If Your Security Question List Looks Like a Facebook Favorite List, Start Over Now
- by nlqip
My favorite color, by the way, is black. Or at least it will be until something darker comes along.
While marginally better than asking for personal information that is just as easily discovered on the web —your mother’s maiden name, where you were born (my mother claims it was in a barn based on my habit of leaving doors open as a child), what high school you graduated from—the fact remains that these questions are useless for verifying identity.
Seriously, how many colors are there? And how many of us share the same love of one of those limited choices?
The answers to these questions aren’t that hard to guess in case a quick search doesn’t turn them up. Because, while we’re great at sharing, we aren’t so great at managing admittedly confusing privacy settings on social media, and some things are a matter of public record. Check an obituary sometime. You’ll quickly find not only my maiden name, but my mother’s maiden name and the names of all my siblings and their children and… See, it’s not that hard to find information if you know where to look. A new upcoming breach trends research report by F5 Labs, studies data breaches over the past decade and concludes that “There have been so many breaches that attacker databases are enrichened to the point where they can impersonate an individual and answer secret questions to get direct access to accounts without ever having to work through the impacted party.”
It is also true that passwords are not enough. Credential stuffing1 is a real threat, and the upcoming F5 Labs breach trends report discovered that 33% of the breaches started with identity attacks, of which phishing was the primary root cause. Many of the malicious URLs clicked on, or malware files opened, in phishing attacks collect credentials, which are then sold and used to gain illicit access to corporate systems.
Security questions are used as a secondary source of identity verification. They simulate, albeit poorly, the second-factor in a multi-factor authentication (MFA) strategy. But they do so with stunning inadequacy. MFA is based on the premise that identity is established based on one thing you know and one thing you have. The latter should not also be a thing you know, because in the sharing economy, we share everything—whether we should or not.
MFA is a good idea. It’s not always convenient (we use it extensively at F5, so I say that as a user), but it is safer. And that’s the point. Because it’s really hard to duplicate a one-time password from an isolated key, but it’s pretty easy to figure out my pet’s name, thanks to Facebook, Twitter and others.
So, if your implementation of MFA uses Facebook favorite lists (or any other “security questions”) as a second form of authentication, you need to rethink your strategy.
Source link
lol
My favorite color, by the way, is black. Or at least it will be until something darker comes along. While marginally better than asking for personal information that is just as easily discovered on the web —your mother’s maiden name, where you were born (my mother claims it was in a barn based on my…
Recent Posts
- The 10 Hottest Semiconductor Startups Of 2024
- Cybersecurity Snapshot: Prompt Injection and Data Disclosure Top OWASP’s List of Cyber Risks for GenAI LLM Apps
- Healthcare Ransomware Attacks: How to Prevent and Respond Effectively | BlackFog
- Black Friday Versus The Bots
- Over 2,000 Palo Alto firewalls hacked using recently patched bugs