If you aren’t famous enough to be a target, you may still be a victim of a mass data breach. Whereas passwords are usually stored in hashed or encrypted form, answers to security questions are often stored — and therefore stolen — in plain text, as users entered them. This was the case in the 2015 breach of the extramarital encounters site Ashley Madison, which affected 32 million users, and in some of the Yahoo breaches, disclosed over the past year and a half, which affected all of its three billion accounts.
The Equifax breach this year may have revealed some users’ security questions and answers outright, and it certainly gave thieves enough personal information to answer common questions. TransUnion evidently did not heed this warning: Users wishing to freeze their credit files in the wake of the Equifax breach have to create an account, and to do so they must choose a security question, such as “What city were you born in?”
According to Troy Hunt, a cybersecurity expert, organizations continue to use security questions because they are easy to set up technically, and easy for users. “If you ask someone their favorite color, that’s not a drama,” Mr. Hunt said. “They’ll be able to give you a straight answer. If you say, ‘Hey, please download this authenticator app and point the camera at a QR code on the screen,’ you’re starting to lose people.” Some organizations have made a risk-based decision to retain this relatively weak security measure, often letting users opt for it over two-factor authentication, in the interest of getting people signed up.
Security questions ask for something you know about yourself, and to be even moderately secure, they should ask for something only you know. It’s exceedingly difficult to design questions that do this. Many security questions ask for biographical information that is publicly available, whether in open records or via social media: where you were married, your first phone number, your paternal grandfather’s middle name.
Aside from these questions’ vulnerability to a little research (to say nothing of nosy parents or malicious exes), none of them are relevant to all adults. How many of us can answer the premillennial “What city were you in to celebrate the year 2000?” or “What year did you take out your first mortgage?” And how many Indian- or Brazilian-born users went to a high school without a mascot, or grew up on a street with no name? How many of our mothers never changed their names?
The other main type of security question asks for a subjective answer. Such questions imagine lives punctuated by distinct firsts and bests and filled with enduring favorites, but favorites and bests and even firsts can change when people maintain accounts for decades. At some point, both factual and subjective security questions become archaeological. “In what month did you meet your significant other?” requires a framing question: Whom were you with when you set up this account?
A 2015 study by Google engineers found that only 47 percent of people could remember what they put down as their favorite food a year earlier — and that hackers were able to guess the food nearly 20 percent of the time, with Americans’ most common answer being pizza. (Google has been phasing out security questions in recent years.) Even when people remember their answers, they sometimes forget their precise form. This hazard has prompted some websites to offer a fixed set of answers. To “What is your favorite type of reading?” United Airlines offers a pull-down menu with 19 options, including blogs, cookbooks, professional development and self-help, but nothing like literary fiction (the death of the novel?).
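As an added illustration that is not part of the column or of any site it names: a Python sketch of the two points above, storing security answers as salted, slow hashes rather than in plain text (so a breached table does not hand the answers out verbatim, as in the Ashley Madison case), and normalizing answers before hashing so a user who remembers the fact but not its precise form still gets in. The function names, the iteration count and the "false answer" length are my own assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string
import unicodedata


def normalize_answer(answer: str) -> str:
    """Fold case and drop spaces/punctuation so "Pizza!", " pizza " and
    "PIZZA" verify as the same answer. Non-Latin letters are kept, so a
    city name in Portuguese or Hindi survives normalization."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def hash_answer(answer: str, iterations: int = 200_000) -> dict:
    """Store a per-record random salt and a PBKDF2-SHA256 digest of the
    normalized answer. Nothing recoverable as plain text is written."""
    salt = os.urandom(16)  # fresh salt per answer, so equal answers differ on disk
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def random_answer(length: int = 20) -> str:
    """The column's workaround from the user's side: a random string to paste
    into the answer field and keep in a password manager. 20 characters from
    a 62-symbol alphabet is roughly 119 bits, far beyond "pizza"."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    stored = hash_answer("Pizza!")          # what the site keeps
    print(stored)                           # salt, iterations, hex digest only
    print(verify_answer(stored, " pizza ")) # True: form differs, fact matches
    print(verify_answer(stored, "pasta"))   # False
    print(random_answer())                  # a "false answer" for a manager
```

Hashing does not make a guessable answer unguessable: a 20 percent hit rate for "pizza" survives PBKDF2, which is why the random-answer workaround still matters.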
As long as security questions are going to be used, professional consensus holds, they should have many possible answers, and each of those possible answers should be simple, stable, memorable and not easily researched or guessed. But questions that are sufficiently general to apply to most people almost never fulfill these requirements: “What is your favorite season?” “What is your favorite fabric?” “Who is your favorite person in history?”
Even exceptions that look good at first fall short. “What is the last name of the teacher who gave you your first failing grade?” includes an assumption about academic records; strangely, it appears on the LSAT registration website, whose users’ transcripts are likely to be too unblemished to furnish an answer. “What was the name of the boy/girl you had your second kiss with?” is impossible in its Proustian hyperspecificity. Then there’s the State Bank of India’s vertiginous “What is the website that you rarely visit?” which reads like a Zen koan whose purpose is to make you reflect on the unknowability of the answer.
What would a truly powerful security question be? The ideal is a science-fiction scenario where your future self calls your past self, and your past self asks your future self to prove it’s you. When given the chance to write their own questions, though, most people choose not an intimate secret but something more like “1+1=?”
The temporary solution, Mr. Hunt says, is to create false answers and to keep them somewhere safe, whether in a password manager (which can generate and store a random string for each answer field) or even on a piece of paper. Security questions pit “usability against security,” said Mr. Schneier, the cryptology and security expert, and the former usually wins.
Security questions are premised on a paradox: Our experiences are at once universal and particular to us. Yet it seems we are all lazy in exactly the same way.