Recently I was having a conversation with a friend of a friend and we were talking about some of the things you usually talk about with people when first meeting (background, education, job, etc.). As we were talking I had a random thought about how the stuff we were talking about correlates to various security questions you see on websites.
If you are the paranoid type, you could justify refusing to talk about the typical things people talk about like hobbies, cars, job, etc. for fear of giving away one of the answers to a security question.
A little about security questions: they are DUMB and useless, and for the most part they make things less secure.
1) Having a site that utilizes security questions only adds to the sensitive data they are collecting and must protect. In most cases, they are already doing a poor job at security, so giving them additional information to protect only raises the risk of more sensitive data being compromised at some point.
2) And speaking of sensitive data, sites are actually transforming data that would otherwise not be sensitive into sensitive data by collecting it and using it for verification.
3) The answers are supposed to be things only you would know; however, it’s not at all hard for someone to google you and acquire that information, especially if you are free with the information you share on, say, Facebook. In reality, the questions are meant to be something you can easily remember, which probably means lots of other people know about it too.
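Point 1 says a site that collects security-question answers has taken on more secrets to protect. The least a site can do, if it insists on using them, is store the answers the way it should already store passwords. The following is an added example, not code from the original post or from any particular site: it normalizes the answer so that "Mr. Whiskers" and "mr whiskers" match, then salts and slow-hashes it with PBKDF2 and verifies in constant time. The function names, the iteration count and the sample answers are all assumptions made for this illustration.

```python
"""Added example (not from the original post): if a site must store
security-question answers at all, treat them like passwords: normalize,
salt, slow-hash, and compare in constant time. All names and sample
answers below are constructed for the illustration."""
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

# PBKDF2 parameters chosen for the example (assumption, not a figure from
# the post); tune the iteration count to the hardware doing the verifying.
_ITERATIONS = 200_000
_SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Collapse the trivial variations a legitimate user will type
    ("Mr. Whiskers", "mr whiskers", " MR  WHISKERS ") into one canonical
    form so the comparison is forgiving without storing plaintext."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)   # drop punctuation
    return " ".join(text.split())         # collapse whitespace, strip ends


def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt per stored answer matters even more here than for
    passwords: many users give the same answer to the same question, and
    without a salt identical answers would produce identical stored values."""
    salt = salt or os.urandom(_SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, _ITERATIONS
    )
    return f"pbkdf2_sha256${_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Malformed or unknown stored records are rejected rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, rounds
    )
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample: the user enrolled "Mr. Whiskers" as a pet's name.
    record = hash_answer("Mr. Whiskers")
    print(record)
    print(verify_answer("  mr whiskers ", record))  # normalized match
    print(verify_answer("Mrs Whiskers", record))    # wrong answer
```

Hashing only limits the damage when the site's database leaks; it does nothing about point 3, because an attacker who learns the answer from a public profile still types the right string. That is why storage hygiene is a floor, not a fix, and why the post's conclusion that security questions should go away stands.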
So back to what I was saying about someone who might be especially paranoid about what information they reveal about themselves. If you look at some of the security questions typically used, you shouldn’t really talk about what your favorite film is or your favorite author or what kind of car you drive or what your favorite hobby is… you get the point.
Basically if you are security conscious and treat the information collected by these security questions as something that should be protected with as much vigor as your password, there are lots of things you shouldn’t be talking to people about… which is completely ridiculous of course. Part of being a human is sharing information like this with other human beings you wish to interact with to find common interests, goals, etc.
As part of this whole thought process, I did a little research into sites I use that require you to complete security questions (financial and utility sites primarily). Of those 10 sites, four required security questions, which was less than I expected/remembered.
I also performed a little experiment by using a mobile app which is especially prone to scammers/bots trying to collect information about you, and almost every time the questions being presented to me went right down the list of typical security questions used on websites: “what kind of hobbies do you like?”, “where did you go to school?”, “what kind of movies do you like?”… you get the picture.
Anyway, my point with all this is that people shouldn’t have to fear talking about details of their lives for fear of someone using it to gain control of one of their accounts on a website somewhere. Basically, security questions need to just go away… period.
*Yes, I know I’ve mentioned discussing life details with people both in person and online. Discussing these details with someone online is significantly more risky (again if the data wasn’t used for verification, it most likely would not matter) than discussing them with someone right in front of you. However, if you happen to be in some position of importance and are targeted by someone trying to social engineer you, it’s entirely plausible that you could get targeted by someone in person trying to collect this information. Again it would be better if sites simply used some other method for positive identification so that this type of life information would essentially be useless to anyone else, at least for account identification anyway.
This also carries over to data like birth dates and such. Why should I have to worry about telling someone when I was born just because companies have decided to use that for verification purposes, meaning that I now need to keep my birth date a secret from everyone else?