Answering Those “Pesky” Security Questions


“What is your mother’s maiden name?”, “What was your first pet’s name?”, “What street did you grow up on?”; these are just some of the security questions we’re constantly bombarded with when setting up accounts. They’re meant to offer a second factor of authentication (2FA), or to verify your identity if you get locked out of your account. While a good idea in theory, they can become a nightmare if not handled correctly.

Recently I had to use my social engineering skills to help my husband get access to an online account he was locked out of. He’d originally answered the security questions with gibberish because he was in a hurry, and now didn’t know the answers to help verify his identity. A call to customer service wasn’t going well, because they didn’t believe it was him. I had him put me on the call, and I was able to convince the agent to give us access to the account again. This got me thinking about the dilemma that others find themselves in when tasked with filling out these answers while setting up accounts.

Situation 1: Being Inconsistent

If your first pet’s name was Mr. Fluffy, pick one way to type that in and stick to it. Otherwise you may find yourself trying variations like “Mr. fluffy”, “mr fluffy”, or “MR.FLUFFY”. Many of these sites treat your answer as case-sensitive, and too many bad tries will usually lock you out of your account.

Situation 2: Being Lazy/Frustrated

This is the scenario where a user answers the security questions with a bunch of gibberish like “qr4mrooirgnkn” or “3bropi0u23jnaf”. Filling in random characters during setup may make the process quicker, but it is impossible to remember them when they’re asked of you later.

Situation 3: Being Too Truthful

Before you truthfully answer questions such as “What’s your mother’s maiden name?” or “Where did you take a honeymoon?”, think long and hard about the available OSINT on yourself. How hard is it for a social engineer to find this information and use it to gain account access? Many times these answers are very easy to find on the web. You’re much better off making up fake answers and then sticking to them every time you answer a given question.

Unlike your passwords, which can be managed with software like Dashlane or LastPass, security answers are a bit trickier to manage. LastPass recommends that you “use the password generator to create bogus answers to security questions. Save the answers as a “Note” in the site entry in your vault, so your mother’s maiden name looks like: “sPEcTOpeRoseNctuLAte.” This is a great suggestion, unless you’re using a device that’s not yours (work, travel, etc.).

I also found several sites that recommended using a formula to create an easily remembered answer to any question. The formula goes:

[Snarky Phrase] + [Core Noun Phrase] + [Unique Word]

Let’s look at some examples:

Snarky Phrase = Stupid Question
Unique Word = Booyah

If the security question is: “What is your favorite sports team?”
My answer would be: Stupid Question Sports Team Booyah

If the security question is: “What street did you grow up on?”
My answer would be: Stupid Question Street Booyah

As you can see, this does give a viable formula that you’d be able to remember in most situations.
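The flip side of Situation 1 is how the site stores and checks the answer. The following is an added example, not code from the original post or from any of the services it mentions: it normalizes the answer (case, punctuation, whitespace) before salting and slow-hashing it, so “Mr. Fluffy” and “MR.FLUFFY” verify as the same answer, and it counts failed attempts with an assumed lock-out threshold. The formula-style answers above are used as constructed sample input.

```python
"""Server-side handling of security-question answers: normalize, then hash.

Added example, not from the original post. Normalizing before hashing means
"Mr. Fluffy", "mr fluffy" and "MR.FLUFFY" all verify, which removes the
lock-out trap of Situation 1 without ever storing the answer in clear.
"""
import hashlib
import hmac
import secrets
import unicodedata

MAX_ATTEMPTS = 5        # assumed lock-out threshold, not taken from the post
PBKDF2_ROUNDS = 200_000  # assumed work factor for the slow hash


def normalize(answer: str) -> str:
    """Case-fold, replace punctuation with spaces and collapse whitespace."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    kept = "".join(ch if ch.isalnum() else " " for ch in text)
    return " ".join(kept.split())


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )


def enroll(answer: str) -> dict:
    """Store only a random salt and the slow hash of the normalized answer."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _digest(answer, salt), "failures": 0}


def verify(record: dict, attempt: str) -> bool:
    """Constant-time compare; count failures so guessing hits the limit."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False  # locked: needs out-of-band recovery, not more guesses
    if hmac.compare_digest(_digest(attempt, record["salt"]), record["hash"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


if __name__ == "__main__":
    # Constructed sample: a formula-style answer from the post, entered inconsistently.
    rec = enroll("Stupid Question Sports Team Booyah")
    print(verify(rec, "stupid question, sports team booyah"))  # True
    print(verify(rec, "Stupid Question Street Booyah"))        # False
```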

In the end there is no one solution that will work for everyone or every situation. The key is to find something that works for you, giving you secure and easy-to-remember answers when you need them. Don’t forget to discuss this with friends and family too, and help them become more secure online. Not everyone is lucky enough to live with a social engineer who can get them back into a locked-out account.

Security Question Challenge

How many of these answers can you find about yourself through OSINT?

  • What is the first and last name of your first boyfriend or girlfriend?

  • What was your favorite place to visit as a child?

  • Who is your favorite actor, musician, or artist?

  • What is the name of your favorite pet?

  • In what city were you born?

  • What high school did you attend?

  • What is the name of your first school?

  • What is your favorite movie?

  • What is your mother’s maiden name?

  • What street did you grow up on?

  • What was the make of your first car?

  • When is your anniversary?

  • What is your favorite color?

  • What is your father’s middle name?

  • What is the name of your first grade teacher?

  • What was your high school mascot?

Written By: Laurie Varner

References:
https://blog.lastpass.com/2016/09/time-to-change-every-password.html/
https://www.quora.com/What-are-the-most-common-security-questions-to-retrieve-a-users-password
http://lifehacker.com/323938/choose-memorable-answers-to-security-questions