Today I'm going to go through my accounts and change the "forgot your password?" security questions for all of them. Why? Because according to the recent findings of Herbert Thompson, the chief security strategist at People Security, if I don't, I'm leaving myself wide open to identity theft.
Thompson performed a test to see if he could break into a casual acquaintance's bank account (with the victim's permission, of course) using only the most basic information about that person that can be found online. Well, he did it, and with very little difficulty.
The main snag Thompson ran into was the bank's password recovery system. When he tried to recover the password for the bank account, the bank sent a confirmation e-mail to the customer's e-mail account, which in this case was Gmail. When Thompson tried to obtain the victim's Gmail password (through the "forgot your password?" feature), Gmail sent its confirmation e-mail to an old college account, but it helpfully told Thompson that account's domain name. When Thompson clicked the "forgot your password?" link on the college account, that system's recovery procedure was to ask for a few quick pieces of personal information, which Thompson easily found on the person's personal blog. That gave Thompson access to the college account, which led to the Gmail account and then to the bank account. Thompson says that the information he found on the person's blog could just as easily have been found through Facebook, Myspace, a friend's or relative's blog, or any number of sources that turn up in a Google search. Each recovery step trusted a weaker one, so the bank account was only as secure as the college account's security questions.
The biggest problem that I see is that people are too honest online. It's not just disclosure in their personal blogs, but in their account recovery questions, too. Most of the time a website will give you a choice of password recovery questions such as "What is your pet's name?" or "What is your mother's maiden name?" Why not throw off any would-be hacker by giving false information? When it asks for your pet's name, give your address, or better yet, your neighbor's address. Since you set your own answer to the security question, nothing stops you from typing in whatever answer you want. Just make sure it's something you can still remember; otherwise you really would be in trouble.