
On the Internet, everybody knows your dog's name

In the Facebook era, it's easier than ever for thieves to hack into your online accounts. One way to protect yourself: Secure security questions.

By Michael V. Copeland, senior writer
Last Updated: September 24, 2008: 12:02 PM ET


(Fortune Magazine) -- If you suspected there were some security holes in all your password-protected online accounts - banking, e-mail, etc. - you would be right. And Sarah Palin, the Republican vice-presidential candidate who just had her Yahoo e-mail hacked, would agree.

But as the Palin episode shows, the weak link isn't the passwords themselves but those security questions you have to answer in case you forget the passwords. You know the drill. You set up an online checking account and answer questions about your high school mascot, the street you grew up on, and the name of your dog, which supposedly only you can answer. It's all safe as long as crooks don't have the answers, which now - thanks to blogs, Facebook, Twitter, and every other public forum people use to put every last detail of their lives online - they do.

Herbert Thompson says all he needs to break into a bank account is a person's name and place of employment - and about an hour, give or take. Thompson, of New York City consulting firm People Security, certainly knows more about hacking than your average Joe, but says that he - or an actual crook - doesn't need any special tricks, just patience and a facility with Google.

"Having the answer to biographical questions has quickly become the keys to the online kingdom," Thompson says. That is how the bad guys got into Palin's e-mail. Further proof of the value of this information, he points out, is that the black-market price of a set of answers to typical security questions for an individual is eight to ten times the price of a password. Passwords can change; basic facts of your identity generally don't.

If you have ever had someone successfully "phish" your bank account, you know what the cost is personally. But for the banks and merchants who are usually left holding the bag when an account is stolen, the loss is compounded.

Companies don't divulge what they spend on preventing such fraud, but the market for "identity-proofing" services is "safely in the billions," says Avivah Litan, a security analyst with research firm Gartner. "So you can imagine what is at stake, and these kinds of attacks are getting more widespread and increasingly sophisticated."

Is there a way to plug the security hole? Quite possibly. In Palo Alto, another security expert, Markus Jakobsson, is preparing to launch a new kind of security-question system. Dubbed Blue Moon Authentication, the application relies on preferences rather than discrete factual - and thus extremely Google-able - tidbits about you. With Jakobsson's approach, users are asked to answer whether they like or dislike, say, Chinese food, heavy-metal music, garage sales, tattoos, or cats.

"It's easy for you to remember whether you like Chinese food and dislike tattoos, because it's part of who you are," says Jakobsson, a principal scientist at the Palo Alto Research Center. "But it would be very hard for a random person to guess enough of the answers correctly to gain access to a password reset."

If a bank were to adopt a Blue Moon security system, customers would have to submit to a battery of questions about their tastes and preferences. (It's a pain, but presumably less painful than being robbed.) Anyone trying to get into an account without a password would have to answer a series of questions about preference. Getting 11 out of 16 correct, Jakobsson says, proves with 99.5% accuracy that people are who they say they are.
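The "11 out of 16" threshold is a binomial calculation, and the article does not say what assumptions sit behind the 99.5% figure. The script below is an added example, not code from the article or from Blue Moon, and it works the numbers out under stated assumptions: an attacker who guesses each question independently with some per-question success probability, and a legitimate user who recalls each of their own answers with some probability. The 1/3 case assumes a third "no opinion" choice alongside like and dislike (the article mentions only like/dislike; that option is an assumption here), and the 0.7 and 0.8 cases are assumed values for an attacker who knows the victim's tastes. The point for a practitioner is that the threshold only buys 99.5% against a random guesser; against someone who already knows your preferences, no threshold helps.

```python
from math import comb


def tail_prob(n: int, k: int, p: float) -> float:
    """P(X >= k) for X ~ Binomial(n, p): the probability that someone who gets
    each of n independent questions right with probability p scores at least k."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    return sum(comb(n, i) * p**i * (1.0 - p) ** (n - i) for i in range(k, n + 1))


def false_accept(n: int = 16, k: int = 11, guess_p: float = 0.5) -> float:
    """False-accept rate: an attacker whose per-question success probability is
    guess_p clears the k-of-n threshold with this probability."""
    return tail_prob(n, k, guess_p)


def false_reject(n: int = 16, k: int = 11, recall_p: float = 0.9) -> float:
    """False-reject rate: the real user, recalling each answer with probability
    recall_p, falls short of k-of-n with this probability."""
    return 1.0 - tail_prob(n, k, recall_p)


def min_threshold(n: int, guess_p: float, max_far: float) -> int:
    """Smallest k such that an attacker with per-question success guess_p passes
    k-of-n with probability <= max_far. Returns n + 1 when no threshold works,
    because tail_prob(n, n + 1, p) is 0 for any p."""
    return next(k for k in range(n + 2) if tail_prob(n, k, guess_p) <= max_far)


if __name__ == "__main__":
    # Attacker models; every probability below is an assumption for illustration.
    attackers = [
        ("coin flip, like/dislike only", 0.5),
        ("coin flip, with an assumed third 'no opinion' option", 1 / 3),
        ("acquaintance who knows some of your tastes (assumed)", 0.7),
        ("close friend who knows most of your tastes (assumed)", 0.8),
    ]
    print("false-accept rate at 11 of 16, and threshold needed for FAR <= 0.5%")
    for label, p in attackers:
        far = false_accept(16, 11, p)
        k = min_threshold(16, p, 0.005)
        need = f"{k} of 16" if k <= 16 else "no threshold suffices"
        print(f"  {label:55s} p={p:.2f}  FAR={far:.4f}  need {need}")
    # The honest user side: how often does the right person get locked out?
    print(f"user recalling 90% of own answers: FRR={false_reject(16, 11, 0.9):.4f}")
```

Run as a script, the table shows that a pure like/dislike guesser clears 11 of 16 about 10.5% of the time, that the 99.5% figure lines up with a guesser choosing among three equally likely options, and that for an attacker who already knows 80% of the victim's tastes even 16 of 16 cannot keep the false-accept rate under 0.5%.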

Whether that claim proves true should be known soon. Jakobsson is trying to license the technology to companies that will build and ultimately manage the security system. He's in the throes of hammering out a contract with an "Internet company that practically everyone online in the country has an account with," he says. He won't give the company's name, but sources say it's probably eBay. Neither Jakobsson nor eBay would comment, but word is that by March or April, eBay users and, perhaps more specifically, eBay's PayPal customers, will have the choice of using Blue Moon as the mode to identify themselves and protect their passwords.

"Will the bad guys adapt to the stuff that Jakobsson is proposing?" asks Herbert Thompson, who's a Blue Moon fan. "They will try, and they have huge resources to throw at it. But when it's compared to finding out the name of a dog, it would be a huge step forward from where we are now."
