers to Your Computer Security Questions
You might think that you’re safe from having your computer security questions guessed if you limited the privacy setting of your social network updates to friends only, but did you also limit your profile information? ID Analytics and Harris Interactive found that over 70 million adults publicly share their birthplace on their social network profiles.
Going even deeper, a 2010 survey by ID Analytics found that almost 20 million Americans have revealed the names of their pets on social networks. But you wouldn’t share the answers to all of your security questions, right? Even if there are multiple security questions for a single log in, a determined identity thief could do the following:
- Find the answer to “where did you go to high school/college?” on your LinkedIn
- Guess the answer to “what is your favorite food?” by viewing your Twitter feed
- Look up the answer to “what is the name of the road you grew up on?” using a public records search – or find it on a forum or social network from an update you made about the Soap Opera Name Game, which would also reveal the name of your first pet.
With this information, identity thieves can unlock your account on virtually any website, from your social network to your online banking. Not only can criminals with this type of access drain your bank account and ruin your credit history, but they can also pose as you in person. Consider the following true stories:
- Malcolm Byrd was arrested repeatedly and fired from his job after a drug dealing criminal posed as him during an arrest.
- Anndorie Sachs was accused of giving birth to a child addicted to methamphetamine – two years after the birth of her last child.
- Besouro Abdul Zagon was able to enter the U.S. using the identity of Donald Benjamin to obtain a passport, then obtained federal aid for himself and his family as well as citizenship for his children, who were born in Antigua.
To protect yourself, always choose the most difficult security questions offered. Avoid sharing the answers to these questions publicly, and think about masking your profile information on social networks.
Finally, consider choosing a fake answer to your security questions. An answer that is not true will be that much harder for someone else to guess, but make sure that you can remember it so that you are not locked out of your account.