Are Security Questions Secure?

Introduction

Over the past decade, if you've ever created an online account, you've probably encountered security questions like "What is your date of birth?" or similar queries. This type of verification is used for online banking, email services, government and healthcare portals, and subscription services, amongst others. But how secure are these questions? Unless you've been living under a rock or come from a remote island untouched by technology, your personal information likely resides on the internet or in public records. This is where OSINT (open-source intelligence) comes into play, simplifying the process of finding answers to your security questions. So, how exactly does OSINT operate?

What are the steps of the OSINT process?

The first step in OSINT involves identifying a target, gathering basic information, and determining if the intended target has a social media presence. Additionally, investigators might inquire about the target's assets, such as cars or houses. Subsequently, the next step would be to make a fake account to look through ALL the target's social media posts, what friends the target has, and what communities they are a part of. Furthermore, research through public records, including housing, police, court, business/corporate, voting registration, licenses/permits, and public health records, for more information about the target. Even seemingly innocuous posts, like a picture taken outdoors, may contain clues that allow people to pinpoint the individual's location based on the sun's position, native plants, or recognizable landmarks like cell towers. With this information, people can triangulate where they are in the photo.

How does ThreatLocker employees fair against OSINT

To put OSINT to the test, an experiment was conducted with ThreatLocker employees. The results are as follows:

Questions that are easy to find:

• What year was your father (or mother) born?
• What is your mother's maiden name?
• What year was your father (or mother) born?
• What is your father's middle name?

Questions that can be found with a few guesses:

• In what city were you born?
• What is the name of your oldest cousin?
• What is the name of your first school?
• What is the name of the street you grew up on?
• What was the name of your elementary school?
• What high school did you attend?

Questions that could not be found:

• What was the make of your first car?
• What was your favorite food as a child?
• Where did you meet your spouse?
• What is your favorite movie?
• What is your favorite sports team?
• What is your favorite holiday destination?
• What is the brand of your first car?
• What is the name of your favorite childhood friend?
• What was the name of your first teacher?
• What is the name of your favorite pet?

How to mitigate OSINT

Government documents are nearly unavoidable unless you plan to live completely off the grid. However, you can minimize the impact of OSINT by refraining from sharing personal information on social media or changing your account settings to private.

How to improve security questions

As the future of security questions remains uncertain, individuals may wonder how to enhance the security of their chosen questions. To achieve this, people should steer clear of common questions, consider crafting their own unique questions (if permitted by the website), ensure that answers are complex and randomized, opt for questions not found on their social media profiles, and employ fictitious information for responses. The primary challenge lies in remembering these actions when needed. However, individuals can securely store these answers in a password-protected vault, such as Nordpass, Dashlane, or similar services.

‍