Don't let a "stripper name" quiz hand hackers the keys to your financial accounts
  • Malyca@lemmy.zipEnglish
    13·
    17 hours ago

    Did people not know this? I feel like we collectively went through it with the boomers at least twice in the past 20 years.

    • setsubyou@lemmy.worldEnglish
      3·
      14 hours ago

      I always thought security questions were dangerous, but I did in fact not know that quizzes that exploit them exist in the wild.

  • Zwuzelmaus@feddit.orgEnglish
    20·
    1 day ago

    By wrapping standard bank security questions, like your mother’s maiden name, your first pet, or the street you grew up on

    These questions have made me wonder ever since I first saw them. So I want to ask you all:

    Do you take them for serious?

    It seems a cultural difference maybe, but I could never remember what I have answered to one of them. I don’t even know the true answers to most of them, and if I know it, then I would still not want my bank to know it.

    The only way where this kind “security” makes sense to me is when I can freely type in both the question and the answer. Then I choose a question that does not make sense to most other people, only to me personally, and then I won’t ever forget the answer.

    • skaffi@infosec.pubEnglish
      7·
      17 hours ago

      As long as you can choose the answer, you can also choose what the question really is. You can just decide that questions about your mum’s maiden name are actually asking you about the last name of the doctor that delivered your first born.

      Or, better yet don’t tie security to personal or externally verifiable information about yourself. In the one or two cases, in recent years, where I’ve had to fill out such (in)security questions, I’ve just treated them as additional password fields, where I just create additional fields for them in my password manager, and generate long, random responses as their correct answers. Why yes, my mother’s maiden name is Correct7Horse@Battery!Staple, why do you ask?

      • setVeryLoud(true);@lemmy.caEnglish
        2·
        3 hours ago

        I once did that, and had to spell out a 32 character alphanumeric password with special characters over the phone lol

      • Zwuzelmaus@feddit.orgEnglish
        1·
        14 hours ago

        additional password fields, where I just create additional fields for them in my password manager, and generate long, random responses

        Such hassle…
        I guess it means yes, you take that stuff for serious.

    • teyrnon@sh.itjust.worksEnglish
      11·
      20 hours ago

      Big tech companies don’t accept security questions to log into email. Like you log in correctly, they do the security questions, make you answer them correctly, then still don’t let you in unless you link a phone number, even if you never gave them one and never agreed to.