It’s difficult to fathom how a list of the 20 most popular dog names could have evolved into a potential tool for identity theft. Such, however, is an oddity sprung upon us by the challenges of online password management.
When you register for an account on the Web site of a financial institution (or other secured site) today, you are often required to register answers to a series of personal questions, sometimes referred to as “life questions.” These questions–familiar to many of us–support a form of emergency authentication. When you lose or forget your password, the Web site prompts you to answer one or more of the life questions you have registered.
Here are some (reworded) examples drawn from several popular sites:
1. What was the name of your first pet?
2. What was the make of your first car?
3. What is your best friend’s first name?
4. What is your mother’s maiden name?
5. In what city were you married?
6. What is the first name of your maternal grandmother?
7. What is your favorite hobby?
8. What was your high school mascot?
9. What is your birth date?
A security system is only as strong as its weakest link. The security of online accounts depends critically on the quality of their life questions. So how hard is it for an identity thief to circumvent password protections by feigning a lost password and targeting a Web site’s life questions?
There are a number of ways to characterize the security of a particular life question. Two key measures are: (1) The difficulty of guessing the answer based on general knowledge and (2) The difficulty of learning the answer by mining public data-repositories.
Guessing: Consider the question “What was the make of your first car?” Until 1998, Ford Motor Company controlled a market share of more than 25% in the United States. Thus, an attacker in the U.S. who guesses the answer “Ford” can score high odds of success–roughly 1 in 4.
Similar in nature is the question “What is your best friend’s first name?” At first blush, this may seem an excellent security question, based as it is on information largely unavailable to strangers. 1990 U.S. Census data, though, reveal that if your best friend is male, there is nearly a 10% chance that he’s named James (Jim), John, or Robert (Bob or Rob)–the three most common given names. (Women’s names are slightly more diverse.)
Many sites lock down accounts after several failed login attempts. Thus it may seem that life questions guessable with relatively small odds–say, 1%, if not 10%–offer sufficient protection. Identity thieves, though, need not confine their attacks to a particular account. They can sweep through many thousands. Even small odds of successful guessing offer limited defense against such en bloc attacks.
Mining: “What is your mother’s maiden name?” is a universally popular security question. Researchers at Indiana University who studied public data in the state of Texas as an example, though, were able to learn the answer for over four million people, about 20% of the state’s population. In the same vein, clues to the question “In what city were you married?” abound in public data repositories for marriage licenses and wedding notices. Online genealogical databases can help uncover the names of parents and grandparents.
Aggravating such vulnerabilities is Internet users’ growing penchant for publishing personal information. Among students recently studied at Carnegie Mellon University, for example, a large majority posted private information on a (CMU-restricted, but illustrative) social-networking site. This information included birthdays, high schools, and hobbies, facts bearing directly on the sample life questions listed above.
The security vulnerabilities of password systems are well documented. People often choose their passwords poorly, and happily divulge them to strangers in exchange for frivolities like chocolate and gift certificates. Life questions, though, have received scant scrutiny from the security community, despite their rapid proliferation across the Internet. Many are no doubt weaker than passwords. Life questions could well emerge as a significant weak link in our online infrastructure.
So what do I do when I’m asked the name of my first pet? Despite his unusual name, I posthumously rechristen him with a jumble of numbers and letters that looks very much, in fact, like a strong password. I register this string of random characters as my answer, while silently offering up my apologies to Archimedes the hamster.
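As an added example, not part of the original essay: the Python below puts numbers on two of the points made above. It estimates how far the most common answers get an attacker who is limited to a few attempts before an account locks out, how that small per-account probability scales into an expected count across a sweep of many accounts, and how little the same number of attempts buys against a random-string answer of the kind the author registers in place of the hamster's name. Only the 25% "Ford" figure comes from the essay; the other answer shares, the lockout threshold and the account count are constructed placeholders.

```python
import math
import secrets
import string

# Constructed sample distribution (not real market data): the share of
# accounts whose registered answer to "make of your first car" is each value.
# The 25% "ford" share is the figure the essay quotes for the U.S. before
# 1998; the remaining shares are illustrative placeholders.
FIRST_CAR_SHARES = {
    "ford": 0.25,
    "chevrolet": 0.15,
    "toyota": 0.10,
    "honda": 0.08,
    "other": 0.42,  # long tail of makes, not a single guessable answer
}


def top_k_guess_success(shares, attempts_before_lockout):
    """Probability that trying the most common answers, most common first,
    hits the registered answer before the account locks out.

    The 'other' bucket is excluded because it is not one answer an attacker
    can type; only individually ranked answers count."""
    ranked = sorted(
        (p for answer, p in shares.items() if answer != "other"), reverse=True
    )
    return sum(ranked[:attempts_before_lockout])


def expected_compromised(p_success, accounts_swept):
    """Expected number of accounts compromised in an en bloc sweep, treating
    each account as an independent trial with probability p_success."""
    return p_success * accounts_swept


def random_answer_guess_success(length, alphabet_size, attempts_before_lockout):
    """Success probability of the same attempt budget against a uniformly
    random answer: each guess has a 1 / alphabet_size**length chance."""
    return attempts_before_lockout / (alphabet_size ** length)


def guess_entropy_bits(p_success):
    """Bits of work implied by a success probability (-log2 p)."""
    return -math.log2(p_success)


def random_answer(length=20, alphabet=string.ascii_letters + string.digits):
    """A high-entropy replacement answer drawn from the OS CSPRNG, in the
    spirit of the essay's 'jumble of numbers and letters'."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    lockout = 3          # assumed: attempts allowed before the account locks
    accounts = 100_000   # assumed: size of a hypothetical sweep

    p_common = top_k_guess_success(FIRST_CAR_SHARES, lockout)
    print(f"top-{lockout} common answers succeed with p={p_common:.2f} "
          f"({guess_entropy_bits(p_common):.1f} bits)")
    print(f"expected compromised across {accounts} accounts: "
          f"{expected_compromised(p_common, accounts):.0f}")

    answer = random_answer()
    p_random = random_answer_guess_success(len(answer), 62, lockout)
    print(f"random answer {answer!r}: p={p_random:.3g} "
          f"({guess_entropy_bits(p_random):.0f} bits)")
```

The contrast is the whole point: a few guesses against a popular answer carry a couple of bits of work, while the same guesses against a 20-character random string carry over a hundred. The random answer is not memorable, so in practice it has to live in a password manager alongside the password it is meant to back up.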