So what did you do?
by gernotg - 7/21/12 1:30 PM
In Reply to: A case in point by orca99usa
Thank you for sharing this experience. It proves my point that the security questions are in fact a security risk, and nothing more. No matter how secure your password is, if someone can reset it or circumvent it by guessing answers to your security questions, it's worthless.
Many users here have shared their own methods of making security questions in fact secure, which involve lying about them, creating pass phrases and extracting letters, making up random gibberish and using encryption to store this information and keep it somewhat safe, and many more good ideas. But these people are computer savvy and know what they're doing.
Most users will probably do what I did: The first couple of times they answer honestly, then they get fed up and answer "none", "none of your business", "n/a", "leave me alone!!!", "mind your own business" and such, before eventually figuring out that both kinds of answers are completely insecure and coming up with better ideas. (No, I didn't actually use any of the above phrases anywhere, so don't bother trying them...)
Some users suggested that trustworthy sites would use one way encryption to store the security answers; let me tell you that that's not the case. I've been asked the security questions that I picked online several times when I called different financial institutions over the phone, so they are obviously stored in plain text somewhere even in supposedly trustworthy places. And since the questions are far from unique, this means that if one such site gets hacked, the hackers will obtain security questions for thousands of users that will provide them access to those users' accounts on other websites.
My point is that less savvy internet users, folks who maybe never signed up for more than a few sites that collect this information, are being misled by these sites - under the guise of making their accounts more secure - into creating a security risk. The sites ask personal questions that can possibly be researched or have one-word answers that can easily be hacked with a dictionary-style attack, and the sites don't provide any advice on how to make these answers secure. Some users suggested that it wasn't worth the hacker's time to hack into individual accounts, but that's up to the hacker to decide. In your case, the hacker obviously had a grudge against you that made it worth his time to inconvenience you.
I think that the correct way of providing security would be something like this:
- All sites should encourage users to create secure passwords that are not shared with other sites.
- Sites that don't have access to any financial information, such as forums, can simply email you a password-reset link if you forget your password. Of course your old password should never be revealed, and on a trustworthy site would be stored in such a way that it can't be revealed.
- Online shopping sites should also let you reset your password the same way, but delete any credit card information if your password is reset.
- Your email provider should not allow you to reset your password by sending it to an alternate email address; this is just another security risk, as it means that if one of your email accounts gets hacked, the other one will be as well. Instead, they should provide a way for you to request password-reset information to be mailed to your postal address or possibly sent to your phone (although this may also be insecure if you lose your phone).
- Your financial institutions should only allow you to reset your password by sending you reset instructions to your postal address, or if you go to a branch office in person. In addition, they should use an iTAN/mTAN system to protect your online transactions.
In any case, "security questions" might be a legitimate way to provide an extra level of security, but not to reset your password! You should never be allowed to circumvent your password by answering these questions. That's like demanding that the users choose their userid or email address as their password.
So, what did you do? Did you make any claims against your email provider for opening up your account to this kind of attack? Is your email provider still using these questions?
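As an added example, not part of gernotg's post or of any site's actual code, the following Python sketch shows what the reset flow argued for above looks like when done the way the post describes: the password is stored only as a salted slow hash so it can never be revealed; the e-mailed reset link carries a random token of which the server keeps only a hash; the token expires and is single-use; and stored card data is wiped whenever the password is reset (the post's point for shopping sites). It also shows what "one-way encryption" of a security answer means in practice, which is what the post says trustworthy sites evidently do not do. The `Account` class, the 15-minute expiry, the PBKDF2 iteration count and the sample account values are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed policy values (not from the post): reset links die after 15 minutes,
# PBKDF2-HMAC-SHA256 with 600k iterations as the slow hash.
TOKEN_TTL_SECONDS = 15 * 60
KDF_ITERATIONS = 600_000


@dataclass
class Account:
    email: str
    password_hash: str
    card_token: Optional[str] = None        # hypothetical stored payment reference
    answer_hash: Optional[str] = None       # security answer, stored one-way only
    reset_token_hash: Optional[str] = None  # hash of the outstanding reset token, if any
    reset_expires_at: float = 0.0


def _kdf(secret: str, salt: Optional[bytes] = None) -> str:
    """Salted slow hash; the stored form never lets anyone recover the secret."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, KDF_ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${dk.hex()}"


def _kdf_verify(stored: str, secret: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), KDF_ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def hash_password(password: str) -> str:
    return _kdf(password)


def verify_password(acct: Account, password: str) -> bool:
    return _kdf_verify(acct.password_hash, password)


def hash_answer(answer: str) -> str:
    """Normalize (case, surrounding whitespace) so the answer can be hashed yet still match.
    Hashing does not make a one-word answer strong; it only stops a database leak from
    exposing the answers in clear text."""
    return _kdf(" ".join(answer.strip().lower().split()))


def verify_answer(stored: str, answer: str) -> bool:
    return _kdf_verify(stored, " ".join(answer.strip().lower().split()))


def issue_reset_token(acct: Account, now: float) -> str:
    """Create the secret that goes into the e-mailed link; only its SHA-256 is kept server-side."""
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode("ascii")).hexdigest()
    acct.reset_expires_at = now + TOKEN_TTL_SECONDS
    return token


def redeem_reset_token(acct: Account, token: str, new_password: str, now: float) -> bool:
    """Time-limited, single-use redemption. On success the password is replaced and any
    stored card reference is deleted, as the post proposes for shopping sites."""
    if acct.reset_token_hash is None or now > acct.reset_expires_at:
        return False
    presented = hashlib.sha256(token.encode("ascii")).hexdigest()
    if not hmac.compare_digest(presented, acct.reset_token_hash):
        return False  # wrong token: nothing is consumed or changed
    acct.password_hash = hash_password(new_password)
    acct.card_token = None
    acct.reset_token_hash = None  # burn the token so the same link cannot be replayed
    acct.reset_expires_at = 0.0
    return True


if __name__ == "__main__":
    # Constructed sample account, not real data.
    acct = Account(email="user@example.test", password_hash=hash_password("old-pw"),
                   card_token="card_ref_constructed", answer_hash=hash_answer("Fluffy"))
    t0 = 1_000_000.0
    link_token = issue_reset_token(acct, t0)
    print("stored hash equals token?", acct.reset_token_hash == link_token)
    print("redeem:", redeem_reset_token(acct, link_token, "new-pw", t0 + 60))
    print("card wiped:", acct.card_token is None, "replay:", redeem_reset_token(acct, link_token, "x", t0 + 61))
```

Note that the answer hash in this sketch is deliberately not part of `redeem_reset_token`: the token from the e-mailed link is the only thing that authorizes the reset, so a guessed security answer cannot bypass the password, which is the separation the post insists on.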