It’s human nature; most of us love to talk about ourselves or at least share details about our past and preferences. And social media loves that, too, since it gets people engaged and participating.
It’s not just scandalous material that can do you in. Quite the contrary. The most normal (even dull) details of your life might cost you in the form of identity theft, compromised accounts or stolen funds.
Case in point: an early wave of social engineering on Facebook came in the form of would-be humorous prompts like “Your celebrity stage name is your mother’s maiden name plus the street you grew up on! Post the results in the comments!”
This was a blatant attempt to harvest the answers to two stock security questions (mother’s maiden name, street you grew up on), and fortunately most people (in my circle) were too savvy to fall for it.
But the questions have gotten more sophisticated and less suspicious. I’ve noticed a significant uptick in Facebook questions that ask users to answer seemingly innocent questions that few would suspect of putting anyone at risk.
One question invited commenters to post how many miles they live from the place they were born. I live an undisclosed distance from my hometown, and posting that number alone would not identify it outright, but it does narrow the search: a single distance is not triangulation, it is a circle, and anyone with a map (or a list of city coordinates) can draw a circle of that radius around the current city listed on my profile and see which towns fall on it. Anyone who answers “zero” skips even that step. One look at their Facebook profile to see what they listed as their current city, and now you know the answer to a very common security question: “What city were you born in?”
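As an added illustration (not part of the original post), here is a small Python script that does the “map and compass” step for an answer of X miles: it takes the current city shown on a profile and lists the towns whose distance matches the posted figure. The city table and its coordinates are constructed sample data for the example (a real search would use a full gazetteer of every town in the region), and the 15% tolerance band is an assumption about how roughly people estimate such distances.

```python
import math

# Mean Earth radius in statute miles, used by the haversine formula below.
EARTH_RADIUS_MI = 3958.8

# Constructed sample data: a handful of Midwestern US cities with approximate
# (latitude, longitude) in decimal degrees. An attacker would substitute a
# gazetteer of every town in the region for this hand-picked list.
CITIES = {
    "Chicago":      (41.8781, -87.6298),
    "Milwaukee":    (43.0389, -87.9065),
    "Indianapolis": (39.7684, -86.1581),
    "St. Louis":    (38.6270, -90.1994),
    "Detroit":      (42.3314, -83.0458),
    "Columbus":     (39.9612, -82.9988),
    "Cleveland":    (41.4993, -81.6944),
    "Minneapolis":  (44.9778, -93.2650),
}


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two (lat, lon) points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


def candidate_hometowns(current_city, posted_miles, cities=CITIES,
                        rel_tolerance=0.15, min_band_mi=5.0):
    """Return (city, distance) pairs whose distance from `current_city`
    matches the figure someone posted, allowing for the rough estimates
    people give ("about 250 miles").  The band is +/-15% of the posted
    figure (an assumed tolerance), but never narrower than `min_band_mi`
    so that an answer of zero still matches the current city itself."""
    lat0, lon0 = cities[current_city]
    band = max(posted_miles * rel_tolerance, min_band_mi)
    matches = []
    for name, (lat, lon) in cities.items():
        d = haversine_miles(lat0, lon0, lat, lon)
        if abs(d - posted_miles) <= band:
            matches.append((name, round(d)))
    # Closest fit to the posted figure first.
    matches.sort(key=lambda m: abs(m[1] - posted_miles))
    return matches


if __name__ == "__main__":
    # Someone whose profile says "Chicago" posts "about 260 miles":
    # the eight-city table shrinks to three candidates.
    for city, miles in candidate_hometowns("Chicago", 260):
        print(f"{city}: {miles} mi")
    # Someone who posts "zero" has narrowed it to exactly one city.
    print(candidate_hometowns("Chicago", 0))
```

The point is not precision but reduction: even a vague “about 260 miles” collapses the table to a few candidates, and each of those can be tried against a password-reset form that asks for birthplace. The zero case needs no table at all.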
Another great example is the common question: “What was the first concert you attended?” Hey, who doesn’t enjoy reminiscing about wonderful experiences? Just take a moment to gush about how great it was seeing the Rolling Stones in 1971, and now anyone reading the thread can guess that “the Rolling Stones” is your answer to any security question about your favorite band or, yes, the first concert you saw.
The same goes for “Post the name of a pet you’ll miss forever.” Chances are that was your first pet, so once you type in “Fluffy” (not the name of my first pet) there’s another security question someone can answer on your behalf.
I proved this to a relative who was skeptical of such dangers. I knew her favorite song was “Stayin’ Alive” by the Bee Gees. I also knew her email address. I went to the web portal for her email provider, entered her account name and clicked “Forgot Password.”
Guess which security question came up that I had to answer to reset her password? If you guessed “What’s your favorite song?” you win the prize for today. All I needed was that one bit of information. She was appalled, and I advised her to change that answer immediately. I did not actually reset her password.