Text By C. Scott Wyatt
Bet you can’t recall your first car! Remember where you and your partner had your first kiss? How cool was your school mascot? Which movie have you watched at least 10 times? Tell us about your favorite childhood pet.
The questions are posted on Facebook by radio stations to which you never listened. In reality, these posts are often fake, generated by hackers.
Some of the question memes on social media obviously target common passwords and security questions. Others are creatively worded to mask their intentions.
And then there are questions that take social engineering to its highest level, asking people to tell stories and share opinions of the kind we naturally want to share with friends and family.
Social engineering relies on our fears, desires and social impulses to gather information. As a security expert observed years ago, hacking and marketing aren’t that different.
Many online services ask security questions when you create or update online accounts. Back in the 1980s and ’90s, before we posted volumes about ourselves on social media, these questions worked fairly well for identity verification.
One security question might be easy for hackers to answer, but three questions presented a challenge. Who would know your mother’s maiden name, father’s place of birth and your high school team mascot?
Earlier this year, LinkedIn had most of its user profile information stolen. Although passwords were not accessed, hackers quickly used the data from accounts to create data-informed access scripts.
Our social media accounts, particularly Facebook and LinkedIn, contain the types of information used to create memorable passwords. For too long, I created passwords that I could easily recall and fell into the same patterns as most people.
Believe it or not, researchers found that the top 10 passwords were variations of “password” and numbers entered in order. Mark Burnett, founder of XATO Information Security, analyzed 10 million hacked passwords, expecting to find patterns. Instead, he found millions of accounts that used “password1234.”
The more complex password patterns Burnett’s research identified included favorite sports, favorite fictional characters, spouse names, anniversaries, graduation years, pet names, vacation places and other personal trivia. Yes, “football” followed by a team name was in the top 50 patterns.
So were variations of Jennifer, Superman and Harry Potter.
Reflect on your own password choices. Are they combinations of data that you’re sharing on social media? Are you giving away the keys to your online accounts?
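One way to answer that question for yourself, as an added example written for this page rather than code from the columnist: the Python below checks a candidate password against a constructed profile of the trivia the column lists (pet, team, spouse, graduation year, first car), undoes the common letter-for-digit substitutions, and flags the “password” family and ascending digit runs Burnett found. The profile values and the substitution map are assumptions, not real data.

```python
import re

# Constructed profile, standing in for the trivia the column says people post
# on social media (hypothetical values, not anyone's real data).
PROFILE = {
    "pet": "Rex",
    "team": "Wildcats",
    "spouse": "Jennifer",
    "grad_year": "1998",
    "first_car": "Mustang",
}

# Common character substitutions that do not add real strength (assumed map).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(s):
    """Lower-case and drop separators so 'Wild-Cats_98' and 'wildcats98' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def profile_overlap(password, profile=PROFILE):
    """Return the profile fields whose value appears in the password, with or
    without leetspeak undone (values shorter than 3 chars are ignored as noise)."""
    forms = {normalize(password), normalize(password.translate(LEET))}
    return [field for field, value in profile.items()
            if len(normalize(value)) >= 3
            and any(normalize(value) in f for f in forms)]


def is_common_pattern(password):
    """Flag the 'password' family and ascending digit runs the column cites."""
    if "password" in normalize(password.translate(LEET)):
        return True
    digits = re.sub(r"\D", "", password)
    return len(digits) >= 4 and digits in "0123456789"


def assess(password, profile=PROFILE):
    """Summarize why a password is guessable from public trivia, if it is."""
    overlap = profile_overlap(password, profile)
    common = is_common_pattern(password)
    return {"overlap": overlap, "common": common,
            "guessable": common or bool(overlap)}


if __name__ == "__main__":
    for pw in ["Rex1998!", "W1ldc@ts", "password1234", "x7Qv#mL2pR9tBz"]:
        print(pw, assess(pw))
```

A password that scores “guessable” here is exactly the kind a quiz post on social media helps an attacker reconstruct; a long, randomly generated one does not match any field.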
If you’re not using two-factor authentication for your accounts, activate it now. This process uses your smartphone to verify your identity, instead of simple security questions. Also, don’t rely on simple passwords. Use the auto-generated passwords created by Apple, Microsoft and Google.
What seems like a fun game can soon lead to a stolen identity. Don’t fall for the social engineering tricks.