
Fake security question answers are weakening online security

By James Walker     May 27, 2015 in Internet
Security researchers from Google have found that people frequently give false answers to personal security questions on new online accounts in the misguided belief that a fake answer will increase security. The researchers found that the contrary is actually true.
CBC News reports how Google researchers, led by Joseph Bonneau, examined public usage of "secret" security questions. These are used by nearly all websites as a safeguard for the "reset my password" option. You cannot reset your password until you've supplied some information that, supposedly, only you would know.
Unfortunately, the security questions offered normally have answers that anybody close to you would already know. "Pet's name" and "favourite movie" are probably common knowledge, while the better ones like "mother's maiden name" can still be obtained online. Many people seem to have realised this, leading to a new issue: people faking answers.
The Google study was created with the aim of showing "in black and white exactly how insecure and unreliable" security questions are. The team hoped to identify the best possible security questions as well as the worst by analysing their usage on Google's own platform.
They found that many people use fake data where possible but that this is actually more exploitable than the real data. The researchers found that many accounts were protected by security answers such as "Don't have one" and "I don't know", giving any attacker a simple vector for trying to gain access to an account.
Worryingly, Bonneau concludes: "If there is some question out there that will manage to do both things at once [be secure and memorable], Google wasn't able to find it." It appears that security questions aren't suitable for use on the modern Internet and that alternatives must be found.
Bonneau advises that users should try not to use obviously fake answers such as "I don't know". Where possible, and on services that support it, two-factor authentication should be enabled instead of security questions. This uses your phone to generate a unique security code for you and is available on a growing roster of platforms, including Google.
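The weakness described above, where many accounts end up sharing answers such as "I don't know", can be measured on a site's own data. The following is an added example, not code from the article or from the Google study; it assumes answers are available for audit as text, and the function names, the extra placeholder strings and the sample answers are constructed for illustration.

```python
import re
import unicodedata
from collections import Counter

# The first two strings are quoted in the article; "none" and "na" are assumed variants.
PLACEHOLDER_ANSWERS = {"dont have one", "i dont know", "none", "na"}


def normalize(answer: str) -> str:
    """Fold case, drop punctuation and collapse whitespace so variants compare equal."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)  # "Don't" -> "dont", "N/A" -> "na"
    return " ".join(text.split())


def is_placeholder(answer: str) -> bool:
    """True when the answer is an obvious non-answer that many users will share."""
    return normalize(answer) in PLACEHOLDER_ANSWERS


def top_k_coverage(answers: list[str], k: int) -> float:
    """Fraction of accounts whose answer is among the k most common normalized answers.

    This is the share of accounts whose answer falls within the k most
    popular strings, so a high value for small k means the question is weak.
    """
    if not answers:
        return 0.0
    counts = Counter(normalize(a) for a in answers)
    return sum(n for _, n in counts.most_common(k)) / len(answers)


# Constructed sample: answers to one security question across ten accounts.
SAMPLE = [
    "I don't know", "i dont know", "Rex", "Don't have one", "I DON'T KNOW.",
    "Bella", "don't have one", "Mittens", "N/A", "Shadow",
]

if __name__ == "__main__":
    flagged = [a for a in SAMPLE if is_placeholder(a)]
    print(f"{len(flagged)} of {len(SAMPLE)} answers are placeholders")
    print(f"top-2 answers cover {top_k_coverage(SAMPLE, 2):.0%} of accounts")
```

Running `is_placeholder` at enrollment lets a service reject such answers before they are stored, while `top_k_coverage` shows how concentrated the existing answers to a question already are.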