Security Question Silliness

October 18, 2017
tips security FFIEC

TL;DR - Use a password manager and lie your ass off.

When I think about online security questions for account recovery and authentication—you know the ones that ask about your favorite food or first girlfriend’s name—I can’t help but to hear this song in my head:

Security questions, huh, what are they good for? Absolutely nothing, huh!

If Edwin Starr was still around I’m not sure if he would’ve appreciated the lyric rewrite but damn, security questions for authentication are such a pain for the little benefit they provide. Here is my take on the issue and some steps for tech savvy folks to take control.

Let’s start with this online banking registration form that requires six of these security question bad boys to be registered:

Security Question Example.

Anybody that knows me is going to know the answer to that first question. Bacon. Oh yeah, I gotta have my bacon. Sure it could be pizza or something else but the point is that it’s guessable. I don’t have a favorite constellation but the others are probably pretty easy to guess too assuming that I went down the list. Using publicly known information defeats the whole purpose of authentication…you know, the secret stuff that you are (eg. iris), know (eg. password), and have (eg. RSA token).

So where does this security question silliness come from? Thank the Federal Financial Institutions Examination Council, better known as the FFIEC. The FFIEC issued guidance in 2005 entitled, Authentication in an Internet Banking Environment that recommended challenge questions as a backup method of authentication. If you’ve ever forgotten your password and had to call customer service you know what I’m talking about. The customer service agent has to verify your identity somehow which is—unfortunately—accomplished using information that could be publicly available like your last address, birthdate, or mother’s maiden name. If you are a U.S. citizen your social security number used to be a somewhat decent method (but definitely not ideal) to authenticate but thanks to the recent Equifax breach, not anymore.

The FFIEC isn’t completely crazy though. They eventually realized that social media is a threat to using simple security questions so they issued a supplement to their original guidance about six years later:

These questions can often be easily answered by an impostor who knows the customer or has used an Internet search engine to get information about the customer (e.g., mother’s maiden name, high school the customer graduated from, year of graduation from college, etc.). In view of the amount of information about people that is readily available on the Internet and the information that individuals themselves make available on social networking websites, institutions should no longer consider such basic challenge questions, as a primary control, to be an effective risk mitigation technique.

So what did the FFIEC recommend as a mitigation? Add more questions of course! Well, not quite—actually, the additional questions are supposed to be more complicated:

Challenge questions can be implemented more effectively using sophisticated questions. These are commonly referred to as “out of wallet” questions, that do not rely on information that is often publicly available. They are much more difficult for an impostor to answer correctly. Sophisticated challenge question systems usually require that the customer correctly answer more than one question and often include a “red herring” question that is designed to trick the fraudster, but which the legitimate customer will recognize as nonsensical. The Agencies have also found that the number of challenge questions employed has a significant impact on the effectiveness of this control. Solutions that use multiple challenge questions, without exposing all the questions in one session, are more effective. Although no challenge question method can mitigate all threats, the Agencies believe the use of sophisticated questions as described above can be an effective component of a layered security program.

You can reference the quotes above at the FFIEC mothership here on page 7 if you are curious but I don’t think security / challenge questions are the best control for any type of authentication. Sure, having multiple questions will make guessing more difficult but you’d be surprised what a determined hacker that is versed in the dark ways of social engineering can do on the phone. Don’t believe me? Watch this professional social engineer in action. Even security researchers at Google in a 2015 blog post titled, New Research: Some Tough Questions for ‘Security Questions’ concluded:

…secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.

So why are security questions still a thing? For starters, the FFIEC document above comes from a 2011 Press Release and there haven’t been any updates since. Sure, having security questions does provide an additional layer of security but it’s more of a check box for compliance than for the actual security of your data. The FFIEC probably feels even today that multiple challenge questions is a reasonable mitigation for the majority of customers while not incurring additional burdens on financial institutions that have a laundry list of required security controls. If you account for development costs alone, of course it’s easier and cheaper compared to integrating a proper multifactor authentication scheme such as a RSA fob or Google Authenticator for smartphones. At the end of the day, most users—looking at you mom—that can’t remember all the answers to their security questions definitely aren’t going to know how or want to setup something like Google Authenticator anyway. So from a business and support perspective, I can see how some organizations would opt for the easiest route to appease the FFIEC gods at our inconvenience. However, for us—the tech savvy—we have another option: Lie.

Going back to my example above, yeah you might know that I love bacon but you aren’t going to know that I love b8c0n. Better yet, What is my favorite drink? you ask? Why of course it’s 7UeNyR. Hopefully you see where I am going with this. You don’t have to answer with the correct answer. Simply answer with the wrong answer but make sure you remember it by saving the answers in a password manager! Okay, maybe simple isn’t exactly simple but hey, we are tech savvy remember? Besides, if you aren’t using a password manager, you probably have more urgent issues to take care of so let’s take a quick detour…

If you have no idea what I’m talking about, head on over to Troy Hunt’s haveibeenpwned.com site and see for yourself. Still feeling confident in your password management system? How about one of your silly passwords like “monkey123” that you’re using for Facebook, Twitter, and everything else? Troy has you covered for that too—you can use the Passwords section of his site to see if a password you use or intend to use matches passwords in a known data breach. Are most users going to do this? No but we don’t have to be one of the sheep (i.e. normal users) waiting to be devoured by wolves (i.e. hackers, script kiddies). Since I’ve already given a plug for Troy Hunt, if you aren’t sold on password managers read his post on the topic: Password managers don’t have to be perfect, they just have to be better than not having one.

Anyway, once you get up and running with your chosen password manager, you can make random answers that are close to impossible to guess. All you have to do is save the answer with the security question. Here is an example using LastPass but you could even write it down on a piece of paper and store it in a fireproof safe:

Secure Security Question Example Using LastPass.

This method isn’t full proof however. Some sites, like United.com, don’t let you choose your own answers:

United Airlines Security Questions Example

And to make things worse, United makes you answer some of those questions if you are using a device that you haven’t used to sign-in before:

United Airlines Security Questions Required Authentication Example

In cases like this, you’ll have to choose incorrect answers and save them in your password manager unless you can actually remember them of course. If you opted to store in a fireproof safe, be prepared for massive inconvenience. Either way, both methods are annoying as hell but effective nonetheless.

At this point, you are probably thinking that I’ve just taken an already convoluted process and made it even more convoluted and you’d be correct. Creating false and random answers to security questions is more convoluted but if you are using a password manager, the password manager will do all the remembering for you. Also, you have to understand that once a bad person gets your bank’s support person on the phone, all bets are off. Hopefully, just hopefully, that support person will see the silly answers to those silly security questions and have a sudden realization that something might be awry. Hell, you could even consider using this for your security question answer: AlwaysConfirmMySecurityAnswersPlease If you’re going to be inconvenienced anyway, you might as well relish the fact that you just made it a little harder for some asshat to mess with your life.

If you liked this post please click and say hello!

New AWS Account Gotcha and a Security Consideration

August 3, 2017
AWS S3 tips security