Don’t Compromise Your Security for the Sake of Nostalgia

Satirical image of old radio with "Do you remember your childhood Social Security Number?" superimposed.

Lately I’ve noticed a certain type of post circulating on social networks. I don’t know if they have a name, but they generally appeal to a sense of nostalgia. There will be an image of an old telephone with the question, “Do you remember your childhood telephone number?” Another one asks which movie you love that you’ve seen over and over. And people dutifully post their responses to these questions as comments on the post.

Now, here’s the issue: there is a thing called “Knowledge-Based Authentication” (KBA). It is a deeply flawed but still very common online security practice that asks the user to answer a series of multiple-choice questions that supposedly only he or she would know the answer to. Several of the major credit bureaus use it when you place a freeze on your credit through their websites. So you might get a question like:

Which of the following phone numbers have you been associated with?

a. 417-555-3456
b. 322-555-4632
c. 322-555-0989
d. 786-555-3674
e. None of the above

If you responded to a Facebook post about your phone number growing up, there is a small chance you have just put one of your KBA answers out on the public internet.

What about that “movie you’ve seen over and over” question? Have you ever logged into an online account and had to create answers to security questions? These are designed as a line of defense against unauthorized login attempts; if a login from a different computer or location is detected, it will trigger the security questions and prevent further access if they are answered incorrectly.

“What is your favorite movie?” is definitely the type of security question that could be used by a website, and if there’s a movie you’ve seen many times, chances are it’s your favorite. If you answered the post, you may have revealed the answer to one of your security questions to the world. Several celebrities have had their Twitter accounts hacked because they used real, easy-to-find-out answers for their security questions.

Of course, these tiny pieces of information are simply pieces, not the whole puzzle. But the more puzzle pieces are in place, the more you begin to see the whole picture. The less information you put out there, the better – you don’t owe the internet anything. Think before you post any personal information online, even if it seems innocuous or silly on the surface. Anything you reveal can be used against you.