Facebook Quizzes and The Folly of “Secret Questions”

Lots of discussion lately about risks of filling in quizzes on Facebook. This is merely a new example of an old problem:

Many websites, including banks, have adopted the practice of allowing users who have lost their passwords to regain access to their accounts through “secret questions.” For years the classic secret question was “Mother’s Maiden Name.” Though there is now more variety in secret questions, they still represent a giant security flaw. Security guru Bruce Schneier has written many times about this issue, including this concise essay.

Serious attackers will often be able to figure out the answers by researching the subject, especially subjects who are indiscreet users of social media. This is even more risky today, with the popularity of quizzes on Facebook. Close friends or relatives inclined to access your accounts may not even have to do much research: they may already know the brand of your first car or the name of your favorite elementary school teacher. At a minimum, protect yourself by never giving a real answer when you set up a “secret question.”

Why do banks and other online entities like to use such insecure techniques? From their point of view, it’s better than having to deal with an angry customer who has lost his password. Any losses the practice may cause are an “externality,” a cost not borne by the bank.