By Bill Pytlovany
My mother's maiden name was Sullivan, my first pet was named Snoopy, my father's middle name was Joseph and I was born in Schenectady, NY. I can tell you this because I would never use real answers to any so-called security questions. While they're handy when you forget your password, they're also the easiest way to have your password reset and stolen.
Yes, companies still use these questions, whose answers are publicly available, and having numbers, letters and special characters in your password won't help you. The truth is that programs that keep trying different word combinations are obsolete. Your password will most likely be incorrectly stored and stolen by someone you do business with, or figured out using the data behind the password security or "challenge" question.
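The point above is that the reset path is only as strong as its weakest link: a random 12-character password is worth nothing if the "challenge" answer is a fact anyone can look up. The following is an added example (not Bill's code) that makes the comparison concrete and shows the mitigation he describes, a made-up answer generated from a CSPRNG and kept in a password manager. The short wordlist and the list of "public facts" are constructed for illustration; the function names are my own.

```python
import math
import secrets

# Constructed wordlist for illustration only. A real deployment would use a
# large published list (a diceware-style list of several thousand words).
WORDLIST = [
    "anchor", "basil", "copper", "dune", "ember", "fjord", "granite", "harbor",
    "iris", "juniper", "kelp", "lantern", "meadow", "nickel", "orbit", "pepper",
]

# Constructed sample: facts about a user that are trivially discoverable online
# (the kind of thing the post says appears on Facebook or in a school yearbook).
PUBLIC_FACTS = ["Sullivan", "Snoopy", "Joseph", "Schenectady"]


def entropy_bits(space_size: int) -> float:
    """Bits of entropy in a uniformly random choice from `space_size` options."""
    return math.log2(space_size)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a truly random password of `length` symbols drawn from `alphabet_size`."""
    return length * entropy_bits(alphabet_size)


def answer_entropy_bits(words: int, wordlist=WORDLIST) -> float:
    """Entropy of a random `words`-word answer drawn from `wordlist`."""
    return words * entropy_bits(len(wordlist))


def random_answer(words: int = 4, wordlist=WORDLIST) -> str:
    """Generate an unguessable 'security question' answer using the secrets CSPRNG.

    The answer has nothing to do with the question; it is stored in a password
    manager next to the account, exactly like a second password.
    """
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def is_weak_answer(answer: str, public_facts=PUBLIC_FACTS) -> bool:
    """A truthful answer that matches a publicly known fact is effectively 0 bits."""
    normalized = answer.strip().lower()
    return normalized in {fact.strip().lower() for fact in public_facts}


def reset_path_strength_bits(password_bits: float, answer_bits: float) -> float:
    """Strength of the whole login + reset path: the attacker takes the cheaper route."""
    return min(password_bits, answer_bits)


if __name__ == "__main__":
    pw_bits = password_entropy_bits(12, 94)          # 12 printable-ASCII characters
    truthful_bits = 0.0 if is_weak_answer("Sullivan") else answer_entropy_bits(1)
    random_bits = answer_entropy_bits(4)
    print(f"password alone:            {pw_bits:.1f} bits")
    print(f"with truthful answer:      {reset_path_strength_bits(pw_bits, truthful_bits):.1f} bits")
    print(f"with random answer:        {reset_path_strength_bits(pw_bits, random_bits):.1f} bits")
    print("example random answer:    ", random_answer())
```

With the 16-word list the random answer is only 16 bits, so the numbers are deliberately small; the shape of the result is what matters, since a publicly known answer drags the whole path to zero no matter how good the password is.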
Remember when Sarah Palin's Email was compromised? It wasn't some brilliant hacker; it was someone who Googled where Palin attended high school.
So are there really companies that still use predictable and lame questions? I won't say who, but the following were actually from a banking site.
And people wonder why I don’t list my birthday on Facebook?
The Results
So what typically happens when someone gets your Email and password?
First, it's usually not personal. Once your Email is compromised, it's entered into an automated program. The program logs in and collects all the names and Email addresses from your contact list. Whether it's on AOL, GMail or Outlook, your address book is easy to access programmatically.
It won't be long before the program works through your contacts and sends them all an Email with either a link to malware or something as benign as an advertisement for Viagra. It could be just an ad, because these guys could be earning a couple of cents for every view. Since it's all automated, it can add up to thousands of Euro a month.
This post is excerpted with Bill’s permission from his blog