Mat Honan should read Mimsy
In “The last four digits of your social security number”, I wrote:
There is a sense in which this entire discussion is irrelevant: because the last four numbers of your SSN are what businesses ask for, they are all that a criminal sometimes needs to use your cash or credit.
Or your private information. Since the last four digits of your SSN are used as a de facto password, they’re all hackers need to get access to your accounts. Increasingly, it’s the last four digits of your credit card that are becoming your password, as Mat Honan discovered recently. Amazon didn’t treat the last four digits of the credit card as securely as they should have. Hey, why should they? It’s only the last four digits, right? It didn’t help that Amazon, like Apple, makes it far too easy for strangers to add things like credit cards and emails to your account. A hacker got Honan’s last four credit card digits, and then went to Apple to reset Honan’s iCloud password.
It needs to be possible to turn insecurity questions off. The likelihood that they’ll be used for hacking attempts needs to be taken much more seriously. Otherwise, passwords are easily bypassed. And when the insecurity questions themselves can be bypassed in favor of the even less secure billing address and last four of credit card or SSN, that’s insane. At that point there really is no purpose to passwords.
In response to The last four digits of your social security number: The last four digits of your social security number are the least guessable part of your SSN.
- How Apple and Amazon Security Flaws Led to My Epic Hacking: Mat Honan
- “In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.” (Techmeme thread) (Hat tip to Arnold Kim at MacRumors)
More insecurity questions
- Security is hard, and 2FA is not the answer
- Is 2-factor authentication the magic bullet in security? Not unless we solve the real problem, which is that people always take the easy way out—and that includes service providers.
- Security questions will always be insecure
- Insecurity questions are insecure because their purpose is to allow access to someone who does not know the access credentials. This trait is shared by zero or one person who has forgotten their password, and an infinitude of people who never knew it in the first place—because they shouldn’t have access.
- Are insecurity questions designed to help hackers?
- Insecurity questions are being modified to make them easier to hack and harder to remember. It’s as if they’re designed to help hackers and frustrate forgetful account owners.
- Insecurity Questions enable harassment and abuse
- Insecurity questions are designed specifically to let someone who does not have your password access your account without having to talk to a human. The idea is that that person will be you after you forget your password, but the computer does not care. Anyone or anything with that information can access your account.
- Allow men to impersonate exes, transgender activists say
- Some transgender activists want banks to reduce the security on bank accounts, enabling abusive exes to access their victims’ bank accounts.
More social security numbers
- Jim Rockford comes to identity theft
- It’s easy enough to guess an SSN, if you know the SSN of someone born at the same location and the same time.
- Insecurity questions on phones and at banks
- How important are the last four digits of your social security number? That and a high school yearbook can get a hacker your bank account.
- Tumbling to SSN privacy
- Guessing social security numbers based on the statistical analysis I talked about in “The last four digits of your social security number” now has a name: “tumbling”.
- The last four digits of your social security number
- The last four digits of your social security number are the least guessable part of your SSN.