Spyware, viruses, & security forum: Am I only the one who has concerns over those "security questions" on Web sites?

we are stuck between a rock and a hard place.

We can refuse to use such sites if we wish to avoid having to answer security questions and go elsewhere, but if we really need to use such a web site then we must abide by their processes. There is no way around it.

I 'do' use false questions/answers and have done for some time now. Yes it is a pain having to write them down, but I accept that.

As to the reason for the questions themselves, we only have to look at the breaches and vulnerabilities to see why even more security measures are required.

Mark

ALWAYS write your own questions if you can but NEVER give any real information. Use "code" or or answers that are so obscure or wrong that no one would or could guess them for example(s)...

What is your favorite month of the year?
ANSWER: "Chocolate"
What is your favorite Day of the week?
ANSWER: "Someday"
What is your favorite color?
ANSWER: "Blanket"

Remember, when you write your own questions, the "system" allows most any number or syntax as your "answer".

But, if you HAVE to use their set questions, you might be limited in what kind of answers you ca use, for example, if a question asks what year you graduated, you might not be able to put a arbitrary answer in there, for example, letters.
Here are some examples of how I might set up "security" questions/answers on a website..

What was the name of your favorite Teacher in grade school?
ANSWER: "Ms. Nobody"
What is your mother's maiden name?
ANSWER: Noneofyourbusiness
What street did you grow up on?
ANSWER: NoStreet (or anything BUT your real street)
What high school did you graduate from?
ANSWER: NoSchool High
What is your pet's name?
ANSWER: My Pet
What year did you graduate?
ANSWER: 1800

Also remember to have some consistency in whether you CAPITALIZE the first letter of your answers because this is a factor with some systems, so find a "system" or "code" that works for you.
Finally:,
The Key is to remember the answers, code, and/or methods you set up for your questions/answers and use answers that are so out there, that no one would/could guess them and never, ever give your real information when it's not truly necessary..

you can easily make profiles to fill generic questions like that, and make them completely fake. LastPass will encrypt the information for you, so even if you use the real name, at least a keylogger can't detect it, and what is in the hard drive is encrypted for your safety.

Yes, that's what I would like to state. I will refuse to answer security questions

do you spend a lot of time browsing sites that you dont want to be on for some reason or another. The counter argument to what you say is that maybe you spend too much time visiting sites that do not protect you. The one however that does annoy me is forum sites where I really dont see the security as so necessary. OK someone could post using your name but since it is easy enough to set up an account with anyones name anyway - it seems a litle pointless. Catchpa's are becoming necessary simply because the spammers take over anywhere that doesnt have them. However there are good and bad of these- I have seen some which ask you do a simple sum or quote the next letter in sequence and the like - this are great but some of the ones with jumbled distorted characters often take several attempt so get them right.

The "Answer" to a security question does NOT have to be "Correct." Nor does it even have to relate to the question. In fact you can even use the SAME ANSWER to all security questions. Something like "What is your mother's maiden name?" Answer = "Grapefruit." Or "What was your first pet's name?" Answer = "Grapefruit." Get the idea? All it has to do is match what you put down for the answer. You could even use a number in place of a word. So quit worrying about privacy and move on. LOL....unless you really DID have a mother who's family name was grapefruit and you named your first pet after her....!!

Giving incorrect answers to banks works also. Have been doing it for years. No one at the bank is going to look to see if your answer is correct - hell they don't even check signatures on checks anymore.

It s just one of the ways they use to try and protect your info and cover their butts.

I provide false answers but not alsways the same one. If they ask for my Mother's name I give them my Great-Grandmother's maiden name (not easily found). If they ask for my first car I reply with the first car I totalled (had a wild youth).

With some websites, if you forget a password, you can click on "Forgot Password?" and then put in your email address and they will actually email you the password. This is terrible because the email isn't encrypted (suppose you have a fellow employee checking your email while you are on vacation, or someone has hacked into the email somewhere). Also, that means the employees at the offices of the web site can read your password. In other words, the password is stored in plain text.

Most high-security organizations like banks, have to conform to Federal standards at a minimum. In my bank and many other sites I use, the password AND the security question answers are encrypted so the employees cannot see these. I doubt seriously that they can compare the answers even if they wanted to. Why do they ask you for your mother's maiden name? Is it really something important to your account? It usually is just for security. Before online banking, it would be used for when you called up about your account (customer service: need more checks? Need a higher limit on your credi card? Checking balance?).

