Security Question: What’s your mother’s maiden name?
Those security questions are a convenience for you, and an opportunity for the bad guy.
OSINT: (noun) Open-source intelligence (OSINT) is a multi-methods (qualitative, quantitative) methodology for collecting, analyzing and making decisions about data accessible in publicly available sources to be used in an intelligence context. In the intelligence community, the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources).
That is what a hacker will use if they want to find out information about you. If your information was found in a data breach, this is a cookie. Hackers are hungry and want more than just a little cookie, so they go hunting… for more cookies.
So in a data breach, they have your name and email address. Maybe a little bit more, maybe not. But still, they have something to work with. Maybe they know your credit card number but don’t know enough to use it to make purchases. They see your card belongs to Bank “X” and maybe you used the same email address as the one in this other data breach.
See where I’m going?
Hacker visits Bank “X” and enters your email address, then clicks Forgot/Reset password. It asks for some information like… what’s your mother’s maiden name? What’s your best friend’s name? Pet’s name?
A hacker will employ OSINT methods and go on a hunting expedition. The goal of the hunt is to find that info!
If I want to know your mother’s maiden name, I’ll likely visit Facebook. Your pet’s name? Check out your Instagram page. Many people don’t realize how much they’re really giving up to social media.
They research this, come back to the bank’s website and enter your mother’s maiden name, since they found it on a social media site. Site replies back, okay that’s correct: Enter a new password!
Guess what? They now have access to your account and will drain your funds. Next, they change your password to lock you out, so you can’t get back in to fix it.
Fun times for a hacker, and nightmare fuel for you.
So, those security questions… there’s no rule that says you have to actually enter the right answer. Mother’s maiden name? How about her name plus the year you or she were born? Instead of “Smith”, how about “Smith1944”? Pet’s name? How about the name of your street?
Those security questions are there for your convenience, but they also can be a detriment to your security, especially if the security questions are cookie cutter like your mother’s maiden name, street you grew up on, etc. All of these could be easily found by employing OSINT.
Out-smart the bad guys by doing little things like… adding something else to the answer. Maybe not the birth year after their name, but maybe your initials, “SmithABC”, for your mother’s maiden name or pet’s name. Something that only YOU would know to do for those questions.
The key is to remain consistent. Don’t do it for one website and not others, or else you’re going to confuse yourself, lock yourself out of an account one day, and find it a pain to regain access.
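To show why the “add something only you know” rule matters, here is an added example (not from the article or any bank’s code) that models a site’s password-reset check: answers are stored as salted hashes, compared after normalization, and then tried against a constructed list of guesses an OSINT search might turn up. The “ABC” suffix is the article’s own suggestion; the guess list and the site behaviour are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 50_000  # PBKDF2 work factor; assumed value for the demo


def normalize(answer: str) -> str:
    """Sites usually ignore case and spaces in answers; mirror that so 'SMITH ' == 'smith'."""
    return re.sub(r"\s+", "", answer.strip().lower())


def personal_answer(true_answer: str, personal_suffix: str) -> str:
    """The article's rule: keep the memorable answer but append something only you know."""
    return f"{true_answer}{personal_suffix}"


def store_answer(answer: str) -> dict:
    """What a site should keep: a salted hash of the normalized answer, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def check_answer(record: dict, attempt: str) -> bool:
    """Reset-flow check: hash the attempt the same way and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(attempt).encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def any_guess_unlocks(record: dict, guesses: list[str]) -> bool:
    """Does any publicly findable guess pass the security question?"""
    return any(check_answer(record, g) for g in guesses)


# Constructed guess list: what a search of public profiles might yield for "Smith".
OSINT_GUESSES = ["Smith", "smith", "SMITH", "Smith1944"]


def demo() -> tuple[bool, bool]:
    """Returns (true answer unlocks?, personalized answer unlocks?) for the guess list."""
    weak = store_answer("Smith")
    strong = store_answer(personal_answer("Smith", "ABC"))
    return any_guess_unlocks(weak, OSINT_GUESSES), any_guess_unlocks(strong, OSINT_GUESSES)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Note that “Smith1944” is in the guess list on purpose: a birth year is itself often public, which is why the article leans toward a suffix like your initials instead.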