If anybody was in doubt about the wisdom of relying on IT security questions to establish an online zone of privacy, this week's news about the Romney campaign should have clinched the issue. News outlets are reporting that the Republican presidential nominee has had his email account hacked. The hacker apparently got in through the ‘back door’ provided by the candidate's security questions.
You've probably seen these kinds of security questions before. They are popping up all over the place these days on everything from email accounts to online banking, with many social media networking services using them as well. The purpose of a security question is to allow a user who has forgotten his or her password access into the account. In theory, if you can answer the security question correctly, you must be the actual user registered to the account. Typically, the online service you are trying to access will let you in – and often let you change the account password while you are in there.
The problem with this system, of course, is that many security questions are asking for information that might be guessable, particularly by people who know you. After all, any number of close friends might know your last name before you were married; even more might be aware of your favorite sports team. IT consultants know that the latter type of question is particularly problematic because there are a limited number of sports teams in the world. A dedicated hacker could simply run down a list. This might result in account lockouts, but someone who really wanted to get into your account could wait them out and keep trying.
In Romney's case, reports are telling us that the hacker managed to answer the "What is your favorite pet" question. This could probably be answered by anyone savvy enough to do a Google search on the topic, unless Romney had adopted a clever ‘blind’ strategy for the question.
IT risk management experts advocate such an approach. To answer blind, you memorize a pre-set an answer that has nothing to do with the question. In effect, it becomes like a back-up password. For example, if the answer to "What is your favorite pet" was typed in as 'ParisLouvre' or another nonsensical answer, it would be highly unguessable and the account would be even more secure. This strategy, of course, means you have to memorize your security question answers, or keep them in a secure location that can't be compromised or hacked.
If you're concerned about navigating the online world in privacy and safety, and have questions about how to improve your IT security, then request a free consultation with one of our representatives.