How much wood would a woodchuck chuck if a woodchuck could chuck wood?
Think carefully before you answer. The question is from the password retrieval system for Virgin America's Elevate frequent-flyer program, one of several a user may be prompted to answer in order to verify his or her identity. But it's not just Richard Branson's own quirky take on the standard "What's your mother's maiden name?" query, widely used for verification purposes by many banks and e-mail services. These days, security questions are getting more creative because they have to. As we make more and more personal information freely available online via our blogs, Facebook profiles, Flickr photos and Twitter, security questions based on biographical data are becoming less and less secure.
Vice-presidential candidate Sarah Palin discovered that last week when someone hacked into her Yahoo! e-mail account, email@example.com, after typing her username into Yahoo! and clicking "Forgot your ID or password?" According to an account of the breach by someone claiming to be the perpetrator, here's what happened next:
it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)...the second was somewhat harder, the question was "where did you meet your spouse?" did some research, and apparently she had eloped with mister palin after college...I found out later through more research that they met at high school, so I did variations of that, high, high school, eventually hit on "Wasilla high"
Bingo. The hacker read Palin's e-mails and, soon after, screenshots appeared on Wikileaks, a website dedicated to posting leaked government and corporate documents.
"This is an attack that any 17-year-old in America could have mounted," says Ariel Rabkin, a doctoral student at the University of California, Berkeley, who has studied and written about online security, including a paper subtitled "Security Questions in the Era of Facebook." Rabkin adds, "You could do it in your living room drunk on the spur of the moment."
Hence, the growing trend toward more arcane and occasionally bizarre password retrieval questions. Sign up for an MSN/Hotmail account and you can choose from "Who was your best childhood friend?" "What was your grandfather's occupation?" or "Who is your favorite historical person?" The questions for a Citibank MasterCard account are even odder, bordering on the absurd: "Who was your archrival growing up?" "If you needed a new first name, what would it be?" and "If you could control your height, how tall would you be?" Even if a person can answer those questions, there's no guarantee the answer will be the same the next time around. (One Citibank query, for example, is "Which foreign country would you like to visit?" But the answer might well change a year later, after you've made that trip to New Zealand.)
Last year, the Federal Communications Commission passed a rule prohibiting landline and cellular phone companies from asking biographical questions for password retrieval, following the disclosure that computer company Hewlett-Packard had used such information to gain access to industry journalists' phone records, a technique known as "pretexting." Still, e-mail providers like Yahoo! and many online banking services haven't stopped using biographical questions, even as much of this information is finding its way online.
Coming up with a fail-safe system is not easy. "A good question for me might be an inexplicable question for you," says Rabkin. "It's hard to find ones that are good for everybody." Security answers have to be obscure enough that they're unguessable, while still familiar enough to the user that they won't be forgotten. And they can't be information that is easily obtainable. "Who did you buy your house from?" used to be a great question used by some banks. Although real estate sales information is public, says Rabkin, "it used to be public in the sense that you had to go down to the deeds office and look it up." Now, often all it takes is a few mouse clicks.
For that reason, fact-based questions are declining in popularity vs. those that relate to the user's preferences. But even preference questions aren't foolproof. Your favorite book? Fine, unless it's the Bible, in which case it's easily guessable. Your favorite album? Fine, unless it happens to be mentioned on your Facebook page.
Palin's security questions, it turns out, were some of the most commonly used online. "You could argue that she was dumb for picking these questions and providing her correct information," says Markus Jakobsson, a principal scientist at the Palo Alto Research Center, a subsidiary of Xerox. "But we shouldn't judge her on her ability to make security-related decisions ... This is not about Yahoo! This is about industry failure." (Jakobsson is currently developing a security system that prompts users to answer a battery of preference questions when they establish an account. If they forget their password, users must answer a certain percentage of their preference questions correctly to retrieve it.)
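The threshold scheme Jakobsson describes (answer a battery of preference questions at sign-up, then pass a fixed fraction of them to recover the account) can be sketched in code. What follows is an illustration added for this page, not Jakobsson's or PARC's system: the question names, the sample answers, the 80% pass threshold and the hash parameters are all constructed assumptions. The defensive points it shows are that answers are stored only as salted, slow hashes, that comparison is constant-time, that harmless variations in spelling or capitalisation (the article's worry that a user's own answer changes over time) are tolerated by normalising before hashing, and that one wrong answer among several does not lock the legitimate user out while a guesser still has to get most of them right.

```python
import hashlib
import hmac
import math
import secrets
import unicodedata

# Constructed sample enrollment: preference questions and the answers a
# hypothetical user gave when the account was created. Not real data.
ENROLLED_ANSWERS = {
    "favorite_book": "Cryptonomicon",
    "favorite_album": "Kind of Blue",
    "first_concert": "The Pixies",
    "favorite_dish": "pad thai",
    "childhood_hero": "Ada Lovelace",
}

# PBKDF2 iteration count; an assumption chosen to keep this demo quick.
# A production deployment would use a higher count or a memory-hard KDF.
ITERATIONS = 100_000


def normalize(answer: str) -> str:
    """Canonicalise a free-text answer so 'Pad  THAI ' and 'pad thai' compare equal.

    Unicode NFKC folding plus casefold and whitespace collapsing. A deliberate
    'twist' such as Xam2008 survives normalisation, so it still has to be typed.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash of the normalised answer; never store answers in clear."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS)


def enroll(answers: dict) -> dict:
    """Return the record to persist: per-question (salt, digest) pairs only."""
    store = {}
    for question, answer in answers.items():
        salt = secrets.token_bytes(16)
        store[question] = (salt, hash_answer(answer, salt))
    return store


def count_matches(store: dict, attempt: dict) -> int:
    """Number of enrolled questions the recovery attempt answered correctly."""
    matched = 0
    for question, (salt, digest) in store.items():
        given = attempt.get(question, "")
        # Constant-time comparison so timing does not reveal which answers were right.
        if hmac.compare_digest(hash_answer(given, salt), digest):
            matched += 1
    return matched


def verify(store: dict, attempt: dict, threshold: float = 0.8) -> bool:
    """Pass if at least `threshold` of the questions were answered correctly.

    The threshold is an assumption; the article only says 'a certain percentage'.
    """
    required = math.ceil(threshold * len(store))
    return count_matches(store, attempt) >= required


if __name__ == "__main__":
    record = enroll(ENROLLED_ANSWERS)
    attempt = dict(ENROLLED_ANSWERS)
    attempt["favorite_book"] = "The Bible"  # one guessable wrong answer
    print("4 of 5 correct, recovery allowed:", verify(record, attempt))
    attempt["first_concert"] = "U2"
    print("3 of 5 correct, recovery allowed:", verify(record, attempt))
```

The recovery endpoint should still count attempts per account and stop after a few failures; the threshold only decides what one attempt must achieve, not how many attempts an attacker gets.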
For now, some Internet security consultants advise choosing answers that are correct, but with a twist, which could be as simple as a few numbers at the end of a maiden name, or a pet's name spelled backward.
So next time you set up an online account and are asked your pet's name, don't just say it's Max, one of the most popular dog names in the U.S. and one that a motivated hacker might guess. Say it's Xam2008.