Don’t do your dough

Nothing brings a subject into focus with greater clarity than having it happen to you! And so it was in my case when my wife advised me of a strange phone call she had just received. The call had almost certainly come from an offshore location, judging by the caller's accent and command of English and by the poor connection, which failed three times but was re-established each time by the caller. The caller claimed to be a representative of the bank we use and wanted to confirm my wife's credentials for security reasons. At that point of the story my concern went into overdrive. However my wife, who had heard me pontificate about the dangers of the web and online security in general, did for once remember my warnings and was careful in her conversation.

The caller offered proof of her identity by quoting the last four digits of my wife's credit card. Again alarm bells rang for me. Those digits are widely available and used for many purposes; they are routinely quoted in emails by anyone who has legitimate financial dealings with you and your card, which reduces their value as proof to almost nothing. However, when quizzed the caller explained that the credit card in question appeared to have been duplicated and used in London to buy an airline ticket. The fact that the caller wanted to confirm my wife's identity over the phone in such an uncertain manner concerned even my wife, who is not the most security-conscious person, and she terminated further discussion with the caller. I suggested she immediately call our bank's security branch and establish the real status of the situation. As things turned out, it was true that her card had been used in London a short time earlier. What rang the alarm bells at the bank was that the next transaction on the card was a withdrawal from an ATM at our normal shopping centre. Plainly, one card could not be in two places, continents apart, at the same time.

Not knowing the details of this hack, I suggested that my wife change not only her password but also her security question answers. The latter have always concerned me because they were never particularly secure. I am sure you are familiar with the common versions; almost without fail the first is "What is your mother's name?", followed by gems such as your favourite drink, your first pet's name, the school you attended and many more in a similar vein, all of them publicly traceable. To be fair, those who record the answers to those questions realise that we are a very forgetful lot, sometimes verging on doddery, when it comes to this kind of mental recall. So let us first build the plain-language algorithm for the questions and then try to make them doubly secure in their answered form.

So what makes a good security question? First and foremost, pick a question whose answer is very hard to guess or look up, both for strangers and for people who know you well. On the other hand, the answer should be easy for you to remember. Bearing in mind that you may have to answer the question a few years from now, the answer should not change over time, or at least you should still be able to answer it correctly in the future.

In summary, the three basic principles are: 1) hard to guess or find out; 2) easy to remember; and 3) does not change over time. Based on these principles you can create fairly good security questions. Adding further criteria makes a question more robust. For example, an ideal security question has many potential answers but, in line with principle 1, only you know the true one; a question with a small answer space (favourite colour, city of birth) can be defeated simply by trying the most common answers. And while the answer should be hard to guess, it should still be short and simple, otherwise it will probably not be easy to remember.

Finally, so as not to undermine principle 1, you should never answer this question anywhere else. That takes a conscious effort, or you simply choose a question that no one would ever think of asking, even for fun.
To summarise, the additional criteria for a secure security question are: (a) the question has many potential answers but only one is clear to you (principle 1); (b) the answer is short and simple (principle 2); and (c) the question is unlikely to be asked casually, for example in a game or a social-media quiz (principle 1).

So what should good security questions look like? Good examples are hard to give because ideally they are very personal and not generally applicable to a lot of people. Nevertheless, here are three examples and why they make good questions.
Q: What is the name of the teacher who gave you your first A? If you ever got a particularly good or bad grade, you likely remember the subject and the teacher. Unless you boasted about it, this detail will be very hard for someone else to find out. Alternatively, if you never received that grade, the answer can be nonsensical, such as 'never happened', although a stock phrase like that is only as strong as it is uncommon.

Q: What is the name of the city where you got lost? Provided this is a vivid memory and not a story you have shared far and wide, this makes a great question. Generally, events you are embarrassed about and have never told anyone make for great security questions.

Q: What is the name of the person whose middle name is Maria? Since most people are not fond of their middle names and rarely use them online, this answer is hard to find out or guess.

So what should good secure answers look like? Here I am going to borrow from Danah Boyd because her answer deserves repeating. Questions with true answers can always be answered somehow by someone who digs. To really increase security, especially on sites that don't offer a custom question, you can do what blogger Danah Boyd of Apophenia recommends and create a personal algorithm for security answers. In other words, you create a master key that functions as the answer to any security question you will ever set up or meet, so the master key is the only thing you have to remember. The algorithm looks something like this: [snarly bad-attitude phrase] + [core noun phrase] + [unique word]. The components need not be these actual phrases, but for example let [snarly bad-attitude phrase] be "stupid question" and [unique word] be "Booyah". Then when asked "What is your favourite sports team?" the answer would be "StupidQuestion SportsTeam Booyah", and when asked "What was the first car you owned?" the answer would be "StupidQuestion Car Booyah".

Being whimsical, I may be tempted to substitute Broncos and Ferrari for the core nouns above. When you use this system, be original: if everybody used the words given here, cracking the code would be a cakewalk. Bear in mind the weakness of any fixed pattern: a support agent who reads your answer back, or a breach at one site that exposes a single answer, reveals the prefix and suffix you use everywhere, leaving only the core noun to guess. Using the analysis of good question structures together with the algorithm, one should be reasonably secure. And on reflection you realise that the question and answer examples are interchangeable.
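As an added illustration of the master-key idea (this is not the author's or Danah Boyd's scheme, and it is not code from the original post), the Python below derives each answer from one remembered secret with an HMAC keyed over the site name and the normalised question text. Because the output words for each site/question pair are unrelated, one exposed answer reveals nothing about the others. The 64-word list, the site names and the questions are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed 64-word list for this example only. A real deployment would use a
# published list (e.g. a diceware list); 64 entries give 6 bits of entropy per word.
WORDS = [
    "apple", "bridge", "candle", "desert", "eagle", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orbit", "pepper",
    "quarry", "river", "saddle", "timber", "umbrella", "valley", "walnut", "yellow",
    "zebra", "anchor", "basket", "copper", "dragon", "ember", "falcon", "glacier",
    "hammer", "ivory", "jungle", "kernel", "lemon", "marble", "nickel", "oyster",
    "parrot", "quiver", "rocket", "silver", "tunnel", "velvet", "window", "yogurt",
    "acorn", "beacon", "cactus", "dolphin", "engine", "feather", "granite", "helmet",
    "iron", "jasmine", "keel", "lotus", "magnet", "nectar", "otter", "pebble",
]
# 256 % 64 == 0, so indexing with one digest byte introduces no modulo bias.
assert len(WORDS) == 64


def normalise_question(question: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so that trivial
    differences in how a site renders its question do not change the answer."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", question.lower()).split())


def derive_answer(master_secret: str, site: str, question: str, n_words: int = 4) -> str:
    """Derive a security-question answer from a single remembered master secret.

    HMAC-SHA256 keyed with the master secret over (site, normalised question).
    Each site/question pair yields unrelated words, so an answer exposed at one
    site (to a support agent or in a breach) tells an attacker nothing about the
    answers used elsewhere, unlike a fixed prefix/suffix pattern.
    """
    message = f"{site.strip().lower()}\n{normalise_question(question)}".encode("utf-8")
    digest = hmac.new(master_secret.encode("utf-8"), message, hashlib.sha256).digest()
    # Each of the first n_words digest bytes selects one word (n_words <= 32).
    return "-".join(WORDS[b % len(WORDS)] for b in digest[:n_words])


if __name__ == "__main__":
    # The site names and questions below are constructed for illustration.
    secret = "one long sentence that only I know"
    for site, q in [("bank.example", "What is your favourite sports team?"),
                    ("shop.example", "What is your favourite sports team?"),
                    ("bank.example", "What was the first car you owned?")]:
        print(f"{site:14} {q:40} -> {derive_answer(secret, site, q)}")
```

The trade-off is that you can no longer recall the answer unaided; you must re-run the derivation with the exact site name and question text, which in practice makes this a job for a password manager that stores a random answer per site. Four words from a 64-word list give 24 bits, adequate against online guessing that a site rate-limits, but use a larger list or more words if the answers could be attacked offline.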

From the above you can see why I have reservations about the mandatory PIN introduction, but that is another story. Whatever you do, please take security very, very seriously, particularly on the web.
