I regularly hear complaints from people about the hassle of having to answer those pesky security questions every time they setup “yet another” account on the internet. These questions can be referred to as any of the following:
- Security Questions
- Challenge Questions
- Account Recovery Questions
- Password Reset Questions
Regardless of how they are described they serve a common purpose. They are meant to help an individual provide some form of evidence that is them in the event that the service needs to verify that it is them. This is done for many purposes of which the most common for online services is to reset a forgotten password.
To call them “security questions” is almost an oxymoron based on my experience. The questions that are asked are often far from secure, and may in actual fact create opportunity to hack accounts far easier than password cracking.
To be clear about this, let me make a statement that people may not understand. On many websites, a “hacker” does not have to have your password to compromise your account if they can figure out your security question answers. They will actually use the security questions to change your password and let themselves in. If there isn’t a second step to do this (like sending a code to a cell phone) then you could be in for quite a surprise even if you have taken my advise and made a strong password.
This also becomes a problem if you have been hacked even if you have taken the steps to have secondary checks on login. For example, if it is set up with an account (let’s say an online banking account) that login from a new and/or unknown network requires a “security question” it isn’t very secure if it asks you what city you were born in, your high school name, your mothers maiden name or your favorite sport. The answers to those questions are likely publicly pasted all over the internet on your social media accounts or social media accounts of your friends. It is quite possible that the “hacker” may already be into your social media account if they have hacked a password (remember, don’t reuse passwords).
Because of this, it is paramount that the answers you give to these ‘pesky’ security questions not be overlooked and I am going to give you the best piece of advice I possibly can on this. For all of those questions you are asked for LIE!
If you were born in Toronto, make the answer London. If your mothers maiden name is Jones, answer Smith, etc. Of course, YOU need to know the answers the questions and that won’t be hard if you are consistent with the answering. Just make sure you keep it a ‘secret’.
Security questions are an important part of the verification process when conducting transactions online and you really need to take them seriously. You usually have the choice of questions, so as long as you LIE on the answers there is nothing wrong with picking easy questions like those noted above. Just make sure you remember the answers.
Picking easy questions with real answers because they are easy to remember for you means they are also easy for a hacker to figure out.
Stay safe.
Jamie G
Safe Identity Canada 