With so much information shared online, authentication questions can be trivial for attackers to bypass.
What is your mother's maiden name? It seems like that
question has been used as secondary authentication to verify identity
since the dawn of time. Over time, the authentication questions have
become much more diverse. Sites now ask for things like what city you
went to high school in, or who was your favorite teacher, or what was
your first car.
The problem with most authentication questions, though, is that the
information can often be found with a simple Google search or two. Ten
years ago, or even five years ago, it might have been much harder to
learn the answers to such obscure questions. But in the current age of oversharing on social networks, it's entirely possible all your intimate details are out there somewhere.
Have you ever participated in the Internet meme of answering a
series of questions about yourself and then passing the results on to a
group of friends? Many have. The purpose of the exercise is to share
more information and get to know people better, but the fallout is that
those questionnaires often target the same sort of semi-obscure
information that authentication questions ask for.
The real problem with authentication questions is that they can be
guessed or breached the same way a password can, and the answer space is
far smaller: there are only a few hundred plausible sports teams, cities
or car models, compared with the billions of possible passwords. An attacker may not
know who your favorite sports team is. But, given a few contextual clues
from your social networking profiles, a search of your
tweets on Twitter, or simply trying different sports teams until the
right one is discovered, the attacker can probably get past the
authentication questions.
Like a username, the authentication question might seem like it adds
a layer of security--and to some extent that's true. But, usernames are
easily guessed, and authentication questions are becoming increasingly
trivial to bypass thanks to social networking. The password should be
the toughest part of this equation, yet many people still use their
cat's name or "123456" despite years of security experts drilling home
the need to choose better passwords.
One solution that might help a little is to make up a fictitious
answer. For example, maybe you went to high school in Omaha, and everyone
online knows you went to high school in Omaha. But, for the purposes of
your authentication security question, you could change the answer to
"Metropolis" or "onion rings" and just keep that information to
yourself. Better still, treat the answer as a second password: generate
something random, and store it in your password manager alongside the
question, since an answer you cannot remember is only useful if it is
recorded somewhere safe.
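To make the guessability argument concrete, here is an added example (not code from the original article) that models how a site typically stores and checks a security answer, runs the kind of dictionary attack described above against a "favorite sports team" answer, and then shows the same attack failing against a made-up random answer. The candidate list, the salted-hash storage scheme and the iteration count are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import secrets

# Constructed candidate list standing in for what an attacker would assemble
# from public profiles; a real list would be a few hundred entries long.
CANDIDATE_TEAMS = [
    "Yankees", "Red Sox", "Cubs", "Dodgers", "Lakers", "Celtics",
    "Packers", "Cowboys", "Patriots", "Steelers", "Bruins", "Blackhawks",
]

# Assumed work factor for the stored hash; real sites vary.
PBKDF2_ROUNDS = 10_000


def normalize(answer):
    """Sites usually case-fold and collapse whitespace so 'Red  SOX ' matches 'red sox'."""
    return " ".join(answer.strip().lower().split())


def store_answer(answer):
    """Store a security answer the way a site should: salted, slow hash of the normalized text."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_answer(stored, guess):
    """Constant-time comparison of a submitted guess against the stored record."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(guess).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def guess_answer(stored, candidates):
    """Dictionary attack: try each candidate in order.

    Returns (matching_candidate, attempts) or (None, attempts).
    Online this is slowed by rate limits; after a breach of the stored hashes
    it runs offline at full speed, which is why the answer space matters.
    """
    for attempts, candidate in enumerate(candidates, start=1):
        if check_answer(stored, candidate):
            return candidate, attempts
    return None, len(candidates)


def random_answer(nbytes=12):
    """A made-up answer unrelated to the question, to be kept in a password manager."""
    return secrets.token_urlsafe(nbytes)


def guess_space_bits(n_candidates):
    """Entropy of an answer drawn uniformly from n_candidates values."""
    return math.log2(n_candidates)


if __name__ == "__main__":
    real = store_answer("red sox")
    print("real answer found:", guess_answer(real, CANDIDATE_TEAMS))
    fake = store_answer(random_answer())
    print("random answer found:", guess_answer(fake, CANDIDATE_TEAMS))
    print("bits for a few hundred teams: %.1f" % guess_space_bits(300))
    print("bits for random_answer(12): %d" % (12 * 8))
```

A list of a few hundred teams gives roughly 8 bits of entropy, so even with generous rate limiting an attacker only needs a few hundred tries; the random answer has 96 bits and is never in any dictionary, which is the whole point of the "Metropolis" trick.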
Some sites and services let you create your own custom
authentication questions. This can also be an opportunity to create
something unique that nobody but you would know the answer to. The
sillier you are with both the question and the answer, the less likely
it is that an attacker could guess it, as long as the question itself
does not hint at the answer.
To protect your data from viruses, phishing attacks, and other
malware, whether it's on your PC, smartphone, or tablet, you should have
some sort of cross-device security tool in place. But, when it comes to
preventing unauthorized access to information stored online with a service, two-factor authentication provides better protection.
An attacker may be able to guess your username, Google the answers
to your authentication questions, and crack your password. But, if
access to your data also requires a one-time PIN that is sent only to
the mobile phone you have registered with the account for that purpose,
it becomes much harder to get in.
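As an added example (not from the original article) of what the service's side of that one-time PIN step looks like, the following code issues a random six-digit PIN, hands it to a delivery hook standing in for the SMS gateway, and then verifies submissions with an expiry, a small attempt limit and a constant-time comparison. The PIN length, the five-minute lifetime and the three-attempt limit are assumptions for illustration.

```python
import hmac
import secrets
import time

PIN_DIGITS = 6          # assumed PIN length
PIN_TTL_SECONDS = 300   # assumed lifetime of a PIN
MAX_ATTEMPTS = 3        # assumed guesses allowed per PIN


class PinChallenge:
    """Server-side record for one PIN sent to the registered phone."""

    def __init__(self, now=None):
        now = time.time() if now is None else now
        # secrets, not random: the PIN must be unpredictable.
        self.pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self.expires_at = now + PIN_TTL_SECONDS
        self.attempts_left = MAX_ATTEMPTS
        self.used = False

    def verify(self, submitted, now=None):
        """Return True exactly once, for the right PIN, within its lifetime and attempt budget."""
        now = time.time() if now is None else now
        if self.used or self.attempts_left <= 0 or now > self.expires_at:
            return False
        self.attempts_left -= 1
        ok = hmac.compare_digest(self.pin.encode(), str(submitted).encode())
        if ok:
            self.used = True      # a PIN is single-use
        return ok


def issue_challenge(deliver, now=None):
    """Create a PIN and pass it to `deliver` (the SMS gateway, here a constructed hook)."""
    challenge = PinChallenge(now=now)
    deliver(challenge.pin)
    return challenge


def guess_probability():
    """Chance an attacker without the phone guesses the PIN within the attempt budget."""
    return MAX_ATTEMPTS / 10 ** PIN_DIGITS


if __name__ == "__main__":
    outbox = []                      # constructed stand-in for messages sent to the phone
    c = issue_challenge(outbox.append, now=1000.0)
    print("sent to phone:", outbox[0])
    print("wrong PIN accepted:", c.verify("000000" if outbox[0] != "000000" else "000001", now=1001.0))
    print("right PIN accepted:", c.verify(outbox[0], now=1002.0))
    print("replay accepted:", c.verify(outbox[0], now=1003.0))
    print("guess probability: %.6f" % guess_probability())
```

Even with the password and the security answers in hand, an attacker who does not hold the phone gets three guesses out of a million before the PIN is burned, and a PIN captured later cannot be replayed.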