|Volume 9 Issue 7
|Hackers Can Break Into Your Online Accounts *Without* Guessing Your Password! Use This Simple Tip to Protect Your Email and Other Accounts
The problem: The answers to your Security Questions are probably not secure
You're on a website for your email, or a shopping or cloud storage account. You're trying to sign in, but you can't remember the right password. You click the "Forgot your password?" link, and type in the answer to a "secret question" or two (which you provided when you created the account long ago). Then you can set a new account password, and you're in!
Unfortunately, a thief or hacker can break into your account in exactly the same way. All they typically need is your email address plus enough information about you to answer your secret question, and then they can set a new password on your account. This not only gets them into your account (without having to steal or guess your password), it also locks you out!
In other words, depending on the account, the answers to your Security Questions can act like alternate passwords, giving a hacker a much easier way to break in than trying to guess or steal your regular password. And the bad news is that hackers may be able to find many of your answers online.
The simple solution: "Fictionalize" the answers to your Security Questions
How can you prevent this particular vulnerability from being exploited?
Some online accounts don't use Security Questions at all, so this technique doesn't work everywhere.
How do hackers find my answers?
You might think that the answers to your particular security questions could never be found online, but you would be surprised how much information is available about you. You may have posted some of it a long time ago (and no longer remember), and your friends and colleagues may have posted things about you without your knowing.
You might also think that some Security Questions are simply not vulnerable to research, like your favorite color or type of food. That may be true, but you might be surprised how ordinary your answers to such questions may be, and how easily they can be guessed (blue? Italian?).
Some of your personal information (your address, phone, birthdate, Social Security number, parents, children, roommates, medical information, etc.) is already easily found online. Google your name (or "buy social security numbers") and you'll see.
And then there's "social media." Facebook, Twitter, and LinkedIn are just some of the most popular sites. Your own profiles, articles you've written (or that others have written about you or your family or company), photos of you with family or at events you enjoy posted by you (or by other people), and class reunion records are just the beginning of online places that reveal information about you.
The key to this "fictionalization" technique is not to worry about the information about you that's out there on the internet. Instead, by removing it from your security answers and replacing it with nonsense, you can render it useless so it can't be used against you in this particular way.
Hacking into your accounts can be like a falling row of dominoes
One clever approach a hacker can take is to first break into your email account, and then use it to help them break into your other online accounts.
To break into your email account, often all a hacker needs is your email address and some information to help them answer one or two of your security questions. If that works, they can change your email password and gain access to your account.
Now they can break into many other online accounts you use, because when you click "Forgot my password":
In an unscientific survey of a number of popular online email and shopping and storage sites I conducted (which I won't list for security reasons), I found that most fell into one of the two categories above.
The good news is that the bank and credit card and investment/retirement sites I tested required more extensive information, including your SSN, account number, birthdate, etc. The bad news is that a determined and resourceful thief could probably answer those questions as well.
Where to go from here
How to contact me:
phone: (617) 484-6657
On a regular basis I write about real issues faced by typical computer users. To subscribe to this newsletter, please send an email to firstname.lastname@example.org and I'll add you to the list, or visit http://www.kadansky.com/newsletter
Did you miss a previous issue? You can find it in my newsletter archive: http://www.kadansky.com/newsletter
Your privacy is important to me. I do not share my newsletter mailing list with anyone else, nor do I rent it out.
Copyright (C) 2015 Kadansky Consulting, Inc. All rights reserved.
I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets.