antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4

Secret Security Questions Are a Joke

»it.slashdot.org/story/12/08/09/1···e-a-joke


Raphion

join:2000-10-14
Samsara

Security questions are like leaving your back door unlocked, just in case you lose the key to the front door.



JALevinworth

@embarqhsd.net

reply to antdude

said by »it.slashdot.org/story/12/08/09/1···e-a-joke :
"...But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers. 'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen, 'even more easily so today than in the 1980s when security questions evolved as a means of protecting bank accounts.' Part of the problem is that a good security question is hard to design and has to meet four criteria: A good security question should be definitive — there should only be one correct answer; Applicable — the question should be possible to answer for as large a portion of users as possible; Memorable — the user should have little difficulty remembering it; and Safe — it should be difficult to guess or find through research. Unfortunately few questions fit all these criteria and are known only by you."

As per: "Part of the problem is that a good security question is hard to design" - IMHO the real problem is not the question, but the answer to which most are trained to answer truly.

Most either assume or feel required to give the correct and honest answer to these questions - as if there is some way for an authority to validate those answers legally somewhere down the road if challenged.

There is no authority that presently can/will validate true answers to these questions (SSI nor DMV nor Birth Certificates, nor issuing banks that use them) if so challenged - but many/most people feel compelled to give the correct answers as if that may be true.

The solution is that individuals need to use alternative answers only known to them. Of course one needs to remember these answers, but consistently done it's just as easy as using the true, honest answer - but far, far more secure. This is what I have always done and teach others to do also.

Ex: What's your mother's maiden name? - Use your pet's name, or use your middle name, or your grandmother's middle name, or use something random - as long as you can remember what that is (consistency helps), and most importantly that only you know what your alternative answer is.

-Jim


Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·RoadRunner Cable
·Clearwire Wireless

said by JALevinworth :

Ex: What's your mother's maiden name? - Use your pet's name, ...

Absolutely.
Mix it up & keep 'em guessing.
I'll frequently borrow a pet's name when it comes to online verifications.
My user name on this site is actually one of my cats' names.

redwolfe_98
Premium
join:2001-06-11
kudos:1

reply to antdude
my thinking is that the problem with "security questions" is that they are less secure than passwords since, a lot of times, the security questions ask you for personal information that can be dug up, like "what street did you live on when you were a child?" "what is your mother's maiden name?".. so, i use bogus information for those types of security questions..

one time, when i had a problem with my yahoo account, instead of giving me security questions to answer, they told me to tell them what the security questions were, as well as the answers.. i couldn't tell them what the security questions were but said that if they would tell me what the security questions were then i would provide the answers, but they refused to tell me what the security questions were.. uhg!



CylonRed
Premium,MVM
join:2000-07-06
Bloom County

reply to JALevinworth
Problem is remembering what was used - that is why people answer them 'honestly' and truthfully. Many have to use the questions to begin with that by the time it is needed - people do not remember the one they used.

I have this issue with my birthplace - once I used the city my family lived in when I was born instead of the city name in the hospital (where I really was born). I continually locked myself out of the website because I could not remember which one I used. I figured the one I switched to would be easier to remember - I was wrong.
--
Brian

"It drops into your stomach like an Abrams tank.... driven by Roseanne Barr..." A. Bourdain
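Jim's method (consistent alternative answers that only you know) and the remembering problem CylonRed raises can both be handled by deriving every answer from one memorised master secret instead of inventing and storing each one. The following is an added Python example, not code from any poster or from this site: it keys HMAC-SHA256 with the master secret over a normalised site-and-question label and maps the digest into pronounceable words, so the same site and question always produce the same answer, different sites produce unrelated answers, and nothing has to be written down. The 32-word list, the site names and the master secret are constructed for the demo.

```python
import hashlib
import hmac
import math
import re
import unicodedata

# Constructed 32-word list for the demo. Assumption: a real deployment would use
# a published diceware-style list of several thousand words; 32 words give only
# 5 bits per word, so this demo's answers are deliberately short on entropy.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pebble",
    "quartz", "raven", "saffron", "thistle", "umber", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "amber", "birch", "cedar", "delta", "falcon", "garnet",
]


def canonical_label(site: str, question: str) -> bytes:
    """Fold case, drop apostrophes, turn other punctuation into spaces and collapse
    whitespace, so "Mother's Maiden Name?" and "mothers maiden name" give one label."""
    def norm(text: str) -> str:
        text = unicodedata.normalize("NFKC", text).casefold()
        text = re.sub(r"['\u2019]", "", text)          # mother's -> mothers
        text = re.sub(r"[^a-z0-9 ]+", " ", text)       # punctuation -> space
        return " ".join(text.split())
    return f"{norm(site)}|{norm(question)}".encode("utf-8")


def derive_answer(master_secret: str, site: str, question: str, words: int = 4) -> str:
    """Deterministic per-site, per-question answer: HMAC-SHA256(master, label),
    with one digest byte selecting each word."""
    if not 1 <= words <= 32:
        raise ValueError("words must be between 1 and 32 (one digest byte per word)")
    label = canonical_label(site, question)
    digest = hmac.new(master_secret.encode("utf-8"), label, hashlib.sha256).digest()
    # 256 % len(WORDLIST) == 0, so the modulo introduces no selection bias.
    return "-".join(WORDLIST[b % len(WORDLIST)] for b in digest[:words])


def answer_bits(words: int = 4) -> float:
    """Guessing entropy of a derived answer in bits for the current list size."""
    return words * math.log2(len(WORDLIST))


if __name__ == "__main__":
    master = "constructed master secret - memorise a real one"   # constructed
    for site, question in [
        ("example.com", "Mother's maiden name?"),
        ("bank.example", "What street did you live on as a child?"),
        ("bank.example", "First pet's name?"),
    ]:
        print(f"{site:13} {question:42} -> {derive_answer(master, site, question)}")
    print(f"each answer carries {answer_bits():.0f} bits with this {len(WORDLIST)}-word list")
```

Words rather than hex are chosen so the answer can be read out to a support agent over the phone, which is how these questions are usually consumed. The two knobs are `WORDLIST` and `words`: with a few-thousand-word list and four words an answer comfortably exceeds the strength of any real biographical fact, and the normalisation step means a site rewording "Mother's maiden name" to "mother's maiden name?" does not change what you would answer.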



Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·RoadRunner Cable
·Clearwire Wireless

reply to redwolfe_98

said by redwolfe_98:

one time, when i had a problem with my yahoo account, instead of giving me security questions to answer, they told me to tell them what the security questions were, as well as the answers..

The 'what are your questions' challenge was an easy way to harden a weak verification routine with data that was already there.
I had the same problem with not knowing the questions because it wasn't necessary to remember them when they were set.
I don't know of any service provider that adopted this extra challenge that actually informed its users of the change.


EGeezer
Go Cats
Premium
join:2002-08-04
Midwest
kudos:8

What's even more fun is when the site security admins expect you to remember not only the answer to the security question you provided, but the question itself.

I had a particular law enforcement site that required me to call in to replace an expired password. The admin asked me "What is your security question and answer?"

That one took a little time but I finally guessed the right question, and provided the right answer.



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

1 edit

reply to antdude

I say Bullshit..and what the individual wrote in your link does not even come close to any lessons to be learned from Mat's problem...it should really read..Apple Security is a Joke..and always was..and even their employees you talk to have no real sense of Security or caution..they just each make up their own rules and need more training.

Even my cat agrees..
»www.newsbiscuit.com/2012/06/08/c···a-digit/


JALevinworth

@embarqhsd.net

reply to CylonRed

said by CylonRed:

Problem is remembering what was used - that is why people answer them 'honestly' and truthfully. Many have to use the questions to begin with that by the time it is needed - people do not remember the one they used.

I totally agree that it's easy to forget, and that's why consistency is key to remembering what these alternative answers are. That way when you do have to use the reminder it's not that hard to remember the alternative set - Far less hard than remembering passwords which always should be unique and not consistent.

Even more secure is mixing them up, as Snowy suggests too, but still using consistent alternate answers is still a far better system to have something else, anything else, than data that can be found elsewhere such as public records or even through social engineering.

-Jim


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

reply to antdude
This is what really happened in Mat's own words and I think it is stupid all these other writers out there on the net and their blogs just post crap they think is important..but not really relevant..working on the heels of the tragedy he faced.

At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his .Me e-mail — which, of course was my .Me e-mail.

In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.

I spent an hour and a half talking to AppleCare. One of the reasons it took me so long to get anything resolved with Apple during my initial phone call was because I couldn’t answer the security questions it had on file for me. It turned out there’s a good reason for that. Perhaps an hour or so into the call, the Apple representative on the line said “Mr. Herman, I….”

“Wait. What did you call me?”

“Mr. Herman?”

“My name is Honan.”

Apple had been looking at the wrong account all along. Because of that, I couldn’t answer my security questions. And because of that, it asked me an alternate set of questions that it said would let tech support let me into my .Me account: a billing address and the last four digits of my credit card. (Of course, when I gave them those, it was no use, because tech support had misheard my last name.)

It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.

Apple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. “That’s really all you have to have to verify something with us,” he said.

We talked to Apple directly about its security policy, and company spokesperson Natalie Kerris told Wired, “Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”

On Monday, Wired tried to verify the hackers’ access technique by performing it on a different account. We were successful. This means, ultimately, all you need in addition to someone’s e-mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file. Here’s the story of how the hackers got them.

»www.wired.com/gadgetlab/2012/08/···ing/all/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


JALevinworth

@embarqhsd.net

said by Name Game:

This is what really happened in Mat's own words and I think it is stupid all these other writers out there on the net and their blogs just post crap they think is important..but not really relevant..working on the heels of the tragedy he faced.

The article antdude posted preferences that even though Apple failed to ask the security question, even if they had - security questions are a weak link too.

A security discussion based on that notion is not valid to you?

This thread isn't about Matt, but Matt's situation, although a bit hyperbolic to call it a "tragedy", had many lessons that can be learned from - both institutionally and personally. The system is broken and all discussions related to the system should be had, not stifled, whether related to Matt specifically and directly or not. You don't have to agree, just saying.

-Jim


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

2 edits

If they were asked, the perpetrator could not have answered them.. it would have ended there...they were not weak..what gave you that opinion ? Do you know the questions he had ?

Apple is still the problem..not the questions..Apple does not have a clue how to secure accounts or how to implement security.

»news.cnet.com/8301-13579_3-57424···estions/

»support.apple.com/kb/HT5312?viewlocale=en_US

»discussions.apple.com/thread/405···tstart=0
56 min ago...
»discussions.apple.com/message/19···19221027

--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

reply to antdude

Matt now realizes that 2 step verification as google lays it out is good and he should have taken advantage of it.

»www.theatlantic.com/technology/a···/260822/

»googleblog.blogspot.com/2011/02/···our.html

»www.mattcutts.com/blog/google-tw···ication/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


hortnut
Huh?

join:2005-09-25
PNW
Reviews:
·Comcast

reply to antdude
My take on this is mirrored in other's answers.

I happen to like the questions.

But no one is going to know the High School I graduated from, nor the first street name, first pet name and so on.

I pull some information from over 150 years ago, some is from imaginary cities or cities I would like to live in and such other ilk.

For me it is consistent, but not sure how someone could deduce it from any public records. Not even friends know cities I would like to live in. When bored, use Google Maps to visit these places.

For a pet's name, sometimes I will give the name of my best friend's dog from high school.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

Gee, high school must have been recently if you remember your best friend's dog's name! I haven't the vaguest idea what my best friend's horse's name was (I don't think she had a dog). I've never had a security question ask me my first pet's name...who remembers that? You were probably maybe four years old and back then pets tended to not live very long...I had three or four before the dog that lived to be almost 20 and I don't recall the names of any of the earlier ones. Plus, I had about ten cats...it's a dumb question.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



JALevinworth

@embarqhsd.net

reply to Name Game

said by Name Game:

If they were asked, the perpetrator could not have answered them.. it would have ended there...they were not weak..what gave you that opinion ? Do you know the questions he had ?

I never said the questions Apple didn't ask could or couldn't have been answered. I am not talking about Apple at all.

Again, this thread isn't about Apple and Matt, this thread is a discussion about how weak security questions are - Not Matt's nor Apple's. Check the title (I am honestly questioning whether you made a wrong turn to this thread from the Apple/Matt one).


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

1 edit

The questions are secure enough..they are not a wasted security step..if anything you should be calling them second, third and even in some cases fourth passwords. Is that what you wanted to hear ?

And this is about Apple since they just bypassed that whole process and gave up the farm for Mat. I call blogs and postings like the one the OP found nothing but copycat blogs.

Apple, like Microsoft when they started, cared bugger all for Security and so now at this midnight hour they start to put safeguards in place and it is too late.. it is not working, it is confusing their users and owners of their products...and there are more problems with even the owners getting locked out of their own accounts as they play the catch-up game that Apple is playing. I read the Title..it is the same stupid title used by the person who blogged the stuff and nothing to do with antdude.
It is a weak title this week for the info at the link.

_________________________________________________

Interesting to note one of the other people at the link antdude posted claimed..

by Cinder6 (894572) on Thursday August 09, @12:05PM (#40932671)
Hell I did it with Blizzard for what, $30 and I got a plush toy.

This has always bothered me. My Blizzard and SWTOR accounts have much stronger authentication (from a user perspective; not sure about the underlying technical security measures) schemes than my bank account. My bank only allows a maximum of 14 characters in a password and severely limits you on what special characters you can use. They also have no form of secondary authentication, such as Blizzard's Battle.net Authenticator. Finally, their security questions are a joke, all along the lines of those mentioned in TFS--"What is your mother's maiden name" and the like.

and Blizzard was just hacked...so it is never safe out there..no matter what steps a user takes..

»Blizzard Says Battle.Net Has Been Hacked
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


carpetshark3
Premium
join:2004-02-12
Colorado Springs, CO

reply to hortnut
Did the same except also used the slang name for the neighborhood. Which is on no map.

Daughter used to make up words when small. I've also used her made-up vocabulary - would you know what a word like catpiss or joppy referred to? Some were just mispronunciations.

Even the vet has trouble with our cats' names. Always has.

I can also remember instances from age 2.



rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA

reply to Raphion
I think they are more like hiding a key in a glass jar under the bushes next to the back door.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.

over 13.5 years online © 1999-2013 dslreports.com.