Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Friday, February 08, 2013

Banking System Fails Due To Security Question

The biggest threat to your security may be the answers you’ve given to security questions. You could have the wackiest combination of characters in your password but it won't matter when someone can easily find out what high school you attended. 

If you’ve been paying attention to computer news you may have heard that the US Federal Reserve Bank was hacked. Details on over 400 bankers was stolen although the Fed won’t say what the “Details” are.
You may have also heard about the Bush family being one of the many hacked due to a flaw in Yahoo’s Email service. One flaw they have in common is an outdated method to reset your password.
This week I discovered one reason banks have failed to provide accurate security all the way up to the top.  It took me 3 minutes to find that Fed Chairman Ben Bernanke’s mother’s maiden name was “Friedman”.

I recently realized the company providing services to my small town bank is still living in the 70’s and probably still stores my information on magnetic tape reels programmed in COBOL According to its website Fidelity National Information Services or FIS is the world’s largest global provider dedicated to banking and payment technologies.

I’m a big fan of security questions but not when multiple sites use the same questions.  It’s especially scary when I see what must be the first security question ever used. Mothers Maiden Names?

Even if you can’t remember multiple passwords what I recommend is creating standard replies for common security questions.  Since most answers to security questions can be found on Facebook your answers to security questions should never be truthful.

What’s your favorite book? Your answer should not be The Bible, The Hobbit or 50 Shades of Grey.  It won’t be hard to remember, “Jokes for the John” or “Green Eggs and Ham”. Just associate your answer with a common theme.

Where did you go to High School? NEVER give your real school. The kids on Happy Days went to Jefferson High.  Use your own imagination and make up a high school name you’ll remember.

Where were you born? How about Taxicab or Seattle Grace?

The name of your first pet?  How about Dino? Even if your dog had a different name, don’t use Snoopy or Lassie as fake answers. They’re like using 12345 as a password.

Now that I’ve used these examples I wouldn’t use any of them but you’ll find it’s easy and fun to come up with fake answers. Create fun fake answers that are so funny, you’ll be sure to remember them.  And if they ask you for your mothers maiden name, go complain to your bank manager like I plan on do.

While I can’t say the recent Federal Reserve attack was due to a common security question the screen shot from my bank is real.  The number of hacks that begin with a simple security question is undeniable. As a security professional I’m embarrassed it took this long for me to write about this problem. Just ask Sarah Palin what high school she went to and you’ll be reminded this problem has been around for many years.

Update March 23, 2013: I neglected to mention one other important related tip. When asked for your birthdate always use another date you'll remember. Recently, it was revealed that anyone could obtain the password for an Apple account, like iTunes, by knowing a users Email & Birthdate.  The Verge, March 22, 2013

Share on Facebook


Anonymous Mitch Garvis said...

Hi Bill. As a fellow MVP I wanted to let you know that I enjoyed your article on security questions, and have written a short post linking to it from my blog that will go live on Tuesday. If you are going to be at MVP Summit I would love to meet you - look for the tall fat man from Canada :) -Mitch Garvis

9:17 PM  
Blogger Unknown said...

Sounds great. Glad you found the blog.

I'm flying in Sunday night and will be staying at the Hyatt. I'm attending mostly Security sessions but I'll look for you with the other Canadian delegration!

10:45 PM  
Blogger Unknown said...

This highlights the biggest problem.

Companies can spend lots of money on higher security but its no good if the person uses a secret answer that most people will be able to guess.

It's important to note that a lot of hacking is actually social engineering where people are tricked to give the information e.g. someone pretends to be someone else. Expensive software, services etc. simply can't prevent most human errors.

10:12 PM  
Anonymous Jim North said...

Hi Bill,

Your post re using fake security question answers was excellent--most people still don't realize the importance of keeping that info "unguessable."

I take the whole process one step further, and I think it would be pretty easy for anyone to do the same. My method involves remembering only a single password that gives me access to any of my hundreds of different internet accounts. That method is of course the use of a password manager. I use Password Safe (from Sourceforge), but there are several other good (and free) ones out there.

Password Safe has a random password generator feature that is fully configurable regarding number of characters, alpha-numerics, special characters, etc. That feature could also be used to generate fake answers to security questions, but I'm too lazy to reconfigure it to fit the different "what's allowed rules" for my various financial and other "sensitive" accounts.

So what I do (and it's worked on every one of my accounts for several years) is simply type random upper- and lower-case letters as security question answers. Thus my mother's maiden name might be JeujAlguieyskT, my high school might be PlsjgHje GanGjeuiCneghb, etc. I simply store each Q&A in Password Safe, and copy/paste as needed. (And of course I always type a new set of random letters for similar security questions across different accounts.)

Maybe all of this is overkill? For sure I can't be the only one doing this, yet I've not read about it on any of the several security blogs/forums I visit. Any thoughts/comments would be appreciated.


Jim in the Philippines

10:22 AM  
Anonymous gingerella7 said...

How can you be sure your Password Safe won't be hacked? I have heard of it, but don't have it yet because I didn't like the idea of having all my passwords available in one place where someone else might just hack into and have them ALL at once.

I assume I am being a dunderhead and there is some magic way that this is prevented... so please enlighten me... please.

6:21 PM  
Blogger Unknown said...

In the context of this article using password programs don't make a difference. You could have a password of ACBDE or GD6u^t3DRE and it won't matter if 1) the company is hacker and makes your password available or 2) you use simple security questions.
No matter what or where you store your password, if you don't use fake security questions someone could guess your answers and they'll be given your password no matter how cleaver it is.


11:48 PM  
Anonymous Ray Harasymiw said...

Crash after New Alerts--
Thanks for the quick fix. I installed the version of WP+. and all is s/b with the world again.

4:29 AM  
Blogger Unknown said...

Bill, another note on this: I have 2 computers, one vista and one xp. both are doing that crash things; seems pretty fishy to me!

2:16 PM  
Anonymous Anonymous said...

Hi Bill,

I love your Bits from Bill as so many people may not realize the simple obvious tidbits, that are so important. My nickels worth of advice (we don't have the penny in Canada anymore, so I have to round up) is that I NEVER answer these questions with the obvious, and truthful answer.

So... what's my mother's maiden name? Purple. Well, not really, but it's just a word matching game as far as the server is concerned. I never provide actual information to any of my security questions and I applaud you for nailing this one on the head as many people fail this, and no matter how secure your password it won't do much good if you use a back door answer that gives others simple access with minimal effort by answering a security question with an answer others may know.

So, as for keeping track, I use LastPass. It lets me keep track of passwords and log on with them, but in case something goes AWOL I can refer to the site and recall any of the notes I made about each individual site in the LastPass Notes section, such as my mother's maiden name.


4:08 AM  
Anonymous Jurriaan Nijkerk said...

Hello Bill,

THis is about the problem with Adobe and the Winpatrol Monitor.

We have systems with WXPSP3 and WVista. The problem occurs just on the Vista systems.

I suppose you know already, but it's better 'to have one more than to have one less.' ;-)


4:29 AM  
Anonymous Marie Counter said...

I am particularly annoyed already because my bank uses my date of birth plus 4 other numbers (too easy to rotate through them) as my customer number. This bypasses most of their security measures when telephoning. Thankyou for your very throught provoking article. It had already occurred to me my date of birth is too easy to find, but not things like pets names etc. I cme across your blog through BT Users Forum Marie Counter

4:58 AM  

Post a Comment

<< Home