
the security of memes

While waiting for my plane to leave earlier today, I read a friend's personal blog. In it, she has posted a meme that I've seen go around personal blogs and Facebook lately. The first time that I met this meme, it was coming up with your porn star name: your first pet's name plus the street you grew up on. (In case you care: Smokey M-21, which doesn't seem like a name that would get me far in that particular business.)

This has expanded to include your Nascar name, witness protection name, detective name, and a few others. Reading over this meme, I realised that all of this information that she has posted has a lot in common with all of those security questions my bank wanted me to answer: favourite colour, father's middle name, etc.

How secure can those bank questions be if many people are posting this information to their blogs? So many of these questions are easy to find with a few minutes on a search engine (my Facebook profile will tell you what high school I graduated from, and then in two more minutes you can find my high school's website to learn what our mascot is). Where is the security?

Published Monday, November 10, 2008 2:59 PM by nadyne

Comments

# re: the security of memes

That's never been about *actual* security, just the *appearance* of security, and making it harder for bots.

There's no way that asking me for my father's middle name is some kind of great security trick, unless you really know nothing about security, and usually, this idiocy happens on the same web sites that bitch when you want to use special characters in your password. "Pick a secure password, but numbers and letters only".

Huh?

If they really wanted you to be "secure", you'd see more use of 2-factor authentication. I see no reason why my bank can't issue me an ATM card that isn't an RSA key generator too.

Monday, November 10, 2008 11:15 PM by John C. Welch

# re: the security of memes

That's exactly how Palin's Yahoo email account got hacked. A little googling (or MSN'ng) for basic information and some not so difficult guesses.

After all, the basic security question for years "What is your Mother's maiden name?" has a very good chance of being the account holder's last name. (Single parents dramatically drive up the probability.)

Similarly, the new gas pump credit card readers that request the zip code for the card are probably easy to defeat. If you find a credit card then you can try at least 3 local zip codes. I wouldn't be surprised if this strategy had a fairly good hit rate. Modulating this approach to favor local zip codes that have the surname from the card listed in the phone book may increase the rate for minimal effort.

The problem is that securing accounts/systems is by definition imposing barriers. The benefit that those barriers provide is invisible, not very tangible, and certainly a "future" benefit as opposed to an immediate inconvenience.

The only way that something resembling real security will be used in the consumer space is if it is mandated. Some countries have taken small steps in this direction to limit the ways that the equivalent of social security numbers may be utilized.

Any approach to security that relies on information based on personal experience will have holes. All that can be done is to find a sensible balance between security and consumability.

Ultimate personal information nightmare: A friend of a friend had the experience of finding that they had an unexpectedly low credit score. On investigation they found a bunch of loans and credit cards were held in their name with high balances that had been defaulted on. None of these accounts were opened by the person whose name was on the credit report. It turned out that their delinquent Mother had opened the accounts and run up the charges with the attitude "that there is nothing that can be done to stop it" since the Mother had full knowledge of important things like SSN, DoB, etc, etc.

Sunday, November 16, 2008 12:20 AM by Michael
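The guessability that the post and Michael's comment describe (a favourite colour drawn from a handful of popular answers, a maiden name that often equals the account holder's own surname, a found card's zip code being one of three local ones) can be put in numbers. The Python below is an added example written for this edit, not code from the post or its commenters. Every answer frequency in it is a constructed illustration rather than survey data, the three-guess lockout is an assumed policy, and the function names are my own. It ranks answers most-popular-first, sums how much of the population an attacker covers within the lockout budget, and compares that to a uniformly random secret of the nominal size.

```python
"""Guessing-attack model for knowledge-based authentication answers.

Added example (not part of the original post or its comments). Compares how
often an attacker with a small number of guesses succeeds against a security
question whose answers are skewed versus a uniformly random secret. All
frequencies below are constructed illustrations, not survey data.
"""
import math


def ordered_probs(head, tail_mass=0.0, tail_size=1):
    """Return answer probabilities in best-guess (most popular first) order.

    `head` maps the popular answers to their population share; `tail_mass`
    is the share spread evenly over `tail_size` rare answers that an
    attacker would have to enumerate one at a time.
    """
    probs = list(head.values())
    if tail_mass > 0:
        probs += [tail_mass / tail_size] * tail_size
    total = sum(probs)  # normalise, so the shares need not sum to exactly 1
    return sorted((p / total for p in probs), reverse=True)


def success_probability(head, guesses, tail_mass=0.0, tail_size=1):
    """Chance the attacker is right within `guesses` tries."""
    return sum(ordered_probs(head, tail_mass, tail_size)[:guesses])


def guesses_for(head, target, tail_mass=0.0, tail_size=1):
    """Smallest number of guesses that reaches `target` success probability."""
    running = 0.0
    for i, p in enumerate(ordered_probs(head, tail_mass, tail_size), start=1):
        running += p
        if running >= target - 1e-12:  # tolerance for float rounding
            return i
    return None


def min_entropy_bits(head, tail_mass=0.0, tail_size=1):
    """-log2 of the most likely answer: strength against a single guess."""
    return -math.log2(ordered_probs(head, tail_mass, tail_size)[0])


def uniform_success(space_size, guesses):
    """Baseline: a uniformly random secret drawn from `space_size` values."""
    return min(guesses, space_size) / space_size


# Constructed distributions (hypothetical shares chosen for illustration).
FAVOURITE_COLOUR = {"blue": 0.35, "green": 0.15, "red": 0.13, "purple": 0.10,
                    "black": 0.08, "orange": 0.05, "yellow": 0.04, "pink": 0.04}
COLOUR_TAIL = (0.06, 20)        # remaining 6% spread over 20 rarer colours

# Mother's maiden name: the comment above notes it often equals the account
# holder's surname, so the attacker's first guess is the name on the card.
MAIDEN_NAME = {"<holder's own surname>": 0.30, "Smith": 0.03, "Johnson": 0.02,
               "Williams": 0.02, "Brown": 0.02, "Jones": 0.01}
MAIDEN_TAIL = (0.60, 50_000)    # everything else, one surname at a time

# Zip code for a card found locally: three nearby zips cover most holders.
LOCAL_ZIP = {"zip A": 0.40, "zip B": 0.25, "zip C": 0.15}
ZIP_TAIL = (0.20, 40_000)       # roughly the rest of the US zip space

LOCKOUT = 3   # assumed "three wrong answers and the account locks" policy


def report():
    """Success within LOCKOUT guesses and min-entropy for each secret type."""
    rows = {}
    for name, head, (tail_mass, tail_size) in [
        ("favourite colour", FAVOURITE_COLOUR, COLOUR_TAIL),
        ("mother's maiden name", MAIDEN_NAME, MAIDEN_TAIL),
        ("zip code of found card", LOCAL_ZIP, ZIP_TAIL),
    ]:
        rows[name] = (success_probability(head, LOCKOUT, tail_mass, tail_size),
                      min_entropy_bits(head, tail_mass, tail_size))
    rows["random 4-digit PIN"] = (uniform_success(10_000, LOCKOUT),
                                  math.log2(10_000))
    rows["random 8-char alnum password"] = (uniform_success(62 ** 8, LOCKOUT),
                                            8 * math.log2(62))
    return rows


if __name__ == "__main__":
    for name, (p, bits) in report().items():
        print(f"{name:30s} success in {LOCKOUT} guesses: {p:10.7f}"
              f"  min-entropy: {bits:5.1f} bits")
```

With these constructed shares, three guesses at a favourite colour succeed 63% of the time and three local zip codes 80% of the time, against 0.03% for a random 4-digit PIN; `guesses_for(FAVOURITE_COLOUR, 0.5, *COLOUR_TAIL)` shows the attacker reaches even odds on the second try. The lockout counter is the only thing doing work, which is the point both the post and the comments make.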