Security questions, secret questions and password reset questions. As the Swedish saying goes, “A dear child has many names.” You are probably familiar with the concept of security questions and have stumbled across it when using various online services. Answering questions about your mother’s middle name and the street you grew up on is sometimes part of the password reset process. What if you happen to live in a country like Sweden, where this type of information is public? We have taken a closer look at security questions and what happens when they are used in different countries with different approaches to public information.
Taking over a PayPal account
The concept of security questions has been questioned for a long time. Let’s start with this video just to demonstrate how easy it is to fully take over a PayPal account in under a minute. Note that two-factor authentication (2FA) was enabled for the account.
The account was set up in Swedish, which is why the security questions are also in Swedish (the first question is “What was the name of your first school?” and the second is “What is your mother’s maiden name?”).
I set up the PayPal account when I was eight years old, buying toys from the Swedish equivalent to eBay. Security was not high up on my priority list and the security questions in the video are exactly the same as when I first signed up. I later enabled 2FA and changed the password, but had forgotten about the security questions. I doubt I am the only one guilty of this.
Sidenote: PayPal does notify you by email when you reset the password, but not when 2FA is bypassed.
In the video, after resetting the password, I am not prompted to change the security questions. I proceeded to reset my own account four times within 15 minutes without any hiccups.
This is not an issue limited to PayPal in any way, and it’s actually more of an introduction to this article than the point itself.
When US services go international
This is old news, everyone knows security questions are bad. If you have not tried to reset your own account yet (I totally recommend that you do!) you might not understand just how frightening it is, but you have probably heard others complain about security questions before.
However, the more specific issue we wanted to bring up here is what happens when a US-based service expands globally. Sweden (where Detectify is based) is just one of many countries where the approach to privacy and information is fundamentally different from that in the US. Data points that a US developer believes are only known to the actual user are not necessarily as private in other countries.
In the US, you would never use your phone number as a security question because anyone could look it up. However, you would have no problem using the SSN as a security question. Anyone who knows the SSN must surely be the legitimate user!
Secret security questions are not secret everywhere
When a service expands to a country like Sweden, things become a lot more complicated. In Sweden, it is often easier to find a personal identity number than a phone number, so using the former in a security question is not a good idea.
There’s more. In Sweden, everyone’s home address is publicly available and so cannot be used in security questions. Until 2014 all driver’s license numbers, passport photos and signatures were public. Your yearly income? Still available. Car plate? Not a problem.
The only reason I know that these things are public in Sweden is because I live here. However, I have no idea what information is considered public in Russia or some other country, and neither does the average developer. The point I am trying to make is just how hard it is to understand what kind of questions you can use in different countries when you decide to expand internationally. And well, this is the internet – you are international as soon as you launch your service.
Putting security questions to the test
Companies known for working with security no longer use security questions to reset accounts. This includes, for example, Facebook, Google and Microsoft. There are, however, a lot of other companies out there…
Going through all the possible security questions on PayPal shows that only three of them use information that is not considered public by Swedish law.
Funnily enough, eBay (which owned PayPal for a long time) has chosen a different approach. An example of their questions is: First three words of your favorite quote? This is of course much more secure, but it isn’t very practical. If you reset your account ten years after first signing up for it, would you still remember what your favorite quote was at the time? I am not sure most people would. I ran into this exact problem with Skype while writing this post and trying to reset most of my accounts; their question was Who is your favorite historical figure? and as that account was set up around the same time as my PayPal account, I had no idea. In this case, the constant compromise between security and usability resulted in something that is neither secure nor easy to use.
At Amazon I failed to find any security questions in the profile settings, so I gave customer service a try instead. They quickly responded, but what they told me was not what I had expected.
It should be noted I never saw any security questions when actually trying to reset my account, so it is possible (and I hope) the support clerk was misinformed and this is just something they no longer use.
At Alibaba, the information in just three of the 13 questions is not public in Sweden. At first I suspected this to be due to cultural differences (what information you consider private), but I am quite sure one’s birthday is not impossible to find out in China either.
We could continue listing sites, but a pattern has already emerged. This post serves mostly as food for thought. The nature of the information in security questions is clearly worth discussing, even though the year is 2017.
Mitigation
After recognizing the problem, how do we fix it?
By the user
The first thing is to try to reset your own accounts! Open up an incognito tab and go through the process for the most important sites. Make sure to enable 2FA when possible. Some services, Skype being one, actually disable security questions when 2FA is enabled and the 2FA in itself is perhaps even more important.
The general recommendation is to enter random answers to all security questions when signing up for new services, but with some reservation. It can be a good idea to generate pronounceable security answers, even real words if possible. The scenario below is way too common:
*on the phone with support*
Support: So what is your answer to the security questions?
You: Oh, I just smashed my keyboard. It is just random characters.
Support: Haha, yeah I can see that. I have now reset your account.
Most password managers are able to save notes for a site in addition to passwords, so I recommend saving the answers to the security questions there.
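The two recommendations above (random answers that a support clerk can still read back, stored in the password manager) can be turned into a small generator. The following is an added example written for this post, not a Detectify tool: it draws answers from the OS CSPRNG via the `secrets` module, in either a consonant-vowel form that is easy to say on the phone or a word form drawn from a small constructed 32-word list (a real deployment would use a long published word list), and reports how many bits of entropy each form carries.

```python
import math
import secrets

CONSONANTS = "bcdfghjklmnprstvwz"   # 18 letters; q, x and y left out so every pair reads naturally
VOWELS = "aeiou"                    # 5 letters

# Constructed 32-word list (2^5 entries, so each word adds exactly 5 bits).
# A real deployment would use a long published list such as the EFF diceware lists.
WORDS = [
    "anvil", "birch", "cobalt", "dune", "ember", "fjord", "gravel", "harbor",
    "ivory", "juniper", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umber", "velvet", "walnut", "yarrow",
    "zephyr", "acorn", "bramble", "cinder", "drift", "eagle", "falcon", "glacier",
]


def pronounceable_answer(syllables: int = 6) -> str:
    """Random consonant-vowel syllables, e.g. 'tuvokalemiwa'.

    Drawn with the OS CSPRNG via `secrets`, so the answer has no relation to
    any fact about the user, yet it can be read out letter by letter over the phone."""
    return "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(syllables))


def word_answer(count: int = 4) -> str:
    """Random words separated by spaces, e.g. 'ember walnut orbit fjord'."""
    return " ".join(secrets.choice(WORDS) for _ in range(count))


def is_pronounceable(answer: str) -> bool:
    """True when the answer consists only of consonant-vowel pairs from the alphabets above."""
    if not answer or len(answer) % 2 != 0:
        return False
    return all(answer[i] in CONSONANTS and answer[i + 1] in VOWELS
               for i in range(0, len(answer), 2))


def syllable_entropy_bits(syllables: int) -> float:
    """Each syllable is one of 18 * 5 = 90 equally likely pairs."""
    return syllables * math.log2(len(CONSONANTS) * len(VOWELS))


def word_entropy_bits(count: int) -> float:
    """Each word is one of len(WORDS) equally likely choices."""
    return count * math.log2(len(WORDS))


if __name__ == "__main__":
    # Labels only: these are the note fields you would paste into the password manager.
    for site in ("paypal", "skype", "alibaba"):
        print(f"{site}: {pronounceable_answer()}  ({syllable_entropy_bits(6):.1f} bits)")
        print(f"{site}: {word_answer()}  ({word_entropy_bits(4):.1f} bits)")
```

Six syllables give just under 39 bits and four words from this tiny list give 20 bits; both are far beyond what any guessable personal fact offers, and neither is what a support clerk will dismiss as keyboard smashing. Keep the generated answer in the password manager's note field for the site, since it is meant to be looked up, not remembered.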
By the website owner
Few ways of verifying a user are worse than security questions. Instead, send a password reset link over email or SMS; that is the most common and most reasonable approach.
Take inspiration from other services and note how they handle the reset process – you will probably discover a few things you can use instead of security questions.
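A reset flow built on an emailed link is small enough to show in full. The following is an added example written for this post, not code from PayPal, eBay or any service named above; the in-memory `ResetStore`, the 15-minute lifetime and the notification list are all constructed stand-ins for a database, a policy value and an email sender. The link token is 256 random bits, only its hash is stored, it expires, it is single-use, a newer request supersedes an older one, the user is notified both when a reset is requested and when it completes, and, unlike the PayPal flow in the video, any stored security-question answers are cleared when the password changes.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

RESET_TTL_SECONDS = 15 * 60   # constructed policy value: a link is valid for 15 minutes


@dataclass
class User:
    salt: bytes
    password_hash: bytes
    security_answers: dict = field(default_factory=dict)


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


@dataclass
class ResetStore:
    """Hypothetical in-memory store standing in for the users table, the reset table and the mailer."""
    users: dict = field(default_factory=dict)          # user_id -> User
    records: dict = field(default_factory=dict)        # sha256(token) -> ResetRecord
    notifications: list = field(default_factory=list)  # (user_id, message) that would be emailed


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def _hash_token(token: str) -> bytes:
    # Only the hash is persisted: a copied reset table yields no usable links.
    return hashlib.sha256(token.encode("ascii")).digest()


def issue_reset_token(store: ResetStore, user_id: str, now: Optional[float] = None) -> str:
    """Create a reset link token for user_id and return it for inclusion in the email."""
    now = time.time() if now is None else now
    # Only one outstanding link per user: earlier ones are retired.
    for rec in store.records.values():
        if rec.user_id == user_id:
            rec.used = True
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    store.records[_hash_token(token)] = ResetRecord(user_id, now + RESET_TTL_SECONDS)
    store.notifications.append((user_id, "password reset requested"))
    return token


def complete_reset(store: ResetStore, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Redeem a token and set a new password. Unknown, used and expired tokens all fail alike."""
    now = time.time() if now is None else now
    rec = store.records.get(_hash_token(token))
    if rec is None or rec.used or now > rec.expires_at:
        return False
    rec.used = True                              # single use, even if the new password is weak
    user = store.users[rec.user_id]
    user.salt = secrets.token_bytes(16)
    user.password_hash = hash_password(new_password, user.salt)
    user.security_answers.clear()                # stale answers do not survive a reset
    store.notifications.append((rec.user_id, "password changed"))
    return True


def verify_password(store: ResetStore, user_id: str, password: str) -> bool:
    user = store.users.get(user_id)
    if user is None:
        return False
    return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))


if __name__ == "__main__":
    store = ResetStore()
    salt = secrets.token_bytes(16)
    store.users["alice"] = User(salt, hash_password("old-password", salt),
                                {"first school": "constructed answer"})
    link_token = issue_reset_token(store, "alice")
    print("reset ok:", complete_reset(store, link_token, "new-password"))
    print("second use ok:", complete_reset(store, link_token, "another"))
    print("answers left:", store.users["alice"].security_answers)
    print("mail:", store.notifications)
```

The three failure cases (unknown, already used, expired) return the same `False` so the response does not tell a caller which one applied, and the notification on completion is what lets a legitimate owner notice a reset they did not request.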
Creds
Thanks to Frans Rosén for brainstorming and to Naffy for initially bringing it up.