Mimsy Were the Borogoves

Editorials: Where I rant to the wall about politics. And sometimes the wall rants back.

Are insecurity questions designed to help hackers?

Jerry Stratton, July 27, 2016

United Music Styles

But I don’t see plutonium rock listed.

If you read this blog regularly, you know that the main purpose of insecurity questions is to help hackers get into your account. This is a testable theory. For example, one of the drawbacks of free-form answers, as far as hackers are concerned, is that the space of possible answers is unbounded. While it’s likely to be pretty easy to guess what your favorite dog breed is just by watching your Facebook feed, it’s possible that you use an odd spelling, or don’t know what your dog’s breed actually is.

The latest twist on insecurity questions solves that problem for hackers, while making it harder for the account owner whose answers differ from the norm to remember the answers. Instead of a free-form input, you’re provided with a small number of valid answers. I discovered this the last time I went to log in to my United Airlines MileagePlus account. They required that I change my answers, and instead of being allowed to type my own answers, I was forced to choose an answer from a small list.

Now, if your theory is that insecurity questions are there to help the owners of accounts, it’s unlikely that you would have predicted this development. It’s insane, because it does little to help you, the account owner who has forgotten a password but does know the dog’s breed, and everything to help hackers. It’s even worse if your favorite genre or favorite dog is not listed as an option. You’re very unlikely to remember which option you chose in its place, or you’re going to assist hackers by always choosing an item at the top of the list.

I noticed immediately that some of the lists were ridiculously small. The list of musical genres includes only twenty-one items. Jim Fenton went through a bunch of the questions and discovered that some of the questions involve months, which means that the number of answers is a mere twelve: twelve guesses exhaust the entire space. It’s not going to take much of a security breach for a hacker’s computer program to cycle through the choices and come up with the right combination.

If that security breach is like this one described on Stack Exchange that interchanges answers, it’s going to make the month answers ridiculously easy to hack, for example.

Besides giving the attacker a small, finite set of options to cycle through when hacking your account online, pre-determined answers are also normalized: if the question is what month you were born, the hacker no longer has to worry about whether you spell February correctly or not. If the question is a date, the hacker won’t have to worry about what format you use when typing dates. It’s a system designed for programmatic hacking.

This is only going to get worse. Insecurity questions are a very bad answer to an occurrence that is relatively rare for the individual account owner but relatively common for the organization: someone forgetting their password. For most individuals, the chance that you forget a necessary password is much smaller than the chance that one of your many passwords is caught up in a hacking attempt or security breach of some kind. Even without that, however, insecurity questions always make your account less secure. They provide a means other than knowing your password by which hackers can get into your account.

But insecurity questions aren’t for you. They’re for the organization hosting the account. It’s expensive to handle forgotten passwords on a one-to-one basis, so organizations naturally want to automate the process of resetting forgotten passwords. The more the company tries to make that automated process run without human intervention, the more useful the process becomes to hackers.

I was only being partially facetious in the title of this post. The needs of organizations that use insecurity questions and the needs of hackers line up very closely, which means that insecurity questions are likely to continue getting easier for hackers to use.

The purpose of insecurity questions is to get into the account without knowing the password. The secure answer to security questions is to not use them. Technically, insecurity questions should be treated exactly like passwords, because for all practical purposes they are passwords: they can be used to get into your account. But if we hashed the answers to security questions, required users to choose strong answers, and didn’t allow them to use easily-guessable answers, then there would be no point to them. Hashing alone doesn’t rescue a pick-from-a-list answer, either: a hashed answer drawn from twelve months still falls to twelve guesses.
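To put numbers on the argument above (the twenty-one-genre and twelve-month lists, and the claim that hashing a list-constrained answer is pointless), here is an added Python example. It is not code from the original post or from United Airlines: it stores answers the way a password should be stored (salted PBKDF2-HMAC-SHA256), then shows that an attacker holding the stored hashes recovers a month answer in at most twelve guesses and a genre answer in at most twenty-one, however strong the hash. The genre names are placeholders standing in for the real list, since the post reproduces only its size; the iteration count is an assumption kept low so the demo runs quickly.

```python
# Added example, not from the original post. Models the post's two option
# lists: the twelve months and a 21-entry genre list (placeholder names;
# only the list size matters for the argument).
import hashlib
import hmac
import math
import os

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
GENRES = [f"genre {i:02d}" for i in range(1, 22)]   # 21 stand-in options

ITERATIONS = 10_000   # assumption: low so the demo runs in about a second


def normalize(answer: str) -> str:
    """Canonicalize a typed answer the way a lenient site would (case,
    surrounding and repeated whitespace). A fixed list makes this moot:
    the attacker submits the list entry exactly as the site spells it."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Store an answer as a password would be stored: salted PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)


def store(answers, salt=None):
    """Return (salt, [hash, ...]) as a breached answer table would hold them."""
    salt = salt or os.urandom(16)
    return salt, [hash_answer(a, salt) for a in answers]


def crack_one(stored_hash, salt, options, iterations=ITERATIONS):
    """Offline attack on one hashed answer: walk the fixed option list.
    Returns (recovered answer, attempts); attempts never exceeds len(options)."""
    for attempts, candidate in enumerate(options, 1):
        if hmac.compare_digest(hash_answer(candidate, salt, iterations), stored_hash):
            return candidate, attempts
    return None, len(options)


def crack_set(stored_hashes, salt, option_lists, iterations=ITERATIONS):
    """Crack every question of a reset challenge independently.
    Worst case is the SUM of the list sizes (21 + 12 = 33 here), because a
    breached table hands the attacker each hash separately."""
    recovered, total = [], 0
    for h, options in zip(stored_hashes, option_lists):
        answer, n = crack_one(h, salt, options, iterations)
        recovered.append(answer)
        total += n
    return recovered, total


def answer_space_bits(option_lists):
    """Entropy ceiling when the answers must be submitted together online
    (the PRODUCT of the list sizes): log2(21 * 12) is just under 8 bits."""
    return math.log2(math.prod(len(options) for options in option_lists))


def password_bits(length=8, alphabet=62):
    """For comparison: a random 8-character alphanumeric password."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    salt, hashes = store(["genre 17", " february "])
    found, guesses = crack_set(hashes, salt, [GENRES, MONTHS])
    print(f"recovered {found} in {guesses} guesses (worst case {len(GENRES) + len(MONTHS)})")
    print(f"joint online guess space: {answer_space_bits([GENRES, MONTHS]):.1f} bits "
          f"vs {password_bits():.1f} bits for a random 8-character password")
```

Two things to take from running it: raising the PBKDF2 iteration count only scales the cost of those 33 guesses, it never changes their number, so the usual password-storage defence buys nothing here; and the under-8-bit joint space means an online attacker needs at most 252 attempts per account even when the site asks both questions at once, which is well inside what a reset endpoint without a strict lockout will tolerate.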

The tendency is going to always be to make insecurity questions less secure, because that is their purpose. They’re for bypassing security.

In response to The last four digits of your social security number: The last four digits of your social security number are the least guessable part of your SSN.