Who protects us from our protectors?

Sarah Palin’s email account was “hacked” when some kid reset her password.   All it took was correctly answering a challenge question, one that a trivial amount of research turned up.

Challenge questions are not there to make your account more secure – they are there to save the email provider from employing humans to reset passwords.

Apple has just released a new free Podcast app I want to install.   It now refuses to install the app until I set up password reset challenge questions.

Ok fine.  But like the stupid things many banks do, they don’t just suggest questions – they force you to answer their list of questions, which also weakens the security of any other account that relies on the same or similar questions.

The purpose of an iTunes account is that it is where you buy songs and apps.  It’s connected to your bank account, so your children playing innocent-looking games can loot it buying clothes and pink unicorns in some make-believe world.

Here is the list of questions Apple forces you to answer.  How many of these could your parents, siblings or children answer?

  •  Group 1
    • What was the first car you owned?
    • Who was your first teacher?
    • What was the first album you owned?
    • Where was your first job?
    • What was your childhood nickname?
  • Group 2
    • Which of the cars you’ve owned has been your favorite?
    • Who was your favorite teacher?
    • What was the first concert you attended?
    • Where was your favorite job?
    • Who was your best childhood friend?
  • Group 3
    • Which of the cars you’ve owned has been your least favorite?
    • Where did you and your partner *cough* go on your first trip together?
    • Where was your least favorite job?
    • In which city did your mother and father meet?
    • Where were you on January 1, 2000?

There is no provision for making up your own question like “Do you think Steve Jobs was gay?”

If you provide an email account, they’ll even send that email account the answers to these questions.

Today, to “break into” my iTunes account (for what purpose?), you would have to know the email account I used, break that password, then break my current iTunes password.   If you already have control of my email account, the password recovery will quickly hand over what you need to take over my iTunes account.   My iTunes account is secure today specifically because I do NOT allow my password to be reset.   If I have a stroke and become a vegetable and can’t remember how to find my password for this account, well, updating my iPhone apps is the least of my worries.

I wouldn’t be writing about this except that now it is FORCING me to set this up to “ensure the security of my Apple ID” which I have refused to do.

The subtext of all of this is probably – an increasing problem being faced is that when a person dies, their relatives are unable to get access to their email account archives (thank God!) and have trouble unwinding things like online subscriptions.    An ISP won’t turn over control unless the relative provides a death certificate and proof they are acting as the executor of the estate.    It’s so much easier if your sister just happens to know where your parents met, and they’re “in”.  No paperwork.


4 Responses to Who protects us from our protectors?

  1. Wil Schuemann says:

    Consider giving a deliberately incorrect answer to the offered “security” question (the chosen answer being completely unrelated to the subject of the question). Further, consider archiving that incorrect answer, and using that incorrect answer every time that specific question is asked. In that way, no amount of research can discover the “correct” incorrect answer, and your archived incorrect answer will allow you to “correctly” answer the question should the need arise in the future.

    • Art Stone says:

      Exactly what I did 🙂

      The other situation where this comes up happened recently. LinkedIn recently found a portion of their user list posted online, they unilaterally reset the passwords for all accounts they believed might have been compromised…
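As an added illustration of the approach Wil Schuemann describes above (this is example code, not part of the post or the comments): the forced question list from the post is mapped to random, unrelated answers that are archived in a password manager rather than ever being answered truthfully. The 32-word list is constructed for the demo; the 7776-word diceware list and the "a few hundred car models" estimate for a researchable answer are assumptions used only for the entropy comparison. The vault check also refuses a reused answer, since one answer shared across accounts is exactly the cross-account weakness the post complains about.

```python
import math
import secrets

# The fixed question list quoted in the post (all three groups).
APPLE_QUESTIONS = [
    "What was the first car you owned?",
    "Who was your first teacher?",
    "What was the first album you owned?",
    "Where was your first job?",
    "What was your childhood nickname?",
    "Which of the cars you've owned has been your favorite?",
    "Who was your favorite teacher?",
    "What was the first concert you attended?",
    "Where was your favorite job?",
    "Who was your best childhood friend?",
    "Which of the cars you've owned has been your least favorite?",
    "Where did you and your partner go on your first trip together?",
    "Where was your least favorite job?",
    "In which city did your mother and father meet?",
    "Where were you on January 1, 2000?",
]

# Constructed 32-word demo list. A real vault should draw from a large
# published wordlist (a 7776-word diceware list is assumed below only
# for the entropy comparison).
DEMO_WORDLIST = [
    "anchor", "basil", "cobalt", "drizzle", "ember", "falcon", "glacier", "harbor",
    "indigo", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pebble",
    "quartz", "ripple", "saffron", "thistle", "umber", "velvet", "walnut", "yarrow",
    "zephyr", "bramble", "cinder", "dapple", "fennel", "granite", "heron", "ivory",
]


def entropy_bits(choices_per_word: int, words: int) -> float:
    """Entropy of an answer built from `words` independent uniform picks
    out of `choices_per_word` options."""
    return words * math.log2(choices_per_word)


def random_answer(wordlist, words=4, rng=None) -> str:
    """One unrelated, unguessable answer. Uses the OS CSPRNG by default;
    any object with a .choice() method may be passed for reproducible tests."""
    rng = rng if rng is not None else secrets.SystemRandom()
    return "-".join(rng.choice(wordlist) for _ in range(words))


def build_answer_vault(questions, wordlist=DEMO_WORDLIST, words=4, rng=None) -> dict:
    """Map every forced question to a fresh random answer. The returned
    dict is what you archive in a password manager; the true answers are
    never used, so no amount of research recovers them."""
    return {q: random_answer(wordlist, words, rng) for q in questions}


def vault_is_sound(vault, wordlist=DEMO_WORDLIST, words=4) -> bool:
    """Check that every answer uses only wordlist tokens in the expected
    count and that no answer is reused across questions (reuse would let
    one leaked reset answer unlock another account)."""
    allowed = set(wordlist)
    answers = list(vault.values())
    for a in answers:
        parts = a.split("-")
        if len(parts) != words or any(p not in allowed for p in parts):
            return False
    return len(set(answers)) == len(answers)


if __name__ == "__main__":
    vault = build_answer_vault(APPLE_QUESTIONS)
    for q, a in vault.items():
        print(f"{q}\n    -> {a}")
    # Assumed pool size a researcher must try for a real "first car"
    # answer: a few hundred common models, roughly 8 bits.
    print(f"researchable answer: ~{entropy_bits(256, 1):.1f} bits")
    print(f"4 demo words:        {entropy_bits(len(DEMO_WORDLIST), 4):.1f} bits")
    print(f"4 diceware words:    {entropy_bits(7776, 4):.1f} bits")
    print("vault sound:", vault_is_sound(vault))
```

The answers are stored, not memorized, so a reset still works years later; the point is that each one is a second password that only the vault knows, and that no two accounts ever share one.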

  2. HPaws says:

    I never give my correct birthday on the internet, I do use the same incorrect birthday. As to the automatic subscriptions, I try to avoid them – just canceled Coast to Coast. I don’t hesitate to close accounts or even switch banks if necessary should problems not be resolved in the recurring billing process.

    I have found myself trying to de-Apple my life (10+ iPods, 8 laptops, 2 iMacs); the company is just too difficult to deal with – with attitude. Screw ’em.

    • Art Stone says:

      I enjoy the flood of “Happy Birthday!” messages I get on January 1st each year. There is no legitimate reason to ask for a birth date online – ever (except possibly someone who may be 17 or 18 depending on the date – news flash: Kids know how to lie about their age).

      If you work through the math, given a zip code and a precise date, there is probably only 1 person that identifies – you. The average person lives about 25,000 days – it’s an oversimplification, but that means out of a population of 25,000, on average one person was born on that Birth Date (not to be confused with Birth Day). Ask Male/Female and you narrow it down even further. It won’t take long then to directly connect who you are with only those 3 pieces of information.
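Added example (not part of the post or the comment) that puts numbers on Art Stone's birth-date arithmetic. It assumes the comment's 25,000-day lifespan, a zip code of 25,000 people, and birth dates spread uniformly (a simplification; real births cluster). It goes one step beyond the comment: "one person on average" does not mean everyone is unique. By the Poisson approximation about 37% of people are the only one with their birth date, rising to about 61% once sex is added, and nearly everyone then sits in a group of three or fewer candidates. This is the usual way to gauge the re-identification risk of a set of quasi-identifiers before deciding whether to collect them at all.

```python
import math
import random
from collections import Counter

DAYS_IN_LIFE = 25_000  # lifespan figure used in the comment (about 68 years)


def expected_sharing(population: int, days: int = DAYS_IN_LIFE, use_sex: bool = False) -> float:
    """Average number of people in `population` who share one birth date
    (and sex, if asked), assuming dates and sex are spread uniformly."""
    cells = days * (2 if use_sex else 1)
    return population / cells


def unique_fraction_theory(population: int, days: int = DAYS_IN_LIFE, use_sex: bool = False) -> float:
    """Fraction of people whose (date[, sex]) is unique, from the Poisson
    approximation: nobody else lands in your cell with probability e^-lambda."""
    return math.exp(-expected_sharing(population, days, use_sex))


def draw_population(population: int, days: int = DAYS_IN_LIFE, use_sex: bool = False, seed: int = 0):
    """Constructed population for one zip code: one (birth date, sex) key per
    person. Sex is fixed to 0 when it is not part of the identifier."""
    rng = random.Random(seed)
    return [(rng.randrange(days), rng.randrange(2) if use_sex else 0)
            for _ in range(population)]


def fraction_in_cells_at_most(keys, k: int) -> float:
    """Fraction of people whose quasi-identifier is shared by at most k people
    in total (k=1 means they are uniquely identified by it)."""
    counts = Counter(keys)
    return sum(1 for key in keys if counts[key] <= k) / len(keys)


if __name__ == "__main__":
    zip_population = 25_000
    for use_sex in (False, True):
        label = "date + zip + sex" if use_sex else "date + zip"
        keys = draw_population(zip_population, use_sex=use_sex)
        print(f"{label}: expected sharing {expected_sharing(zip_population, use_sex=use_sex):.2f}, "
              f"theory unique {unique_fraction_theory(zip_population, use_sex=use_sex):.1%}, "
              f"simulated unique {fraction_in_cells_at_most(keys, 1):.1%}, "
              f"in a group of <=3 {fraction_in_cells_at_most(keys, 3):.1%}")
```

Run as-is it prints the theory and the simulation side by side; the two agree to within a few tenths of a percent, which is why the exponential formula is enough for a back-of-the-envelope risk estimate without simulating at all.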
