Challenge questions are a common authentication method today, but are they really all that challenging in today’s technology-based world? Are you really the only one who knows the answers to your life? Think about how much stuff is on the Wild Wild West (oh, sorry, more commonly known as the World Wide Web) about you on any given day. Ever take a look? No? Try googling your name. If you have a common name, use your birth city and state, or current city and state with your name and see just how much information is out there about you. You may be surprised. And yes, it’s true that once something hits the net, it’s there forever.
You may be very cautious about what you post about yourself on social media sites, and to those people I say kudos! But, even if you have your profile “locked down,” are your friends? If not, what they post or comment on about you is out there for the world to see, including those incriminating high school photos they tagged you in. Have utilities in your name? Are you in the phone book? Ever buy property? File a police report? That’s all public record. It’s a fact of life today – we are all pretty visible. So, let’s play one of my favorite games – “How do they defeat that security?” Below are just a few ways people can defeat challenge questions.
Have you considered what other people post online about you? Ever get an invitation to join a social media high school reunion site? Even if you decline, there’s a record of that invitation, which to the right people means you probably went to that high school (one challenge question defeated, let’s try another…)
Ever participate in TBT (Throw Back Thursday) posts? Amazing how many people post photos of their bad decisions and bad hair from the past, but that’s another blog… Ever post one highlighting when and where it was taken? If said photo was during high school, it’s easy to do the math, look up the school on the net, and figure out who your high school mascot was (another one bites the dust).
Let’s shift gears: Genealogy websites are always running “free trial” offers. They don’t validate who is opening the account, so I could register claiming to be you and start running searches for things like mother’s maiden name and father’s middle name (two more defeated).
We could go on and on, but I think you get the idea. So, while we’re stuck with this form of authentication, I have one suggestion for you. Ready? This is really good –
Lie; lie like a rug. Lie like you’ve never lied before. Just remember what lie you told or you’ll lock yourself out of your account! So have a plan.
Here’s what I mean – if a site requires challenge questions vs. more secure forms of authentication, select a question but don’t give the right answer. Yes, it’s really that easy! Have static, not true answers. Instead of “father’s middle name” I use my favorite guy’s name (no, I am not telling you!). For high school mascot, I actually chose a furry animal I don’t like (since I didn’t like high school!).
Remember that with challenge questions you just have to provide an answer, not the true one. It’s not a test. No one is verifying your answer is accurate; they just need a method to connect you to the account in question. So, while you too may have been raised to always tell the truth, I think everyone will understand these harmless, but oh so needed fibs given the high-fraud world we live in today. In the end, I simply suggest you become more challenging.