Why don't they see what your answers are? Because, even with checking out employees, it is easy to pick up one with financial troubles .... As working in the area of security for a county government, we had to send a list of social security numbers to a mobile provider for more information. We had to do one-way (SHA1) encryption. That is, nobody can decrypt the encrypted form. So, how do they check out one-way encrypted data? They take all the information they have on file and encrypt that data. Then they compare the item you are looking at in its encrypted form with their files looking for a match. That way, nobody sees the actual data.

I think that this is probably what companies use for either your security answers or the password. When you tell them you forgot your password, they don't send it to you but they send you a LINK to a page that will ask questions to verify your identity and then they allow you to reset your password.

But, how do you know what the security method is at your bank? Two ways: Look it up on their website either in Terms of Service or a security link. Otherwise, you can simply call them on their customer service and ask. Your bank shouldn't lie to you.

AnthonyNYC may be correct about banks checking signitures on checks. I wrote a check once, when I changed the first letter of my first name from a cursive letter to a print letter--this was only on my first name, and only on the first letter! The check was returned to me to verify that it was not forged. I was stunned. I don't know how they do it, but they must have some sort of machine that verifies them.

As I said before, when you click on "Forgot Password?" some sites will just ask for your email address and, if it matches what is on file, they will email you something. When you forget your password, each site has different means to get you going again. Banks usually have the HIGHEST security as they are governed by the feds. In most cases, they will NEVER be able to send you your password because they can't read it at all. They can only send you a link that will get you onto the site so you can change your password. Usually, you will be using an SSL link (encrypted) to type in your password. If you forgot your password, then you will have to answer security questions. Some are of the type that everyone is commenting on, others may be date of birth, SSN (whole or part) and maybe something else that they have on file. After this, they will mail you a link (not necessarily a temporary password) that will allow you to get in and put in a new password.

Some extra security my bank has are alerts. You can get these by email, SMS or both. These will tell you when your password has been replaced and even if there was a change in your security answers. The idea being, if someone did manage to hack your login, you will find out and call the bank or the bank may even call you if something suspicious is going on. You can try to call them but you won't be able to get them to tell you the security questions nor answers. As you've said, these are all probably sent encrypted (SSL) and are probably kept encrypted (SHA-1?). There is no need for anyone at the bank to know your password nor the answers to security questions. They can ask you questions, including a security question (or two) and they they type in the answer you gave them. This is then encrypted and the encrpted answer is compared to the stored encrpted answer. If they match, you are who you say you are. What scares me are these other sites where you click on Forgot Password and they actually send you your password. In clear text no less! What you usually find is that these sites do not have any "regulations" like banks have and there usually is no real need for extra securtiy by the nature of the site.

An interesting thing users might want to check is if there is anything devastating that a hacker can do if they DO somehow get into your account. People should take a look. For example, someone could move money between my accounts. Big deal. There are a few things that I don't use that might be a big deal, such as "bill pay" or "transfer money to another bank customer". Thats where you just have to hope that the bank has other ways to protect those operations such as sending you an email with a link for confirmation or other means to catch suspicious activity.

There are many commercial sites (I'm sure including some banks) that have old systems that do not have sensitive data encrypted (i.e.: passwords much less responses to the associated security questions). Banking regulations are consistantly ignored and/or the software implementation has quite possibly been delayed or is flawed.

I have been in the IT industry for 40+ years and know of many (old & new) systems that are flawed in both data storage (i.e.: lack of encryption) and in website security (i.e.: poor sql injection defenses). And then there is always the #1 problem ... human error!

Never ever ASSUME something on the web (or in any database) is secure. Even extreamly "secure" sites like US military, Iranian nuclear software, etc, have all been hacked/compromised.

I don't know how the answers could be checked anyway,
I have been given a choice of 7 questions and none applied to me: My parents are long gone, so why should I remember their birthdays, and they never told me where they were born. I have no nethews r nieces. I never had a pet. I grew up in the UK, so I did nit go to high school. I was born in one of those English towns with a weird hyphenated name that can be written several ways, etc.
So I have to make up answers anyway. It's annoying.

I agree, and always use the same answer for any "security" question, but sometimes the website recognizes that you have used the same answer for all 3 questions, and I have not found a way to get around that.

Grapefruit, just Grapefruit.
That is the #1 answer on cnet for security questions. 20 thumbs up.
Grapefruit.

Hi,


You're right: Leaving personal information on the internet (family, work, school, place of birth, etc.) IS a huge security risk. AND, you are often asked to provide your full postal address, for example: eBay, PayPal, eBanks, eCommerce, etc.!

I find that the best protection is a STRONG password (not 'rover' or 'password'!), but a MIX of numbers, letters AND punctuation (which is often not accepted!). That's your first line of defence. Then, be careful where you leave your real postal address.

Hope that helps