The Hulk Was My Best Friend As A Kid: Advice on Answering Security Questions

Think twice before giving truthful answers to your online banking and services security questions. The answers can sometimes be easy to find online.

Photo by Hermes Rivera on Unsplash

Or was it Superman? Did my article title catch your attention? You might be wondering who my best friend was growing up or asking yourself why I am talking about this topic in the first place. It’s because information security still relies on answers to questions (like “Who was your best friend growing up?”), and this common practice may leave you vulnerable to someone compromising your account.

Purpose Behind Security Questions

Security questions act as a second check at login or during account recovery. The first check is your username and password; the next is the answer to a security question. The premise is that only you know the answers, and the site grants access once every check passes. Note that an answer is still "something you know," the same kind of factor as a password, so it is a second knowledge check rather than an independent second factor. Many sites also accept it on its own to reset a forgotten password, which makes a guessable answer as dangerous as a guessable password.

This concept predates widespread social media. In the 90s and early 2000s, people posted some information about themselves in blogs and chat rooms, but they were more guarded about what they disclosed. Social media eroded that privacy: the sites collected information, and users volunteered even more of it themselves. People began revealing the answers to security questions without realizing it.

A Faulty Factor

Here is a hypothetical situation: a user tags a grade school teacher in a post on a social media site. Both users have hundreds of followers, and the first user's posts are public to the entire Internet. The post reads, "What an amazing teacher. My favorite." Now anyone on the Internet can see the post declaring this teacher to be the first user's favorite.

It is not hard to deduce that the teacher is the user's favorite grade school teacher. That teacher might have a profile on a job site or professional networking site with a resume listing every job title and the years it was held. The social media site might show the first user's birthday or age. Someone can now correlate the user's age with the teacher's job title during the user's grade school years. The answer to "Who was your favorite teacher in grade school?" is known.

An Approach to Answering Security Questions

You may not have posted such information yourself, but your friends and acquaintances might have. Your security is only as strong as its weakest link, and your social connections are a likely one. Therefore, answering security questions with something other than the true answer is beneficial.

One approach is a theme. Most sites that still use security questions require three to five answers; you can provide all of them from a theme such as the names of superheroes or flowers.

For example:

Q: What is the name of your favorite teacher?
A: Tullip

Q: What is the name of your favorite pet?
A: Dandelion

Better, treat each answer as a password and mix in a variety of characters. Be aware that swapping letters for look-alike digits and symbols adds little on its own: an attacker who guesses the theme can apply the same substitutions.

For example:

Q: What is the name of your favorite teacher?
A: +ull1p

Q: What is the name of your favorite pet?
A: D@ndel10n

Better still, use a passphrase of several words; a longer answer is much harder to guess than a single themed word.

For example:

Q: What is the name of your favorite teacher?
A: Purpl3 +ull1p

Q: What is the name of your favorite pet?
A: D@ndel10n Fuzz

Build a lookup table of the answers you gave each site, and keep it where you keep your passwords, such as in a password manager; a plaintext note defeats the purpose. Prefer a different answer for each site so that one site's breach does not expose your answers elsewhere. The set of security questions is similar across websites, and lists of common security questions are easy to find on the Internet, so you can prepare answers in advance.
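The passphrase and lookup-table approach above, as an added example that is not part of the original post. It goes one step further than the themed scheme: each (site, question) pair gets its own answer drawn from uniformly random words using the operating system's CSPRNG, and an entropy estimate shows why a single flower name, with or without leetspeak, is far weaker than four random words. The wordlist, site names and question texts are constructed for the example; in practice you would use a large published wordlist such as the EFF long list (7776 words) and keep the resulting table in a password manager.

```python
import json
import math
import secrets

# Constructed sample wordlist, kept short so the example runs offline.
# Assumption: a real deployment would use a large list (e.g. 7776 words).
SAMPLE_WORDS = [
    "tulip", "dandelion", "orchid", "marigold", "lavender", "peony",
    "anvil", "copper", "harbor", "lantern", "meadow", "quartz",
    "saddle", "timber", "velvet", "walnut",
]

# Questions of the kind many sites ask. The stored answers have nothing to do
# with the question, so OSINT on the true answer yields nothing useful.
COMMON_QUESTIONS = [
    "What is the name of your favorite teacher?",
    "What is the name of your favorite pet?",
    "What was the name of your first school?",
]


def entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of an answer of n_words words chosen uniformly at random from
    a list of wordlist_size words: n_words * log2(wordlist_size)."""
    return n_words * math.log2(wordlist_size)


def generate_answer(words, n_words: int = 4, sep: str = " ") -> str:
    """Build a passphrase-style answer from uniformly random words, using the
    secrets module (OS CSPRNG) rather than the random module."""
    if n_words < 1 or len(words) < 2:
        raise ValueError("need at least one word from a list of at least two words")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def build_lookup_table(sites, questions, words, n_words: int = 4):
    """Return {site: {question: answer}} with a fresh random answer for every
    (site, question) pair, so a leak from one site cannot be replayed at another."""
    return {
        site: {question: generate_answer(words, n_words) for question in questions}
        for site in sites
    }


def is_well_formed(answer: str, words, n_words: int, sep: str = " ") -> bool:
    """Check that an answer is exactly n_words entries from the wordlist."""
    parts = answer.split(sep)
    return len(parts) == n_words and all(part in words for part in parts)


if __name__ == "__main__":
    # Hypothetical site names (.example is a reserved TLD).
    table = build_lookup_table(["bank.example", "mail.example"], COMMON_QUESTIONS, SAMPLE_WORDS)
    print(json.dumps(table, indent=2))
    # One flower picked from a themed list of about 100 is under 7 bits, and
    # character substitutions add at most a few bits; four random words from a
    # 7776-word list are about 51.7 bits.
    print(f"themed, 1 of 100 flowers: {entropy_bits(100, 1):.1f} bits")
    print(f"4 words from a 7776-word list: {entropy_bits(7776, 4):.1f} bits")
```

The JSON printed at the end is the lookup table; paste each answer into the site's form and store the table in your password manager's notes field for that site rather than in a file on disk.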

Conclusion

Someone can discover the answers to security questions through open-source intelligence (OSINT) gathered from social media sites. Do not answer them truthfully; treat them as passwords.


Originally published at Secjuice


Miguel A. Calles · Serverless CISO

Author of "Serverless Security" · Specializing in CMMC, SOC 2, serverless & engineering.