On the Internet, everybody knows your dog's name
In the Facebook era, it's easier than ever for thieves to hack into your online accounts. One way to protect yourself: Secure security questions.
(Fortune Magazine) -- If you suspected there were some security holes in all your password-protected online accounts - banking, e-mail, etc. - you would be right. And Sarah Palin, the Republican vice-presidential candidate who just had her Yahoo e-mail hacked, would agree.
But as the Palin episode shows, the weak link isn't the passwords themselves but those security questions you have to answer in case you forget the passwords. You know the drill. You set up an online checking account and answer questions about your high school mascot, the street you grew up on, and the name of your dog, which supposedly only you can answer. It's all safe as long as crooks don't have the answers, which now - thanks to blogs, Facebook, Twitter, and every other public forum people use to put every last detail of their lives online - they do.
Herbert Thompson says all he needs to break into a bank account is a person's name and place of employment - and about an hour, give or take. Thompson, of New York City consulting firm People Security, certainly knows more about hacking than your average Joe, but says that he - or an actual crook - doesn't need any special tricks, just patience and a facility with Google (GOOG, Fortune 500).
"Having the answer to biographical questions has quickly become the keys to the online kingdom," Thompson says. That is how the bad guys got into Palin's e-mail. Further proof of the value of this information, he points out, is that the black-market price of a set of answers to typical security questions for an individual is eight to ten times the price of a password. Passwords can change; basic facts of your identity generally don't.
If you have ever had someone successfully "phish" your bank account, you know what the cost is personally. But for the banks and merchants who are usually left holding the bag when an account is stolen, the loss is compounded.
Companies don't divulge what they spend on preventing such fraud, but the market for "identity-proofing" services is "safely in the billions," says Avivah Litan, a security analyst with research firm Gartner. "So you can imagine what is at stake, and these kinds of attacks are getting more widespread and increasingly sophisticated."
Is there a way to plug the security hole? Quite possibly. In Palo Alto, another security expert, Markus Jakobsson, is preparing to launch a new kind of security-question system. Dubbed Blue Moon Authentication, the application relies on preferences rather than discrete factual - and thus extremely Google-able - tidbits about you. With Jakobsson's approach, users are asked to answer whether they like or dislike, say, Chinese food, heavy-metal music, garage sales, tattoos, or cats.
"It's easy for you to remember whether you like Chinese food and dislike tattoos, because it's part of who you are," says Jakobsson, a principal scientist at the Palo Alto Research Center. "But it would be very hard for a random person to guess enough of the answers correctly to gain access to a password reset."
If a bank were to adopt a Blue Moon security system, customers would have to submit to a battery of questions about their tastes and preferences. (It's a pain, but presumably less painful than being robbed.) Anyone trying to get into an account without a password would have to answer a series of questions about preference. Getting 11 out of 16 correct, Jakobsson says, proves with 99.5% accuracy that people are who they say they are.
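The "11 out of 16" pass mark is a threshold decision, and the way a defender evaluates such a scheme is to model how often an impostor clears it versus how often the real customer fails it. The following is an added illustration, not code from Blue Moon, Jakobsson or PARC: it assumes a simple binomial model in which each like/dislike question is answered independently, with an assumed per-question success probability for the impostor (`guess_p`) and for the legitimate user (`recall_p`). The specific probabilities used below are constructed for the example; the article does not state how its 99.5% figure was derived.

```python
from fractions import Fraction
from math import comb


def at_least(n: int, threshold: int, p) -> Fraction:
    """P[at least `threshold` of n independent yes/no answers are right]
    when each answer is right with probability p (upper binomial tail).
    Fractions keep the arithmetic exact."""
    p = Fraction(p)
    return sum(comb(n, k) * p**k * (1 - p) ** (n - k)
               for k in range(threshold, n + 1))


def false_accept_rate(n: int, threshold: int, guess_p) -> Fraction:
    """Chance that an impostor who gets each preference question right
    with probability guess_p (an assumed value) still clears the pass mark."""
    return at_least(n, threshold, guess_p)


def false_reject_rate(n: int, threshold: int, recall_p) -> Fraction:
    """Chance that the legitimate user, who answers consistently with
    probability recall_p (an assumed value), falls short of the pass mark."""
    return 1 - at_least(n, threshold, recall_p)


def smallest_threshold(n: int, guess_p, max_far) -> int:
    """Smallest pass mark whose false-accept rate is at most max_far;
    returns n + 1 if no pass mark on n questions achieves it."""
    for t in range(0, n + 1):
        if false_accept_rate(n, t, guess_p) <= Fraction(max_far):
            return t
    return n + 1


if __name__ == "__main__":
    n, threshold = 16, 11  # the figures quoted in the article
    print(f"{n} questions, pass mark {threshold}")
    # Constructed impostor strengths: coin-flip guessing up to a well-informed stalker.
    for guess_p in (0.5, 0.6, 0.7):
        far = false_accept_rate(n, threshold, guess_p)
        print(f"  impostor right {guess_p:.0%} per question -> "
              f"false accept {float(far):.4f}")
    # Constructed user consistency: people's tastes drift, so recall is not 100%.
    for recall_p in (0.9, 0.95):
        frr = false_reject_rate(n, threshold, recall_p)
        print(f"  user consistent {recall_p:.0%} per question -> "
              f"false reject {float(frr):.4f}")
    print("  pass mark for <=0.5% false accept against a coin-flipper:",
          smallest_threshold(n, 0.5, 0.005))
```

The point of the sweep is that the threshold trades two failure modes against each other: raising the pass mark shrinks the impostor's chances but starts locking out real customers whose tastes have changed, and an impostor who knows the person well (higher `guess_p`) erodes the margin quickly. A deployer would choose `n` and the pass mark from these curves rather than from a single headline percentage.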
Whether that claim proves true should be known soon. Jakobsson is trying to license the technology to companies that will build and ultimately manage the security system. He's in the throes of hammering out a contract with an "Internet company that practically everyone online in the country has an account with," he says. He won't give the company's name, but sources say it's probably eBay. Neither Jakobsson nor eBay (EBAY, Fortune 500) would comment, but word is that by March or April, eBay users and, perhaps more specifically, eBay's PayPal customers, will have the choice of using Blue Moon as the mode to identify themselves and protect their passwords.
"Will the bad guys adapt to the stuff that Jakobsson is proposing?" asks Herbert Thompson, who's a Blue Moon fan. "They will try, and they have huge resources to throw at it. But when it's compared to finding out the name of a dog, it would be a huge step forward from where we are now."