Password Security Questions Suck
My mother’s maiden name was Sullivan, my first pet was named Snoopy, my father’s middle name was Joseph and I was born in Schenectady, NY. I can tell you because I would never use real answers in any so-called security questions. While they’re handy when you forget your password, they’re also the easiest way to have your password reset and stolen.
Yes, companies still use these questions with answers that are publicly available, and having numbers, letters and special characters in your password won’t help you. Truth is, programs that keep trying different word combinations are obsolete. Your password will most likely be incorrectly stored and stolen by someone you do business with or figured out using data in the password security or “challenge” question.
Remember when Sarah Palin’s Email was compromised? It wasn’t some brilliant hacker; it was someone who Googled where Palin attended high school.
So are there really companies that still use predictable and lame questions? I won’t say who but the following were actually from a banking site.
And people wonder why I don’t list my birthday on Facebook?
The Results
So what typically happens when someone gets your Email and password?
First, it’s usually not personal. Once your Email is compromised it’s entered into an automated program. The program will log in and collect all the names and Email addresses from your contact list. It could be on AOL, GMail or Outlook; your address book is easy to access programmatically.
It won’t be long before the program breaks up your contacts and sends them all an Email with either a link to malware or something as benign as an advertisement for Viagra. It could just be an ad because these guys could be earning a couple cents for every view. Since it’s all automated it could add up to thousands of Euro a month.
Two things will happen next. Half of your friends may contact you to let you know you’ve been hacked. The other half will click the link and ask why you sent them to a Viagra site. You’ll be very surprised by how many people click on the link because it came from someone they trust.
Obviously, the first thing you’ll want to do is change your password. After that, unplug from the internet and run scans from any security program you’ve ever installed on your computer.
You’ll be very embarrassed because the Email will go to people who you still have on your contact list but aren’t close friends. You may feel violated. Don’t be embarrassed. It can happen to anyone and it does. Just think about it the next time you provide answers for security questions. Come up with out-of-the-ordinary answers that you’ll still remember.
Q: “Where were you born?” A: “In bed”
Q: “What’s your mother’s maiden name?” A: “Miss”
And if one of your friends sends you an Email with just a link, send them here to read BitsFromBill.com.