Spyware, Viruses, & Security forum

Am I the only one who has concerns over those "security questions" on Web sites?

by Lee Koo (ADMIN) CNET staff/forum admin / July 6, 2012 9:32 AM PDT
Question:

Hello everyone. As I'm doing more and more things online, the one
thing that I've come to really hate are those "security questions."
The idea that there could be questions that are easy for me to
remember but impossible for others to research in itself is absurd,
but many Web sites insist that I must answer these questions. This is a
big problem for me:
- The questions themselves are an invasion of privacy.
- If I were to answer honestly, that would be a huge security risk,
since it is not so hard to find out the answers with a little bit of
research.
- If I make up bogus answers, I have to write them down somewhere,
which is a huge inconvenience and also a security risk in itself.
For a while I have attempted to boycott sites that use security
questions, but this practice has become so pervasive that it seems
no longer possible to do so. How do other members deal with this?
What's the legal status? These questions are such a big security risk,
I feel certain that there must already be cases where accounts have
been compromised. Have companies been held accountable? Are there
any signs that this practice will soon come to an end?

Best regards,

-- Submitted by Gernot G.

Well, I think
by MarkFlax Forum moderator / July 6, 2012 11:04 PM PDT

we are stuck between a rock and a hard place.

We can refuse to use such sites if we wish to avoid having to answer security questions and go elsewhere, but if we really need to use such a web site then we must abide by their processes. There is no way around it.

I 'do' use false questions/answers and have done for some time now. Yes it is a pain having to write them down, but I accept that.

As to the reason for the questions themselves, we only have to look at the breaches and vulnerabilities to see why even more security measures are required.

Mark

I agree
by hawkhuff / July 20, 2012 10:37 PM PDT
In reply to: Well, I think

I really don't mind if there are layers of security questions on sites that are important and/or are used frequently.

And I do agree if the site asks any personal questions you lie, lie, lie. We have this power over our personal information. In fact, it's one of the few things that we do given the ever increasing invasive society in which we live. Very soon anyone will be able to see your personal medical information and history. How scary is that? We live in dangerous times and it is up to each individual to guard our information to the utmost extent possible. No one will do it for us.

The only hitch is you must then store that information somewhere so you can 'recall' those lies at a later time. How you do that should also be guarded.

Here's What I Do.... (NEVER use your real info)
by webserf / July 23, 2012 2:11 AM PDT
In reply to: Well, I think

ALWAYS write your own questions if you can but NEVER give any real information. Use "code" or answers that are so obscure or wrong that no one would or could guess them, for example:

What is your favorite month of the year?
ANSWER: "Chocolate"
What is your favorite Day of the week?
ANSWER: "Someday"
What is your favorite color?
ANSWER: "Blanket"

Remember, when you write your own questions, the "system" allows most any number or syntax as your "answer".

But, if you HAVE to use their set questions, you might be limited in what kind of answers you can use. For example, if a question asks what year you graduated, you might not be able to put an arbitrary answer in there, such as letters.
Here are some examples of how I might set up "security" questions/answers on a website.

What was the name of your favorite Teacher in grade school?
ANSWER: "Ms. Nobody"
What is your mother's maiden name?
ANSWER: Noneofyourbusiness
What street did you grow up on?
ANSWER: NoStreet (or anything BUT your real street)
What high school did you graduate from?
ANSWER: NoSchool High
What is your pet's name?
ANSWER: My Pet
What year did you graduate?
ANSWER: 1800

Also remember to have some consistency in whether you CAPITALIZE the first letter of your answers because this is a factor with some systems, so find a "system" or "code" that works for you.
Finally:
The Key is to remember the answers, code, and/or methods you set up for your questions/answers and use answers that are so out there that no one would/could guess them, and never, ever give your real information when it's not truly necessary.

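webserf's scheme above (never a real fact, a consistent "code" so the answers can be recovered, and answers shaped to what each field will accept) can be mechanised. The following is an added example written for this thread, not code from any poster or site: every answer is derived from one master secret with HMAC, so nothing has to be written down per site, yet each site and question gets a different answer. The word list, the assumed year range and the three field "kinds" are assumptions for illustration; a real tool would use a diceware-style list of thousands of words. The trade-off is that whoever holds the master secret can regenerate every answer, so it belongs in a password manager vault, as the LastPass users below do with their fake profiles.

```python
"""Fake, per-site security-question answers derived from one master secret.

Added example for this thread, not code from any poster or site. WORDS,
FREE_ALPHABET, the 1900..1999 year range and the field kinds are assumptions.
"""
import hashlib
import hmac
import math
import secrets

# Constructed word list (assumption). A real tool would use a diceware-style
# list of thousands of words; 16 words here keep the example readable.
WORDS = ("Blanket", "Chocolate", "Someday", "Lantern", "Pebble", "Harbor",
         "Velvet", "Cinder", "Marble", "Orchid", "Thistle", "Granite",
         "Copper", "Meadow", "Saffron", "Quartz")
FREE_ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.")


def new_master():
    """256-bit master secret; generate once, keep it in the password manager."""
    return secrets.token_bytes(32)


def normalize(text):
    """Canonical form of a site or question label, so "Mother's Maiden Name"
    and "mother's  maiden name" derive the same answer (webserf's point about
    capitalisation consistency, applied to the labels)."""
    return " ".join(text.lower().split())


def _stream(master, site, question):
    """Deterministic keyed byte stream: HMAC-SHA256 over a domain-separated
    label, extended with a counter so any amount of output can be drawn."""
    label = f"secq|{normalize(site)}|{normalize(question)}|".encode()
    counter = 0
    while True:
        yield from hmac.new(master, label + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
        counter += 1


def _uniform(stream, n):
    """Unbiased integer in [0, n) via rejection sampling on 32-bit draws."""
    limit = (2 ** 32 // n) * n
    while True:
        v = int.from_bytes(bytes(next(stream) for _ in range(4)), "big")
        if v < limit:
            return v % n


def derive_answer(master, site, question, kind="word"):
    """Answer for (site, question), shaped for what the field accepts.

    kind="word": three capitalised words run together, letters only, for
                 name-style fields that reject digits or punctuation.
    kind="year": four digits in 1900..1999 (assumed range) for year fields.
    kind="free": 20 mixed characters for fields that accept anything.
    """
    stream = _stream(master, site, question)
    if kind == "word":
        return "".join(WORDS[_uniform(stream, len(WORDS))] for _ in range(3))
    if kind == "year":
        return str(1900 + _uniform(stream, 100))
    if kind == "free":
        return "".join(FREE_ALPHABET[_uniform(stream, len(FREE_ALPHABET))]
                       for _ in range(20))
    raise ValueError(f"unknown answer kind: {kind!r}")


def entropy_bits(kind):
    """Guessing strength of each kind. A year field gives under 7 bits, so
    prefer free-text questions wherever the site offers a choice."""
    base, count = {"word": (len(WORDS), 3), "year": (100, 1),
                   "free": (len(FREE_ALPHABET), 20)}[kind]
    return count * math.log2(base)


def answers_for_site(master, site, questions):
    """Answers for every (question, kind) on one form, guaranteed pairwise
    distinct because some sites reject identical answers across questions.
    Deterministic: the same master and inputs always give the same dict."""
    out = {}
    for question, kind in questions:
        attempt, answer = 0, derive_answer(master, site, question, kind)
        while answer in out.values():          # re-derive on a collision
            attempt += 1
            answer = derive_answer(master, site, f"{question} #{attempt}", kind)
        out[question] = answer
    return out


if __name__ == "__main__":
    master = new_master()
    form = [("What is your mother's maiden name?", "word"),
            ("What year did you graduate?", "year"),
            ("What is your favorite color?", "free")]
    for q, a in answers_for_site(master, "bank.example", form).items():
        print(f"{q}\n  -> {a}")
```

Run it once per site and paste the answers into the form; re-running with the same master secret reproduces them, so the only thing to back up is the master. The entropy figures are the reason to avoid the "what year" questions when a site lets you pick: a four-digit year is guessable in at most a few hundred tries however fake it is.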
I also have strange security Ques.
by Darrell / July 30, 2012 7:31 AM PDT
And I usually write the answers down someplace secure, like I have my father's middle name and my answer would be my mother's middle name. I like webserf's idea!!

With Last Pass...
by JCitizen / July 30, 2012 10:08 AM PDT

you can easily make profiles to fill generic questions like that, and make them completely fake. LastPass will encrypt the information for you, so even if you use the real name, at least a keylogger can't detect it, and what is in the hard drive is encrypted for your safety.

I completely agree
by Bob2399 / August 4, 2012 4:50 PM PDT

I totally agree with you. Because I have put my family history on line in a few places, my mum's maiden name is in the public domain - well most of our personal information is available out there. I put easy-to-remember but non-factual names for all of these things.

security questions on some websites
by Fiona_jonas / August 7, 2012 6:53 PM PDT
In reply to: Well, I think

Yes, that's what I would like to state. I will refuse to answer security questions

They are annoying

But so is landing on an old out of date page, bot responses & having to join to buy. If enough people complain it may go away.

Unless I really want to be on that site, I won't get into having to jump through hoops, dumb 'captchas' & security questions.
There are plenty more places out there to explore.

really
by gbswales1 / July 20, 2012 3:55 PM PDT
In reply to: They are annoying

Do you spend a lot of time browsing sites that you don't want to be on for some reason or another? The counter argument to what you say is that maybe you spend too much time visiting sites that do not protect you. The one however that does annoy me is forum sites where I really don't see the security as so necessary. OK someone could post using your name but since it is easy enough to set up an account with anyone's name anyway - it seems a little pointless. Captchas are becoming necessary simply because the spammers take over anywhere that doesn't have them. However there are good and bad of these - I have seen some which ask you to do a simple sum or quote the next letter in sequence and the like - these are great but some of the ones with jumbled distorted characters often take several attempts to get them right.

What I use is....

...a form fill program. Which is again, admittedly, another security risk but I think we can get so caught up in the paranoia of the whole thing that it destroys our enjoyment of using the net. I use a program called Lastpass (there are others) but it has a memory mode where it copies your answers on a form and encrypts them. Then when you want to sign back on to the site in question, just tell it to fill the form and it does complete with any fictitious info you entered on that site originally. The encryption is done on your computer so (supposedly) nothing raw is going out on your router....which is itself encrypted. You only have to remember one password to get into your "Vault" so it simplifies things and if you change that password often (I do) then I think you would be about as safe as possible. I was a cop for 30 years and I can tell you there is no such thing as complete security. No way, no where, no how.

Security Questions

The "Answer" to a security question does NOT have to be "Correct." Nor does it even have to relate to the question. In fact you can even use the SAME ANSWER to all security questions. Something like "What is your mother's maiden name?" Answer = "Grapefruit." Or "What was your first pet's name?" Answer = "Grapefruit." Get the idea? All it has to do is match what you put down for the answer. You could even use a number in place of a word. So quit worrying about privacy and move on. LOL....unless you really DID have a mother whose family name was grapefruit and you named your first pet after her....!!

Not Necessarily with Banks
by AnthonyNYC / July 7, 2012 2:18 PM PDT
In reply to: Security Questions

I like the advice everyone here has given about using fictitious answers for security questions but the web sites that I see this used the most are Banking web sites.
And when they ask what is your Mother's Maiden name, I don't think you can write grapefruit because they have that info already from forms you filled out years ago.
And I would be worried about having them compare the info with data they have on file for you and deny me access thinking that I am NOT really myself.

BUT in general, yes! I like the idea of giving false answers like that! Great suggestion, I can't believe I didn't think of it first? LOL
What I usually do is choose a question that nobody knows the answer to, like the name of my first pet. It could be a turtle you had as a 12 year old, who could research that info? There was no Facebook back then, Thank God. You get the idea, but making up answers is even better, as long as you remember the answer. A form filler program is a good idea for doing that also.
Thanks, I agree more security is needed online, sending a code to a cell phone or e-mail seems pretty good idea to me rather than using security questions in general.

Works with banks also
by Triadguy / July 7, 2012 10:56 PM PDT

Giving incorrect answers to banks works also. Have been doing it for years. No one at the bank is going to look to see if your answer is correct - hell they don't even check signatures on checks anymore.

It's just one of the ways they use to try and protect your info and cover their butts.

I provide false answers but not always the same one. If they ask for my Mother's name I give them my Great-Grandmother's maiden name (not easily found). If they ask for my first car I reply with the first car I totalled (had a wild youth).

So let me get this straight
by AnthonyNYC / July 8, 2012 7:11 AM PDT
In reply to: Works with banks also

Hi Triadguy,
My Bank has my mother's Maiden name on file because I filled out a Bank application years ago and it was one of the questions on the paper form. This was a long time ago before that Bank even had online banking. So what you are saying then is that when asked online from that same bank my Mother's Maiden name, I can make something up and it doesn't get compared to the data they already have on file for you from the original banking records from when you opened the account?

How are you so sure about this? I know sometimes Banks cash checks with missing signatures and stuff so people assume they don't really check things well but now, it's more machines doing the scanning of checks and computers matching bank records so I would think catching this mis-match would be pretty easy for a bank.
Plus Banks share your info with the 3 credit unions and they usually have your mother's maiden name on file to help identify you, so having a Bank send info about you to the credit union with an incorrect Mother's Maiden name can get messy and you may end up having multiple credit files.

If you work for a Bank and know for a fact that the answer to the maiden name question isn't checked against actual data on file for you thru credit unions etc... but only against the answer you put online when setting up online banking then I might feel more comfortable giving my bank a false answer to that question.

I just avoid choosing that question on a site that also offers other options because I know I already gave the correct answer to my Bank years ago. So I would want other sites also storing that answer in their systems. Thanks for the input.
Happy

In General
by Hforman / July 12, 2012 1:26 PM PDT

With some websites, if you forget a password, you can click on "Forgot Password?" and then put in your email address and they will actually email you the password. This is terrible because the email isn't encrypted (suppose you have a fellow employee checking your email while you are on vacation, or someone has hacked into the email somewhere). Also, that means the employees at the offices of the web site can read your password. In other words, the password is stored in plain text.

Most high-security organizations like banks, have to conform to Federal standards at a minimum. In my bank and many other sites I use, the password AND the security question answers are encrypted so the employees cannot see these. I doubt seriously that they can compare the answers even if they wanted to. Why do they ask you for your mother's maiden name? Is it really something important to your account? It usually is just for security. Before online banking, it would be used for when you called up about your account (customer service: need more checks? Need a higher limit on your credit card? Checking balance?).

Why don't they see what your answers are? Because, even with checking out employees, it is easy to pick up one with financial troubles .... When working in the area of security for a county government, we had to send a list of social security numbers to a mobile provider for more information. We had to do one-way (SHA1) encryption. That is, nobody can decrypt the encrypted form. So, how do they check out one-way encrypted data? They take all the information they have on file and encrypt that data. Then they compare the item you are looking at in its encrypted form with their files looking for a match. That way, nobody sees the actual data.

I think that this is probably what companies use for either your security answers or the password. When you tell them you forgot your password, they don't send it to you but they send you a LINK to a page that will ask questions to verify your identity and then they allow you to reset your password.

But, how do you know what the security method is at your bank? Two ways: Look it up on their website either in Terms of Service or a security link. Otherwise, you can simply call them on their customer service and ask. Your bank shouldn't lie to you.

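The reset flow Hforman describes (a link rather than the password, identity questions on the landing page, then a new password) has a few properties worth getting right on the server side: the token in the link must be random, short-lived and single-use, and the database must not hold it in usable form. Here is an added example of such a token store, written for this thread and not taken from any bank or poster; the in-memory dict stands in for a database table, and TOKEN_TTL and the hashing layout are assumptions.

```python
"""Single-use, expiring password-reset tokens, stored only as a hash.

Added example for this thread, not code from any poster or bank. The
in-memory dict stands in for a database table; TOKEN_TTL is an assumption.
"""
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumption)


def _fingerprint(token):
    # Only this hash is stored: a leaked table (backup, SQL injection) does
    # not yield working reset links, the same reason passwords are hashed.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetStore:
    def __init__(self):
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id, now=None):
        """Create the token that goes into the emailed link. Any earlier
        token for the same user is revoked so only the newest link works."""
        now = time.time() if now is None else now
        self._pending = {k: v for k, v in self._pending.items()
                         if v[0] != user_id}
        token = secrets.token_urlsafe(32)  # 256 random bits, never stored raw
        self._pending[_fingerprint(token)] = (user_id, now + TOKEN_TTL)
        return token

    def redeem(self, token, now=None):
        """Return the user id for a valid token, else None. The token is
        consumed on the first attempt whatever the outcome, so a link that
        has been used (or has expired) cannot be replayed."""
        now = time.time() if now is None else now
        entry = self._pending.pop(_fingerprint(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if now <= expires_at else None


if __name__ == "__main__":
    store = ResetStore()
    token = store.issue("user-42")
    # Assumed URL for illustration; the site would email this link.
    print("emailed link: https://bank.example/reset?token=" + token)
    print("first use ->", store.redeem(token))  # user-42
    print("replay    ->", store.redeem(token))  # None
```

A successful redeem only proves the caller could read the mailbox; the page it lands on should still ask the security questions (or whatever second check the site uses) before accepting a new password, which is the step Hforman's description includes. Nothing in this flow ever needs the old password, which is why a site that can do this has no reason to keep passwords in plain text.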
They send you a temporary Password.
by bigbear639 / July 20, 2012 2:53 PM PDT
In reply to: In General

They send it and after you sign in you can change it to a new one or if you remember the old one after all use it again. Some sites will not allow using the last 3 passwords over again, but you can change it to caps or add something before or after the old password. As for Mother's maiden name, what if you don't know it or were adopted as an orphan. My Bank never asked for maiden name when I filled out an application before they used computers. They might require you to show some form of identification, or they gave you one to use at all their Branches.

You May be Right
by 2dogday / July 20, 2012 4:06 PM PDT

AnthonyNYC may be correct about banks checking signatures on checks. I wrote a check once, when I changed the first letter of my first name from a cursive letter to a print letter--this was only on my first name, and only on the first letter! The check was returned to me to verify that it was not forged. I was stunned. I don't know how they do it, but they must have some sort of machine that verifies them.

checking on your answers
by sailor4556 / July 24, 2012 11:35 AM PDT

I believe that the answers you put in the form are not unscrambled when you send it in... like a password I think the system knows the answers but the people do not... any insight on this thought?

Agree
by Hforman / July 25, 2012 2:39 PM PDT

As I said before, when you click on "Forgot Password?" some sites will just ask for your email address and, if it matches what is on file, they will email you something. When you forget your password, each site has different means to get you going again. Banks usually have the HIGHEST security as they are governed by the feds. In most cases, they will NEVER be able to send you your password because they can't read it at all. They can only send you a link that will get you onto the site so you can change your password. Usually, you will be using an SSL link (encrypted) to type in your password. If you forgot your password, then you will have to answer security questions. Some are of the type that everyone is commenting on, others may be date of birth, SSN (whole or part) and maybe something else that they have on file. After this, they will mail you a link (not necessarily a temporary password) that will allow you to get in and put in a new password.

Some extra security my bank has are alerts. You can get these by email, SMS or both. These will tell you when your password has been replaced and even if there was a change in your security answers. The idea being, if someone did manage to hack your login, you will find out and call the bank or the bank may even call you if something suspicious is going on. You can try to call them but you won't be able to get them to tell you the security questions nor answers. As you've said, these are all probably sent encrypted (SSL) and are probably kept encrypted (SHA-1?). There is no need for anyone at the bank to know your password nor the answers to security questions. They can ask you questions, including a security question (or two) and they type in the answer you gave them. This is then encrypted and the encrypted answer is compared to the stored encrypted answer. If they match, you are who you say you are. What scares me are these other sites where you click on Forgot Password and they actually send you your password. In clear text no less! What you usually find is that these sites do not have any "regulations" like banks have and there usually is no real need for extra security by the nature of the site.

An interesting thing users might want to check is if there is anything devastating that a hacker can do if they DO somehow get into your account. People should take a look. For example, someone could move money between my accounts. Big deal. There are a few things that I don't use that might be a big deal, such as "bill pay" or "transfer money to another bank customer". That's where you just have to hope that the bank has other ways to protect those operations such as sending you an email with a link for confirmation or other means to catch suspicious activity.

Security Questions and Passwords are NEVER viewed by admin
by theanimaster / July 20, 2012 12:56 PM PDT
In reply to: Works with banks also

Security questions and passwords are NEVER known to admin. There's a little disclaimer that should say this. Otherwise if they are, then I WOULD seriously be concerned!

The reason for these security questions is so that YOU can unlock your account when you forget your password. You and ONLY you. Not even an admin would be able to unlock your account -- unless those fallbacks were put into place, but even these 'fallbacks' don't make use of your security question or passwords -- they're all done by the computer, no human input needed.

Let me try to explain that another way.

When you submit your security question, no one sees this. Not even the admin of the website. They're stored in a (hopefully encrypted) database. So if you forget BOTH your password and security question, not even the (human) admin can unlock it. They just can't SEE your password etc -- if it's encrypted.

Now, IF they're Unencrypted -- which we can't tell for sure unless we email the site owner and ask (and take their word for it) -- THEN they might be able to actually see your answers. But I think there are laws stating that information like this should be encrypted or at least sent encrypted. Not too sure about this, but I know there were some websites that got into trouble for storing their user data in unencrypted form.

Now what is encrypted and unencrypted form? That's a long explanation and involves keys etc. etc. but here's the SIMPLE explanation (again, it's much more than just this): Encrypted answers would look like this: ************** and non-encrypted answers will spell out your password as it is. This is why the admin simply do not see your answers.

So for banking sites, when you fill out a WEB FORM, and banking sites I'm SURE ARE REQUIRED to send and store your info in encrypted form (else they can be sued!) the admin will NEVER be able to see your answers. NEVER. It's encrypted, and only a computer with a 'key' can unencrypt it, and by law only you have the authority to do this.

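Hforman's two posts above ("In General" and "Agree") and theanimaster's reply all turn on the same mechanism: the site keeps a one-way hash of the answer and compares a fresh hash of whatever you type, so staff never see the stored value. Strictly that is hashing rather than encryption (nothing is ever decrypted), and it is worth seeing what it does and does not buy. The following added example, written for this thread and not taken from any bank or poster, stores a record two ways: the unsalted SHA-1 Hforman guesses at, and a salted, stretched PBKDF2 record with a constant-time comparison. A small dictionary attack is then run against both. COMMON_ANSWERS and ITERATIONS are assumptions for the example, and answers are normalised for case and spacing before hashing so the capitalisation problem webserf mentions cannot lock a user out.

```python
"""Server-side storage of security-question answers: one-way hash, compared
on entry, so staff never see the answer. Added example for this thread, not
any bank's code. COMMON_ANSWERS and ITERATIONS are assumptions.
"""
import hashlib
import hmac
import secrets

# Constructed guess list (assumption): the first things an attacker who
# knows the question would try (common surnames, pet names, street names).
COMMON_ANSWERS = ["smith", "johnson", "williams", "brown", "jones",
                  "fluffy", "max", "buddy", "main street", "lincoln high"]

ITERATIONS = 50_000  # PBKDF2 work factor (assumption; raise it in production)


def normalize(answer):
    """Case and whitespace differences should not lock a user out, so both
    storage and verification work on the canonical form."""
    return " ".join(answer.lower().split())


def weak_store(answer):
    """Unsalted SHA-1 of the answer. One-way, so nobody can read it back,
    but equal answers hash equal across all users and a guess costs nothing."""
    return hashlib.sha1(normalize(answer).encode()).hexdigest()


def crack_weak(digest, guesses):
    """Dictionary attack on a weak record: rebuild each candidate's hash."""
    for guess in guesses:
        if weak_store(guess) == digest:
            return normalize(guess)
    return None


def store_answer(answer, iterations=ITERATIONS):
    """Salted, stretched record. A random per-record salt defeats precomputed
    tables; the work factor makes each guess cost milliseconds, not nanoseconds."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt,
                             iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_answer(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_stored(stored, guesses):
    """The same dictionary against the hardened record. It still succeeds for
    a guessable answer: hashing protects against readers of the database,
    not against an attacker who can simply guess the real fact."""
    for guess in guesses:
        if verify_answer(stored, guess):
            return normalize(guess)
    return None


if __name__ == "__main__":
    weak = weak_store("Smith")
    print("weak record:", weak, "-> cracked:", crack_weak(weak, COMMON_ANSWERS))
    real = store_answer("Smith")
    print("hardened record, real maiden name -> cracked:",
          crack_stored(real, COMMON_ANSWERS))
    fake = store_answer("ChocolateBlanketSomeday")
    print("hardened record, made-up answer   -> cracked:",
          crack_stored(fake, COMMON_ANSWERS))
```

The run shows the two halves of the thread's argument at once. Hashing, even the hardened form, only keeps employees and database thieves from reading the answer; a real maiden name falls to ten guesses either way. What survives the dictionary is the made-up answer, which is the posters' point: the server's hashing is necessary but it is the fake, unguessable answer that actually protects the account.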
@theanimaster ... you trust banks, etc., far too much!
by CKinVA / July 23, 2012 7:33 AM PDT

There are many commercial sites (I'm sure including some banks) that have old systems that do not have sensitive data encrypted (i.e.: passwords much less responses to the associated security questions). Banking regulations are consistently ignored and/or the software implementation has quite possibly been delayed or is flawed.

I have been in the IT industry for 40+ years and know of many (old & new) systems that are flawed in both data storage (i.e.: lack of encryption) and in website security (i.e.: poor sql injection defenses). And then there is always the #1 problem ... human error!

Never ever ASSUME something on the web (or in any database) is secure. Even extremely "secure" sites like US military, Iranian nuclear software, etc, have all been hacked/compromised.

My experience
by Draeconix / July 20, 2012 2:45 PM PDT
In reply to: Works with banks also

I tend to give false answers. It is usually a phrase rather than a one word answer and contains a number. I treat the security question answer a lot like a password so the more complex I can make it the harder it is to guess. So I guess you could give them the real information but instead of saying "Grapefruit" as above say "My mother's maiden name was Grapefruit." assuming Grapefruit was her real name. A long answer to remember but not that hard either. There is talk of making your passwords a pass phrase too. We haven't got there yet but I am sure someone is using it for highly sensitive information. You could also go and create a complex password with numbers, letters, symbols, etc. and use that as your answer.

My biggest annoyance is when the website asks for 2 or 3 security questions and I need 2 or 3 different answers. I have only found one or two websites like that and they were both financial sites. Speaking of financial sites, there was one I use that asked the security questions and I HAD to give them the correct information but 99% of all the websites that use security questions don't care what your response is, just as long as it matches when you go to use them.

Questions too conventional
by saunj227 / August 4, 2012 10:51 AM PDT
In reply to: My experience

I don't know how the answers could be checked anyway,
I have been given a choice of 7 questions and none applied to me: My parents are long gone, so why should I remember their birthdays, and they never told me where they were born. I have no nephews or nieces. I never had a pet. I grew up in the UK, so I did not go to high school. I was born in one of those English towns with a weird hyphenated name that can be written several ways, etc.
So I have to make up answers anyway. It's annoying.

Pretty freakin' funny
by Ed.E / July 20, 2012 12:24 PM PDT
In reply to: Security Questions

Of course this was great advice, but the 'grapefruit' thing; I was cracking up for hours. Thanks for the comic relief.

Security Question
by mjrehg / July 20, 2012 1:51 PM PDT
In reply to: Security Questions

I agree, and always use the same answer for any "security" question, but sometimes the website recognizes that you have used the same answer for all 3 questions, and I have not found a way to get around that.

Not necessarily false answers.
by melvin_m / July 20, 2012 1:56 PM PDT
In reply to: Security Questions

My favourite is Father's Middle Name = "Not applicable" (he didn't have a middle name) or friend's name or pet's name = "I forget"

Hacker's Dream : Grapefruit
by Mysterystevenson / July 22, 2012 2:21 AM PDT
In reply to: Security Questions
Grapefruit, just Grapefruit.
That is the #1 answer on cnet for security questions. 20 thumbs up.
Grapefruit.

I lie

Early on, I noticed that some of the questions were vague enough that I could have more than one legitimate answer. That was before I started to question whether it was a good idea to entrust those answers to sites I didn't know. For the most part, I am not overly concerned about larger, more well-known sites, but one never knows how well information is protected on any site. That's one reason why I lie. I've found it's best to have a consistent lie, so it's something that's easily remembered without resorting to writing down the answer. Generally, you will find that there are several questions that appear on every site.

However, if you do feel you need to write down the answer, try instead to write down a hint about the answer, or at least don't include the question. Leave enough info that you know what the information you've written means, but nobody else does.

security questions: Strong password is a good start

Hi,


You're right: Leaving personal information on the internet (family, work, school, place of birth, etc.) IS a huge security risk. AND, you are often asked to provide your full postal address, for example: eBay, PayPal, eBanks, eCommerce, etc.!

I find that the best protection is a STRONG password (not 'rover' or 'password'!), but a MIX of numbers, letters AND punctuation (which is often not accepted!). That's your first line of defence. Then, be careful where you leave your real postal address.

Hope that helps

It's even harder to avoid these now

About a year ago financial institution regulators made the security requirements much tighter for Internet Banking sites that allow "high risk" transactions like bill pay and account to account transfers, like from your checking to Fidelity to make an IRA deposit. The questions now must be much more personally oriented, making them much harder for hackers to guess and that you are unlikely to see repeated. You may not be seeing these just yet, but that's because it takes a while to get these changes implemented.

Bill
