Posted on April 26th, 2018
During my live Cyber Keynotes, I discuss the ways that I would steal your online accounts, identify your recycled passwords, and craft and spoof unique phishing emails to infect your company’s network. Many of my audiences assume that all “hacking” occurs through large servers and hidden firewalls. In reality, I would prefer to attack you the easiest way possible. One abundant option is to use the public information you share on social networks against you. Consider the following selection of “security questions” required in order to create an Apple account.
The idea is that you choose a question, provide the answer to Apple, and then confirm that answer if you ever get locked out of your account. The reality is that anyone who can identify these answers online is one step closer to accessing your account. If you choose one of these options and provide a truthful answer, and also happen to be one of the 4 million people who take online quizzes at the Good Old Days Facebook page, I might be able to identify your answers quickly. Below are a handful of recent quizzes where people share some fairly personal details.
If those did not help me, I would look on other Facebook pages to find the following posts where people respond with their personal answers.
The lesson here, which will be obvious to many, is to never provide real information within online security question challenges. When a service forces you to provide your first car, give them an answer completely unrelated to vehicles. Be sure to document this within your password manager.
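One way to put this advice into practice is to treat each security-question answer as just another random secret: generate it, never derive it from anything true about yourself, and file it in the password manager alongside the question it was given for. The script below is an added example, not code from this post or from any password manager; the short word list is constructed for the demonstration (a real list such as a diceware-style list of several thousand words is assumed in production) and the `vault` dictionary stands in for the record you would save in your password manager.

```python
import json
import math
import secrets

# Constructed sample word list (32 entries) for the example only.
# Assumption: a real deployment would load a large diceware-style list
# (e.g. 7776 words) so that a four-word answer has ~51.7 bits of entropy.
WORDLIST = [
    "anchor", "basalt", "cactus", "dune", "ember", "falcon", "granite", "harbor",
    "iris", "juniper", "kelp", "lantern", "marble", "nebula", "orchid", "pebble",
    "quartz", "ripple", "saffron", "tundra", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "amber", "birch", "cobalt", "delta", "echo", "fjord",
]


def random_answer(words: int = 4, wordlist=WORDLIST) -> str:
    """Return a security-question answer made of random words.

    secrets.choice is used rather than random.choice because the answer is a
    credential: it must not be reproducible from a predictable PRNG seed.
    The words are deliberately unrelated to the question being answered.
    """
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(words: int, wordlist_size: int) -> float:
    """Guessing entropy of an answer built from `words` uniform picks."""
    return words * math.log2(wordlist_size)


def record_answer(vault: dict, service: str, question: str, answer: str) -> dict:
    """Store the (service, question, answer) triple so it can be found later.

    The question text is stored verbatim: when the site later asks
    "What was your first pet's name?", you look up that exact string.
    """
    vault.setdefault(service, {})[question] = answer
    return vault


def build_vault(service: str, questions, words: int = 4) -> dict:
    """Generate and record a fresh random answer for every question asked."""
    vault = {}
    for q in questions:
        record_answer(vault, service, q, random_answer(words))
    return vault


if __name__ == "__main__":
    questions = [
        "What was your first pet's name?",
        "What was the model of your first car?",
    ]
    vault = build_vault("example-account", questions)
    print(json.dumps(vault, indent=2))
    print(f"{entropy_bits(4, len(WORDLIST)):.1f} bits with the sample list, "
          f"{entropy_bits(4, 7776):.1f} bits with a 7776-word list")
```

Because the answers are random words, nothing in a "first pet" quiz post or a "first car" thread helps an attacker reconstruct them, and the password manager entry is the only place the mapping exists.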
On the OSINT side, we can get a bit creepy with the following searches on Facebook. The first identifies every user that has “liked” the Good Old Days Facebook page:
Next, we can isolate our query to display comments where a person replied “German shepherd” on a post from this same Facebook page:
The results include the following redacted post in response to “What was your first pet’s name?”
On the defense side, please revisit your security questions within your important online accounts. If the answers match the questions, and the details could be found online, change them immediately. On the offense side of the house, these online posts can provide valuable data for your investigations.