The insecurity of security questions
April 20, 2012
This morning I discovered that one of my favourite bands had released a new album. As a loyal fan looking for some new music to listen to on a Friday in the office, I promptly clicked “Buy Album”.
Normally at this point the album will begin downloading, and thanks to the 100Mbps connection to my desk I’d typically be listening to the album in a minute or two.
Today this was not to be. Instead of my download beginning, a dialog box appeared with the text “To help ensure the security of your Apple ID, you must confirm your password and answer your security questions.”
I was puzzled as I already had a custom security question set on my account in the form of challenge-response. This type of security method is where I set my own question, and then respond with the appropriate answer that’s known only to me (and can be unique for each site).
Apparently this is no longer adequate for Apple, and I’m now being forced to enter three answers from their predetermined list of questions. Questions that if you know me, or even spend some time stalking me on social media you could probably figure out.
Let’s have a look at these questions and why they’re bad.
Answer #1 requires you to select an answer from one of the following questions:
- What was the first car you owned?
- Who was your first teacher?
- What was the first album you owned?
- Where was your first job?
- In which city were you first kissed?
Answer #2 requires you to select an answer from one of the following questions:
- Which of the cars you’ve owned has been your favourite?
- Who was your favourite teacher?
- What was the first concert you attended?
- Where was your favourite job?
- Who was your best childhood friend?
Answer #3 requires you to select an answer from one of the following questions:
- Which of the cars you’ve owned has been your least favourite?
- Who was your least favourite teacher?
- Where was your least favourite job?
- In which city did your mother and father meet?
- Where were you on January 1, 2000?
Why they’re bad
If you’ve used a social network like Facebook or MySpace you’ve no doubt seen those “fun” questionnaires that get passed around between friends. They contain questions like “What was the first car you owned?” and “Who was your favourite teacher?”. Guess what? Every single one of Apple’s “security questions” I have seen on social network questionnaires over the years.
I’ve never answered one, but I know plenty of people who have. If they use iTunes and in all likelyhood they do if they have an iPod, an iPhone or similar then they’re going to be vulnerable when Apple forces them to enter these insecurity questions.
Let’s look at some of the other questions. The first question from each list pertains to a car that I’ve owned, except I’ve never owned a car as I live in the city. This immediately excludes this as a possible answer for me.
Other questions ask “in which city were you first kissed”, along with the city where my parents met and where I was on January 1, 2000. It’s not hard to figure out that I was born in Sydney, I grew up in Sydney and I live in Sydney. Could it be possible that the answer to all three of these questions is “Sydney”? Great, these questions are also excluded and even if they weren’t, Apple doesn’t allow the same answer more than once.
We can exclude questions about teachers. I finished school quite some time ago, and don’t remember my first teacher’s name. The same applies to my favourite and least favourite teachers.
Now let’s move to questions about jobs. Many people include their entire work history on sites like Facebook, and to some extent LinkedIn. How do you figure out a least favourite job? Well, looking at a person’s tenure might be a good start. Skip.
That leaves two questions out of the 15 we started with. “What was the first concert you attended?”, and “what was the first album you owned?”. I absolutely love music, and own a lot of albums. I’ve been to plenty of concerts too both as an adult and when I was younger.
And that’s it. It’s not possible for me to answer Apple’s security questions.
How have I overcome this?
I went back to my original challenge-response authentication approach where I would usually set the question and the answer. Except in this case I selected three random questions out of the predefined questions, and entered seemingly random responses.
These responses are as good as a password and have no correlation to the original questions at all.
What should companies do?
Even if a company insists on having one or more security answers, the questions and answers should always be able to be specified by the customer or user.
If someone insists on using an insecure set of questions then that’s their prerogative and is no more secure than where we are now.
It does however allow a user who is more security minded to ensure that their account is indeed secure.
I leave you with a security question that I use elsewhere:
What is passphrase 284?
I can guarantee you won’t find that on Facebook, LinkedIn, or my resumé.