
On the Internet, everybody knows your dog's name

In the Facebook era, it's easier than ever for thieves to hack into your online accounts. One way to protect yourself: Secure security questions.

By Michael V. Copeland, senior writer
Last Updated: September 24, 2008: 12:02 PM ET

(Fortune Magazine) -- If you suspected there were some security holes in all your password-protected online accounts - banking, e-mail, etc. - you would be right. And Sarah Palin, the Republican vice-presidential candidate who just had her Yahoo e-mail hacked, would agree.

But as the Palin episode shows, the weak link isn't the passwords themselves but those security questions you have to answer in case you forget the passwords. You know the drill. You set up an online checking account and answer questions about your high school mascot, the street you grew up on, and the name of your dog, which supposedly only you can answer. It's all safe as long as crooks don't have the answers, which now - thanks to blogs, Facebook, Twitter, and every other public forum people use to put every last detail of their lives online - they do.

Herbert Thompson says all he needs to break into a bank account is a person's name and place of employment - and about an hour, give or take. Thompson, of New York City consulting firm People Security, certainly knows more about hacking than your average Joe, but says that he - or an actual crook - doesn't need any special tricks, just patience and a facility with Google (GOOG, Fortune 500).

"Having the answer to biographical questions has quickly become the keys to the online kingdom," Thompson says. That is how the bad guys got into Palin's e-mail. Further proof of the value of this information, he points out, is that the black-market price of a set of answers to typical security questions for an individual is eight to ten times the price of a password. Passwords can change; basic facts of your identity generally don't.

If you have ever had someone successfully "phish" your bank account, you know what the cost is personally. But for the banks and merchants who are usually left holding the bag when an account is stolen, the loss is compounded.

Companies don't divulge what they spend on preventing such fraud, but the market for "identity-proofing" services is "safely in the billions," says Avivah Litan, a security analyst with research firm Gartner. "So you can imagine what is at stake, and these kinds of attacks are getting more widespread and increasingly sophisticated."

Is there a way to plug the security hole? Quite possibly. In Palo Alto, another security expert, Markus Jakobsson, is preparing to launch a new kind of security-question system. Dubbed Blue Moon Authentication, the application relies on preferences rather than discrete factual - and thus extremely Google-able - tidbits about you. With Jakobsson's approach, users are asked to answer whether they like or dislike, say, Chinese food, heavy-metal music, garage sales, tattoos, or cats.

"It's easy for you to remember whether you like Chinese food and dislike tattoos, because it's part of who you are," says Jakobsson, a principal scientist at the Palo Alto Research Center. "But it would be very hard for a random person to guess enough of the answers correctly to gain access to a password reset."

If a bank were to adopt a Blue Moon security system, customers would have to submit to a battery of questions about their tastes and preferences. (It's a pain - but presumably less painful than being robbed.) Anyone trying to get into an account without a password would have to answer a series of questions about preference. Getting 11 out of 16 correct, Jakobsson says, proves with 99.5% accuracy that people are who they say they are.
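An added example, not part of the original article and not Blue Moon's own scoring method: a binomial model of an "at least 11 of 16" threshold, showing how the false-accept and false-reject rates move with the threshold and with how guessable each answer is. It assumes every question is a binary like/dislike answered independently and weighted equally; the per-question probabilities and the function names are illustrative assumptions.

```python
from math import comb

QUESTIONS = 16   # number of preference questions, from the article
THRESHOLD = 11   # correct answers required, from the article


def tail(n, k, p):
    """P[X >= k] for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def false_accept(p_guess, n=QUESTIONS, k=THRESHOLD):
    """Chance an impostor passes when each answer is guessed right with p_guess."""
    return tail(n, k, p_guess)


def false_reject(p_recall, n=QUESTIONS, k=THRESHOLD):
    """Chance the real user fails when each answer is reproduced with p_recall."""
    return 1.0 - tail(n, k, p_recall)


def min_threshold(p_guess, target_far, n=QUESTIONS):
    """Smallest k whose false-accept rate is at or below target_far, else None."""
    for k in range(n + 1):
        if tail(n, k, p_guess) <= target_far:
            return k
    return None


if __name__ == "__main__":
    # Assumed scenarios: a blind coin-flip guesser, and someone who knows
    # the account holder well enough to get 70% of the answers right.
    for label, p in (("blind guess", 0.5), ("knows the user", 0.7)):
        print(f"{label:15s} p={p:.1f}  false accept = {false_accept(p):.4f}")
    # Assumed: the real user reproduces 90% of their enrolled answers.
    print(f"real user       p=0.9  false reject = {false_reject(0.9):.4f}")
    print("threshold for <=0.5% false accepts vs blind guessing:",
          min_threshold(0.5, 0.005))
```

Under these assumptions the result is driven by the per-question guess probability, so questions whose answers are skewed or predictable from a public profile weaken the threshold in the same way biographical questions do.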

Whether that claim proves true should be known soon. Jakobsson is trying to license the technology to companies that will build and ultimately manage the security system. He's in the throes of hammering out a contract with an "Internet company that practically everyone online in the country has an account with," he says. He won't give the company's name, but sources say it's probably eBay. Neither Jakobsson nor eBay (EBAY, Fortune 500) would comment, but word is that by March or April, eBay users and, perhaps more specifically, eBay's PayPal customers, will have the choice of using Blue Moon as the mode to identify themselves and protect their passwords.

"Will the bad guys adapt to the stuff that Jakobsson is proposing?" asks Herbert Thompson, who's a Blue Moon fan. "They will try, and they have huge resources to throw at it. But when it's compared to finding out the name of a dog, it would be a huge step forward from where we are now."
