Columnist asked researchers what they could find out from just his cell number (nytimes.com)
143 points by sneeze-slayer on Aug 15, 2019 | hide | past | favorite | 111 comments


> A hacker could try to reset my password for an online account by answering security questions like “What is your mother’s maiden name?” or “Which of the previous addresses did you live at?”

That's why you don't answer those questions honestly. My mother's maiden name is always a random 32 character string living in my KeePass database...


I'm not sure that's any safer. It should protect you from the automated prompt-response systems, where an absolute match is required. But call-center workers see those answers in plaintext. Eventually an attacker will probably reach one where answering, "It's a lot of random letters and numbers. I forgot what they were but the real name is Smith!" will be enough to pass.


So what's your solution? You have to put in something, and putting in the real maiden name seems like the worse option to me. Social engineering is going to be the weakest point no matter what you do, so I don't see how anything you do could defend against it and why you should account for it if there isn't anything you can do.


I use nonsense terms which are easily readable. Mother's maiden name: Lady of Amberly, first maid of countess Blue, inheritor of the golden bull.


Putting an actual name in there is probably a lot safer than anything that might be described by a human as "just some gibberish". Pick an uncommon name, maybe from another country, maybe spell it in a different way, as long as it's still recognizable as a plausible name. Most operators wouldn't fall for it if the attacker says "just some random characters". The important part is to not reuse the name between registrations.

Combine this with similar unique answers to other questions and the chances of someone guessing them all become really small.

One thing I never tried is to just put something like Anyone_trying_to_reset_this_password_is_a_hacker_DQWIqw12E^1&UTFD@&$. Might be an inconvenience if you actually need to reset yourself.


How about "Make_sure_the_person_says_this_exactly_AB2hyiL3BTlJptJQh5KnINqSfxfY2J3Mj"


If you use any kind of name you run the risk of it being guessed. Use a passphrase generator to get something completely random and easy to say over the phone.


There are thousands if not millions of possible names you could use. As long as you don't use something very common, you should be okay.


I like the historical characters reference.

Personally I include many literary/media characters. Even my name on this site.


go on...


Antonius Block is the knight who plays chess with death in the Seventh Seal.


Seems like a randomly selected fake name and fake address would work.


I always use valid but fictitious names. For example my mother's maiden name could be Roberts or my first car could be Chevy. Of course I use different and more obscure answers on different websites and save them all in a password manager.


> So what's your solution? You have to put in something, and putting in the real maiden name seems like the worse option to me.

Instead of a gibberish generator (à la password managers' default generated passwords), use a _word generator_. Something like "correct horse battery staple" except, you know, not the popular words.

Then, of course, make sure to include those secrets in your password manager.


> I forgot what they were but the real name is Smith!" will be enough to pass.

How would the call center know if your mother's maiden name is actually Smith if you never answered the question honestly?

I could see the "It's a lot of random letters and numbers" response working by itself though.


A few years back I cashed in the residue of a UK ISA (remaining balance just £1.50, but local tax laws forced it to be closed). No longer being in Blighty, it transpired this would be a serious posterial pain involving sending certified passport copies to validate signatures, etc., but their helpful man on the phone explained I could skip all that simply by registering for their internet banking access, then log in and transfer the investment funds to wherever I liked. So off I toddled and, being in a hurry and not overly concerned about the risk that some miscreant might steal my half-a-cup-of-coffee's worth, I pasted "sasquatch" into all the security question prompts. Clickety-click, done, now to close the account... "Please phone our banking service team for this request"

"Hello Mr Thombat, I can see your account number but first I just have to ask you some security questions...what was your grandfather's occupation?"

"Sasquatch"

"That's fine ... now what was the name of your first school?"

"(nervous giggle) Sasquatch"

"Ahhh...and what was your first pet's name?"

"Sasquatch, too. I mean too as in also, not two as in the number...I really didn't expect I'd be telling these to a person, it was just a nice word to say..."

He kindly overlooked my embarrassed tittering, didn't go all jobsworth about this horrific breach of security best practice, nor yet accuse me of lying to one of Her Majesty's civil servants for pecuniary advantage. And (in my defense) no amount of dumpster diving or Facebook scraping would have revealed my family's secret shame that grandpa used to roam the American woods in a monkey suit.


They wouldn’t, of course, but it’s painting the caller in a human light that call center employees may empathize with.


This statement confuses me, what are you proposing the call center employee empathize with me over? The reason I'm even calling, or the authentication and account verification answers and random bits of string that I enter into my account when signing up?


"You" in this case are a hacker / social engineer trying to break into someone's account. If your target puts gibberish as the answer to that question, here's how the conversation will go:

Operator: What is your mother's maiden name?

Hacker: Smith (let's say this is the real name, gleaned from public records)

Operator: That's not what I have here

Hacker: Oh, you know what, I think I just put gibberish when I signed up. I thought that would add some extra security, but I forgot what I wrote, ha ha, joke's on me. The real name is Smith though.

Operator: Story checks out, I'm giving you access to the account now.


or

Operator: Story checks out, I'm going to reset it to "Smith" for you.


Right now that really isn't a risk as very few people do this, so it would be a waste of time for a hacker to try this over testing relative's names.


Except OP just admitted to using this scheme on a public forum, so they are now essentially compromised.

It's security through obscurity, with a bonus that the people who use this technique can't seem to keep quiet about it so it's not even obscurity.


Security questions aren't really that secure anyway. A "real" hacker could just pretend to be helping out a friend after a debilitating accident and ask for everything to be reset.


Exactly, or the "crying baby/stressed out parent" example that made the rounds a few years ago. Hackers don't need to monitor every public comment you make, just trick 1 minimum wage call center worker for 5 minutes.


The answer could be: "Don't allow answering anything but this exact sequence of words: " then followed by a string of words.


Perhaps we need a reset contact whom they can call to confirm with a real human.


Like with nearly any topic on HN, an xkcd comic [0] comes to mind.

[0] https://xkcd.com/2176/


Until someone calls you out and says you're an imposter because your mother's maiden name is really XXXXXX. Then the imposter files a report against you. The research is done. They know enough about you to take your place and have you thrown out of your own home.


Random dictionary words would solve that issue.


"Oh, yeah... I found that question ridiculous, so I entered some garbage. Anyways, her real name is Smith, if that helps."

Social Engineering.


There is not really a good answer to social engineering, as far as I can tell. For example -- I do my banking with a big, reputable bank most everyone has heard of (and not one of the banks people like to hate) and I've got passwords, two factor authentication, etc. That's all great. And yet, about a year ago my wife's debit card got cloned at a compromised ATM and armed with that information (bank, and name) someone called up the customer service at my bank and asked them to reset the password to our account. According to a security investigation by the bank, it took them six attempts before they found someone who believed their sob story about being stuck in a hospital somewhere with no access to money, etc. Gave them our account login and reset our password for them. The person logged into the web site, transferred a bunch of money from savings into the compromised debit account and started pulling it out as fast as they could. I got instant notifications as they did it but was driving and didn't see them for about 20 minutes, by then the bank had deduced that something was wrong and shut it down, $5K later. Luckily the bank didn't really argue the point, they knew they were totally at fault for letting it happen, but still -- all the security in the world that I tried to use for that account and all it took was one bank employee to negate 100% of it.


Of course, the alternative is that you are actually in a hospital with no access to money, etc. and the bank will unwaveringly stick to a policy that you must show up at a bank office with valid ID or you'll have to wait for a letter to your physical address of record, etc.

Perhaps that's just the way it should go down in a case like this. But there are costs to making the decision to close off the potential for social engineering as thoroughly as possible.


Agree there should be a way, perhaps, to recover from a bad situation.

As a follow-up to my experience, I guess I should expand on the consequences for us. The bank admitted fault, but to protect themselves from a bad employee doing it again in the future, now when we call we have a special voice-only password and PIN, and we have to answer a battery of questions that are clearly pulled from a credit bureau (you know, the types of questions like "You had a mortgage in 2005, what was the street the property was on" and such things. Takes 10 minutes to get to "Thank you sir, how can I help you today" if we ever have to call customer service.

Based on that experience, I think perhaps the bank should make that the answer to recover a deeply lost account. They gave a stranger the credentials to our account -- not just the password, but they had to tell them the login, and disable two-factor authentication (because the login is built from a PIN and RSA code) based on a plea for help. I can see forgetting your password, but who forgets everything? That should be a huge red flag.

I could rant for a long time. I had a pointed discussion with a manager at the bank about how getting five repeated, fruitless requests to change credentials on an account didn't somehow trigger any protective response. How hard would it be to implement a counter that says "okay, after the second attempt to gain access by voice to an account that is denied for lack of authentication, all future calls for this account go directly to the security department for personal attention"? I got no good answer other than a lot of "yes sir, this was completely wrong, sir, I'm sorry, sir" etc.
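The "counter after the second denied attempt" idea from the comment above, worked through as an added example (not code from the thread or from any bank): call-centre authentication events are replayed in order and each call is routed either to a regular agent or to the security desk. The log lines, account ids, the 7-day window and the threshold of 2 are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed call-centre events, not real data:
# timestamp | account id | what the caller asked for | how authentication ended
SAMPLE_LOG = """\
2019-08-10T09:02:11 ACCT-0042 reset_password denied
2019-08-10T09:40:57 ACCT-0042 reset_password denied
2019-08-10T10:15:03 ACCT-0042 reset_password denied
2019-08-10T11:02:44 ACCT-0042 reset_password passed
2019-08-10T11:30:00 ACCT-0042 balance passed
2019-08-11T08:00:00 ACCT-0077 reset_password denied
2019-08-12T09:00:00 ACCT-0077 balance passed
2019-08-18T09:05:00 ACCT-0042 balance passed
"""


@dataclass
class Event:
    ts: datetime
    account: str
    request: str
    outcome: str  # "passed" or "denied"


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated constructed log format above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, request, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), account, request, outcome))
    return events


def route_calls(events: List[Event], threshold: int = 2,
                window: timedelta = timedelta(days=7)) -> List[Tuple]:
    """Decide, call by call, whether an account is still served by a regular agent
    or must be handed to the security desk.

    Denied authentications inside `window` count toward `threshold`; once it is
    reached, every later call on that account is escalated until the old denials
    age out of the window. A later 'passed' result does NOT clear the state: the
    escalation exists precisely for the attempt that finally talks its way through.
    The routing decision for a call is made before that call's own outcome is recorded.
    """
    denials = defaultdict(list)  # account -> timestamps of recent denied attempts
    decisions = []
    for ev in sorted(events, key=lambda e: e.ts):
        recent = [t for t in denials[ev.account] if ev.ts - t <= window]
        denials[ev.account] = recent
        route = "security_desk" if len(recent) >= threshold else "agent"
        decisions.append((ev.ts.isoformat(), ev.account, ev.request, route))
        if ev.outcome == "denied":
            denials[ev.account].append(ev.ts)
    return decisions


def escalated_accounts(decisions: List[Tuple]) -> List[str]:
    """Accounts that were routed to the security desk at least once."""
    return sorted({d[1] for d in decisions if d[3] == "security_desk"})


if __name__ == "__main__":
    for ts, account, request, route in route_calls(parse_log(SAMPLE_LOG)):
        print(f"{ts} {account} {request:15} -> {route}")
    print("escalated:", escalated_accounts(route_calls(parse_log(SAMPLE_LOG))))
```

In the sample, the third call on ACCT-0042 and everything after it for a week goes to the security desk, including the "passed" attempt, while the single denial on ACCT-0077 does not trip the threshold.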


I don't really disagree with any of that. I was just making the point that there are tradeoffs and the nature of those tradeoffs are going to depend on the situation.

Obviously, access to a banking account should have a pretty high bar even if that means some people may well end up in difficult situations where they've lost access to their money and the bank can't/won't do anything about it based on a phone conversation.


Presumably the answer to that is to use a long but plausible random string that sounds like a posh English name like "Saint-John Winsor-Rothschild"


Now I want someone to make a password generator that's just fancy hyphenated names. I can't imagine it would be too hard to make.



Just beware the Falsehoods Programmers Believe about Names: https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-...


This isn't particularly relevant to generating a limited subset of valid names.


Yeah, I misremembered the moral of this list. Ah well, my karmic price has been paid.


That's kinda the opposite side of this issue. No need to worry about it because the generator knows all the names, that listicle is about user-generated input.


That sounds like the right solution to me - it's the "correct horse battery staple" of this problem. I'm going to start using this. 4 names all put together - pronounceable over the phone, visibly viable, and uniquely generated for each instance.


Perhaps something like this?

Q: "What is your mother's maiden name?"

A: "Do not provide access under any circumstances unless this exact key is provided: WEWQEWQ321312"


muffled voice with strong accent, from call center, over long distance VOIP line which should be perfect clarity but mysteriously isn't, loud background noises, crackles

"Sorry I did not hear, but there seems to be a problem with our computer system I am getting an error message instead of a name, please can you call back later".

Screen shows them: "Do not provide access und" 25 character silent truncation.


But that doesn't give me an opportunity to say "Mrs. Sebastian Winifred Campershamp".


There are some quirky name generators elsewhere on the internet. Perhaps you could mash some of the firstname lastname combinations together?


That's my thought. Now we need to get a KeePass extension that does that. It'd be even better if it generated where you went to high school and your first pet's name as well. Though that too could be Mrs. Sebastian Winifred Campershamp.


> Mrs. Sebastian Winifred Campershamp

Definitely more plausible as a pet's name than a maiden name.

   </pedant>


This is a very Corgi name.


"jglksadh3498ygha# and don't accept 'random string of numbers and letters,' that is not me"


I have actually had that experience. Really thought I was clever till the system asking me my secret wasn't a machine at all.


"Do not unlock my account unless I say exactly this" literally.

The bank person was really weirded out when I said it back.


I feel like you can either

a. Have your name tied to your Hackernews profile

b. Have your bank account security question tied to your Hackernews profile

You appear to have done both, which does not seem like an excellent idea.


First, for this vector, they would have to know beforehand that it's random numbers. I don't tell anyone I do this.

I also use a random combination of words instead of just characters; Yellow Mountain Bad Hernia 13

Call center employees will generally think it's my own connotations (if it's school they will think there is a yellow mountain nearby and maybe I had a hernia... words tend to have associations)


I do this, and I actually had to use it for the first time yesterday when calling a credit card company. The rep said "I'll need your security question answer... is this right? It looks like it's just a bunch of numbers and letters?"

Then I confirmed and started reading it out to her, and she hung up on me. I think I should move to correct-horse-battery-staple style in the future.


> I think I should move to correct-horse-battery-staple style in the future.

The KeePass plugin Readable Passphrase Generator[1] is great for generating Diceware[2] passwords/usernames/security question & answers

Source: Found on KeePass plugins page[3]

[1] https://bitbucket.org/ligos/readablepassphrasegenerator/wiki...

[2] https://en.wikipedia.org/wiki/Diceware

[3] https://keepass.info/plugins.html#ppgen
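An added example (not code from the thread, from KeePass or from the Readable Passphrase Generator plugin) covering both the "fancy hyphenated names" generator proposed earlier in the thread and the Diceware-style word answers recommended here. The word and name lists are constructed and deliberately short; the entropy helper shows why the real lists need to be large, and the field-length check addresses the silent-truncation problem mentioned above.

```python
import math
import secrets

# Constructed sample lists. A real deployment would use a Diceware list
# (7776 words) and a large name corpus; these sizes only illustrate the math.
GIVEN_NAMES = ["Amberly", "Winifred", "Sebastian", "Ottoline",
               "Bartholomew", "Rosalind", "Percival", "Theodora"]
SURNAMES = ["Winsor", "Rothschild", "Campershamp", "Ashcombe",
            "Fenwick", "Harrowgate", "Pelham", "Thornbury"]
WORDS = ["correct", "horse", "battery", "staple", "yellow", "mountain",
         "hernia", "sasquatch", "amber", "lantern", "copper", "orchard"]


def entropy_bits(list_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform choices (with replacement)
    from a list of `list_size` entries."""
    return picks * math.log2(list_size)


def name_answer(surname_parts: int = 2) -> str:
    """'Plausible posh name' answer: a given name plus a hyphenated surname.
    Sampled with the OS CSPRNG (secrets), so no seed to recover. Parts are
    drawn with replacement so the entropy_bits() formula applies exactly."""
    given = secrets.choice(GIVEN_NAMES)
    surname = "-".join(secrets.choice(SURNAMES) for _ in range(surname_parts))
    return f"{given} {surname}"


def word_answer(words: int = 4) -> str:
    """Diceware-style answer: independent random words, easy to say on the phone."""
    return " ".join(secrets.choice(WORDS) for _ in range(words))


def answer_entropy(kind: str, n: int) -> float:
    """Bits of entropy for a name answer with n surname parts, or a word answer
    with n words, given the list sizes above."""
    if kind == "name":
        return entropy_bits(len(GIVEN_NAMES), 1) + entropy_bits(len(SURNAMES), n)
    return entropy_bits(len(WORDS), n)


def fits_field(answer: str, max_len: int) -> bool:
    """Some back ends cut the stored answer without warning; check the answer
    fits the field before submitting it, or the operator sees a fragment."""
    return len(answer) <= max_len


if __name__ == "__main__":
    a = name_answer()
    print(a, f"({answer_entropy('name', 2):.1f} bits, fits 25: {fits_field(a, 25)})")
    w = word_answer()
    print(w, f"({answer_entropy('word', 4):.1f} bits, fits 25: {fits_field(w, 25)})")
```

With the eight-entry lists here a two-part name carries only 9 bits; the same construction over a 7776-word list gives about 12.9 bits per word, which is why the list size matters more than the number of parts.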


> I confirmed and started reading it out to her, and she hung up on me.

That's... troubling. I would have called back specifically to complain about that person. That's absurd.


A small bank that I use sold itself to a slightly larger bank a few years ago; one of the things that I appreciated about the old bank was that they made this a "short arbitrary secret" field instead of "mother's maiden name". I had given them two randomly-chosen words, stored in my password manager.

Earlier this year, I opened a new account with the (new) bank and discovered that they already had my mother's maiden name, were going to use it for identity verification, and wouldn't allow me to change it to something arbitrary (even another fake name that I sometimes use). Quite frustrating, this security based on insecure information.


Good idea!

I know this is often asked over the phone, so that'll be a little awkward, especially if using non-alphanumeric characters. Interestingly though, I wonder how easy it is to reset your mother's maiden name to a new name if it got out in the wild.


> that'll be a little awkward

For them, maybe, but I would relish reading each individual character to them in a slow deadpan monotone.


I use a somewhat different system. Each common interview question is mapped to what is effectively an inside joke about my life. Usually something related to the interview question, but the actual keyword is tangentially related in a manner that would be incredibly difficult for an attacker to guess.

This effectively allows using the security question as something that can be more reliably recalled by the user, but largely avoids the security issues of an easy to guess secret.


The reason I don’t store answers to security questions in my database is that it makes it a single point of failure. I want to have some recourse in case my password database is lost or broken into.


I did the exact same thing for my Apple account. Later I found that even if I have access to my email and to my password, they still keep asking for these secret questions I don't remember the answers to.


That’s possible if they asked you these questions in the first place, instead of getting the data from somewhere else.


Sometimes these questions come from a database that knows things about your name already - from which you had no input.


It's even more fun when the database for which you had no input is wrong.


All of the information the "hacker" found using the reporter's cell number could have been found using just the reporter's name and rough location.

It seems strange to me that people's names, addresses, and phone numbers used to be freely distributed in a large book to every house in town, yet now any one of those details can be used to assume someone's "identity." It seems the only thing stopping this from happening en masse is that nobody has tried.


Times change. When I was an undergrad in the 1980s (in the US) my professors would post the results of exams on their office doors labeled by social security number (for "privacy"). Nobody at the time saw a problem with it, although we would today.


As a Swede I don't really see a problem with this; the SSN is publicly available in Sweden to anyone.


As a Swede living in the US, the difference is in Sweden the SSN is your username, in the US it's become the password.


In Sweden, the password is BankId, a two-factor authentication app that everybody has on their phones. It's used by all government agencies, banks and insurance companies etc. to establish identity. You literally use your SSN as username to log in, plus a PIN, to generate a one-time passcode (which happens behind the scenes so you don't have to type it in).


What if you don’t have a phone?


Not a Swede, but we have a similar system in Norway. If you don't have a phone you can get this little device with a 7-segment display and a button that generates one-time authentication codes.


I know when you make an account with Nordea, they give you a page with several hundred codes printed on it. Each time you authenticate, you have to use the next code in the list. If you use any other code on the page, it's considered invalid. They instruct you not to mark the page so if someone takes your code page they do not know which one is the current code.
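The "only the next code on the sheet is valid" rule described above, written out as an added example of the bank-side check (not code from the thread or from Nordea). It assumes six-digit numeric codes, keeps only hashes of the codes server-side, and the sheet used in the demo is constructed.

```python
import hashlib
import hmac
import secrets
from typing import List


def generate_sheet(n: int = 100, digits: int = 6) -> List[str]:
    """Produce the printed sheet: n numeric codes drawn from the OS CSPRNG.
    Assumption for this example: six-digit codes, zero-padded."""
    upper = 10 ** digits
    return [f"{secrets.randbelow(upper):0{digits}d}" for _ in range(n)]


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode("utf-8")).digest()


class CodeSheetVerifier:
    """Bank-side state for one customer's sheet.

    The server remembers the position of the next expected code. Exactly that
    code is accepted; codes already used (replay) and codes further down the
    sheet (skipping ahead) are both rejected, matching the thread's description.
    Storing digests rather than the codes limits what a database leak exposes
    (a hardening choice of this example, not something the comment describes).
    """

    def __init__(self, codes: List[str]):
        self._hashes = [_digest(c) for c in codes]
        self._next = 0

    @property
    def position(self) -> int:
        """Index of the next code the server will accept."""
        return self._next

    def exhausted(self) -> bool:
        """True once every code has been consumed; the customer needs a new sheet."""
        return self._next >= len(self._hashes)

    def verify(self, code: str) -> bool:
        """Accept only the code at the current position, then advance.
        Constant-time comparison avoids leaking how many digits matched."""
        if self.exhausted():
            return False
        ok = hmac.compare_digest(_digest(code), self._hashes[self._next])
        if ok:
            self._next += 1
        return ok


if __name__ == "__main__":
    sheet = generate_sheet(5)
    verifier = CodeSheetVerifier(sheet)
    print("skip ahead accepted?", verifier.verify(sheet[1]))   # False
    print("next code accepted?", verifier.verify(sheet[0]))    # True
    print("replay accepted?", verifier.verify(sheet[0]))       # False
    print("position now", verifier.position)                   # 1
```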


But then, how does the account holder know which is the current one?


In theory, by remembering the last one you used.

In practice, by just marking the damn pages.


How does an account holder know what their password is?

(They remember it, or they write it down and store it with their other valuable pieces of paper.)


Everybody (90% of over-12s) has a smartphone but you can also use a computer. 98% have internet at home.

Edit: latest statistics show >95% have BankId on a smartphone. See https://www.bankid.com/assets/bankid/stats/2019/statistik-20...


That is a good explanation... So then what is the password?


Some sort of 2FA code, either from an app on your phone, or a unique code page provided by your bank.


Because you guys have more forms of ID aside from SSNs, many of them with security features. For Americans, it's the only number that everybody has, so it's become the password to your entire financial life.

You can go to a bank, say "hi, I'm John, my social is 123456789, I'd like to take a ten thousand dollar loan" and they'll give it to you if their records show that the name belongs to that number.


> You can go to a bank, say "hi, I'm John, my social is 123456789, I'd like to take a ten thousand dollar loan" and they'll give it to you if their records show that the name belongs to that number.

If that's so, why isn't this happening in massive numbers, given for example the 143 million SSNs that leaked through Equifax?


Because people are mostly some combination of honest and cowed by law enforcement.

I think it's harder these days than the other poster says, but there is still plenty of financial fraud.


There's usually more verification than just that. There's an automated system that asks about old addresses, employers, loan amounts/dates, etc. It's probably fairly easy to get that information but enough of a bump in the road to prevent massive fraud.


This is literally what "identity theft" is. It does happen in massive numbers.


Maybe it does happen all the time and you just don't hear about it. That's all I can guess.


My spouse's human resources dept was spearphished and sent all employees' tax forms. 1 in 3 employees called the IRS to get a PIN issued; the rest (hundreds) discovered someone had submitted fake tax returns on their behalf the next year. Many had credit cards issued to someone else before the credit lockdowns were in place. Any spouses or children whose SSNs were on the employees' tax forms also had problems.


I am from Europe and I can't do anything except a random consultation about products without providing an actual ID (passport or ID card) at a bank. The same goes for SIM swap: I have to go to the mobile operator's client center and provide ID before getting a new SIM. Obviously this is not 100% safe as the bank/mobile operator employee could still be social engineered somehow, but it sounds miles better than what you have in the US.


I'm in the US and every time I've applied for a loan, credit card, or SIM in person I've had to provide a driver's license. When I applied online I did not have to give an ID, but most of the time they ask for the ID number.

When I had my identity stolen the crooks still had some Fake ID with my name and info. They found small cellphone kiosks (a makeshift promotional tent) inside large stores with lax security to make their purchases.


Here a driver's licence isn't recognized as a valid ID (can't even buy alcohol or get packages at the post office with it) because of what I assume are lax built-in security mechanisms, and everyone must have a valid passport. I do think that any system can be abused (social engineering, an employee doing his job poorly, etc.). At the end of the day it should be possible to prove that it was a scam, but just the fact you have to deal with it for quite some time is a PITA.


Times do change. In 1996 a dumpster dive of the local computer store would reveal hundreds of names, addresses and full credit card numbers with expiry dates.

A super high end hotel in Singapore would leave client bookings at the check in counter with address, name, credit card also.


In the mid/late-90s, my university email address used the last 4 digits of my SSN, and they also had other systems that used the last 4 digits to verify your identity.


Perhaps a difference is that in a phone book, it requires work and is not scalable. On the other hand, if you buy a dataset of personal information, you can glean tons of information for malicious intents (and scale it).


They still are available. Check out whitepages.com


This type of phone number intelligence is essentially free. In a few seconds, for just ten cents, one could use NextCaller (YC14) and get all of this:

https://hackernoon.com/nextcaller-what-does-your-phone-numbe...

Although I think NextCaller no longer has this Twilio integration, there are similar services that provide these details at this price point.


Does anyone offer a monitoring service for consumers? I would pay a nominal fee to be able to dip in to the big databases like this to find out what they think they know about me. If it's so cheap on a per-lookup basis, maybe someone could offer a consolidated view. Pay us X dollars and we will go dip into the top 50 databases right now and see what they say.

Of course, they probably contractually cannot do this and would get cut off immediately if they did.

Edit: Didn't know, nextcaller is a YC company. LOL


On the surface, this sounds like a great idea (I certainly would pay for such a service)...But wouldn't that create an incentive for the data brokers to double-dip, and sell YOUR data to existing ad/marketing/scammer customers, PLUS sell YOU your OWN data?

(I should caveat, I'm having a "pessimist day" today, so even sunshine and rainbows aren't as pretty today as they normally are.)


> PLUS sell YOU your OWN data

Yeah, sounds like credit bureaus :).

With the sheer quantity of data analysis that goes on behind the scenes and affects citizens, I think we need a much better handle on transparency. We already have some level [inadequate IMO] of control over the established credit bureaus; I think that should be expanded to all data brokers that sell personal data like this. If I can't keep it from being sold, then I should at least be able to see what it is and make sure it's accurate.

Maybe it's time to look into how to pollute the data set instead.


Yep, you're right on all points!


They make such a big deal of getting this from a cell number, but none of what they listed is very difficult from simply a name and general idea of who a person is.

I recently found a lost wallet. The only things in it were cash and some credit cards (and a Kohl's loyalty card). The person had a semi-unique name, only 4 in my state, and it was easy to find all of the data listed in this article about them. Whitepages-style sites usually have age, relatives, sometimes phone numbers and addresses, and you can put together the pieces from different sites:

I found the wallet at a Dude Perfect Tour show with my kids, so out of the matches I found, I assumed it was less likely to be the 67 year old. Another came up repeatedly for crimes: Domestic Assault & Battery, and drug crimes. I doubted this was the owner, and wasn't sure I wanted contact with anyone like that. Anyway, that left two people. The first one I called had lost the wallet, and I mailed it to him.

Again, all I needed was a name.


I have been living in the park & taking calls at the lottery hotline for 25+ years, according to all but my guv, insurance provider & LEOs. Some others may get a PO Box, but if X doesn't fall under the umbrella of the former mentioned, they get all the mis-info I can feed them. Sadly, today the institutions I must rely on sell all that info to the highest bidders, anyway.

In the list of info gleaned from your phone # the writer forgot your online purchase history, vehicle VIN & plate number and pretty much EVERY MOVE YOU MAKE day-to-day thanks to O/L retailers, your cell provider, your TV/provider, your DMV, your insurance provider, your city/county/state/Fed & everyone else under the sun selling your info. Many ask for your phone # "for security reasons" and then immediately sell it. TFA states it is better than your "full name"... that's nothing, as I have >7 same-names in my metro alone. It is, indeed, better than your social security #(in the States, anyway).


Very ironic article on a site that requires you to log in via social media just so you can read it.


No mention of the ability to obtain an exact real-time location, which is made possible by phone companies providing your real-time data to advertisers and other third parties.


Whenever possible I use the Burner app if I need to provide a number to sign up for a service that I'm not particularly worried about losing access to, that sends a confirmation code on login. Especially when it's something I only need to use once, like anonymously downloading a file from a website that requires a Google or Facebook login, for example.


The problem is the 'public records', not 'sharing phone #'.

Layers of security-levels to access records and appropriate log trails for audit shouldn't be that difficult to set up in this day & age.

I suppose it's hard to implement in a purely capitalistic economy.


How many here have set their LinkedIn profile to not be discovered if someone knows your number?


“Twilio, a communications company that works with phone carriers on combating robocalls.”

- The New York Times


I can’t read this article because the alleged bastion of journalistic integrity requires its readers to be tracked.


Does not. You can just read it with disabled javascript.


You can use Tor Browser set to Safest mode and read it easily.


Then go get your news from thefreepatriotonline.com or some other completely legitimate, not-fake no-operating-cost international news organization.




