This is the third of what is intended to be a three-part series. To catch up, read “Social Media for Social Evil – Part I: Impersonation” and “Social Media for Social Evil – Part II: Network Analysis”. Since some of the darker parts of the web have been doing these things for *years*, I’m going to cover them in great detail here. Hopefully people can take steps to better protect themselves. Anything detailed here that might be illegal is neither condoned nor encouraged by me, anyone I work with, nor my ferocious kittens. I highlight it here for analysis only.
At this point, most of us use some form of online banking. Part of the “security” on these sites is a series of questions like:
- What is your mother’s maiden name?
- What was your high school mascot?
- What is your favorite color?
- Where did you go on your honeymoon?
- Who is your favorite author?
- What street did your best friend live on in middle school?
I suspect you see where I’m going with this…
Take a quick spin around your friends’ profiles on Facebook.
No, go ahead. I’ll be here when you get back. Seriously, I’m not going anywhere.
Now, how many of those questions were you able to answer?
- Almost every married woman I know has her maiden name in her profile. After all, her high school friends have to be able to find her. Check.
- I can’t find a single friend without their high school listed. Google does the rest. Check.
- Favorite color is a little harder to find, but even if you have to guess, sticking with Roy G. Biv should get 90% of them. Possible.
- Honeymoon is one of the easiest of all. If they’ve gotten married in the past 5 years or so, between Facebook and Flickr, they’ve most likely posted pictures. Or their friends asked “how was X?” Check.
- The vast majority of people have a favorite book or three listed. Odds are their favorite author wrote their favorite book, right? Probable.
- Alright, the last one is the hardest of all. Odds are that most people don’t have their street addresses from years ago listed, so you’ll have to dig deeper. If you limit yourself to Facebook, you might have to dig around in their apps or look up the best friend’s parents’ current address. It’s possible they haven’t moved. Unlikely.
Stop and think how much information we’ve just gathered in a matter of moments. We answered three of the six questions with barely a moment of effort. Even with lots of pieces missing, a potential identity thief – or that Nigerian prince – can find out a lot about you and make educated guesses on the rest.
And the most disturbing part to me personally: We can do this without the victim knowing that they’re a target.
Of course, if we write one of those stupid “how well do your friends know you” quizzes and send it to them, most likely we can find out the rest... and the information from whomever they forward it to, so we get secondary targets with no effort. With a well-designed Facebook application – preferably one that asks “personality” questions – I bet I can get you to answer the questions for me.
That is the only time during this entire attack when someone might realize they were a target.
But since everyone else is filling out the quiz too... will they notice? In fact, if you look at the “figure out your pornstar name” thread from a couple of years back, many people believe it was a social engineering attack.
Unfortunately, there’s only one way to guard against this one:
Make up answers.
No, I’m serious. In fact, for security questions, the more nonsensical, the better. If you respond to “Who is your favorite author?” with “you know, that guy with the hair and the thing”, do you think anyone knows or cares? If you respond to “What is your favorite color?” with “man, my toe hurts”, how is anyone going to guess it? It’s not like Chase, Wells Fargo, Capital One, or whoever can validate them.
As long as YOU can remember them, what does it matter?
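As an added example (not the author’s code), here is the “make up answers” advice carried into practice: random, unrelated answers are generated with a CSPRNG and packaged for a password manager’s secure notes, which takes care of the “as long as you can remember them” part, and the script contrasts their entropy with the guess space an attacker is left with after reading a profile. The word list and the guess-space figures are constructed assumptions for illustration, not measurements.

```python
import json
import math
import secrets

# Constructed 32-word sample list (log2(32) = 5 bits per word). A real
# deployment would load a full diceware-style list of several thousand words.
WORDS = [
    "anvil", "bishop", "cactus", "dolphin", "ember", "falcon", "glacier", "hammock",
    "iguana", "jasmine", "kettle", "lantern", "marble", "nutmeg", "oyster", "pepper",
    "quartz", "raven", "saddle", "tundra", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zipper", "acorn", "beacon", "cobalt", "dagger", "eagle", "fossil",
]

# Assumed guess-space sizes reachable from a public profile alone; illustrative
# figures, not measurements (1 = the answer can be read straight off the profile).
PROFILE_GUESS_SPACE = {
    "What is your mother's maiden name?": 1,
    "What was your high school mascot?": 1,
    "What is your favorite color?": 7,       # Roy G. Biv
    "Where did you go on your honeymoon?": 1,
    "Who is your favorite author?": 3,       # authors of the listed favorite books
}


def guess_bits(question: str) -> float:
    """Entropy (bits) left to an attacker who has read the victim's profile."""
    return math.log2(PROFILE_GUESS_SPACE[question])


def make_answer(n_words: int = 3, words=WORDS) -> str:
    """Random, unrelated answer; secrets.choice is CSPRNG-backed, unlike random.choice."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def answer_bits(n_words: int = 3, words=WORDS) -> float:
    """Entropy of a made-up answer with n_words drawn uniformly from words."""
    return n_words * math.log2(len(words))


def vault_record(site: str, questions, n_words: int = 3) -> dict:
    """Question/answer pairs to store in a password manager's secure notes."""
    return {"site": site, "security_questions": {q: make_answer(n_words) for q in questions}}


if __name__ == "__main__":
    for q in PROFILE_GUESS_SPACE:
        print(f"{guess_bits(q):5.2f} bits from profile vs {answer_bits():5.2f} bits made up: {q}")
    print(json.dumps(vault_record("example-bank", PROFILE_GUESS_SPACE), indent=2))
```

With the sample list, three words give 15 bits against the 0 to 2.8 bits a profile leaves an attacker; a several-thousand-word list pushes a three-word answer past 35 bits, and the answer shares nothing with anything posted online.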
I’ve also submitted some of this analysis as a Core Conversation to SXSW 2011 under the title “Shattering Secrets with Social Media”. If that sparks your interest, let me know, as I’m turning it into a regular presentation for interested technology groups.