Insecurity questions (Part 3 of 3)

We have already illustrated that security questions are not secure, but this will continue for some time to come. The problem is that a lot of security questions and answers use immutable facts, which is akin to having a never-changing password used in many different places. It is disproportionate to enforce a password policy of minimum eight characters, mixed upper case and lower case, and including numbers and symbols, and then allow someone to reset it using your first school, the name of your dog and your mother’s maiden name.

With every data breach, more information about individuals becomes available in the public domain. Combined with the information that people openly provide on social media, this means the answers to the majority of security questions, being based on unchangeable historical facts, are readily available for use. It is also likely that large quantities of stolen data from multiple sources have already been correlated to build a bigger picture of individual people. If this is not already true, it is a safe assumption that it will be in the future. Here are some thoughts on how to adapt:

  • The most crucial point is that for the concept of security questions to work, the questions and answers need treatment with the same level of importance as usernames and passwords. Remember that security questions can reset and override the need for passwords or PINs.
  • Advice that people should use different passwords for different systems is ubiquitous; however, for security questions to have security value, the same approach needs to be applied. It is daunting to think of having 200 mothers and needing to change them all every 60 days, but it’s not that bad; having one mother and multiple maiden names is sufficient. Also, having a mother who was once called ‘Miss Yr66£1&Ld’ is acceptable. It is amusing when asked to confirm this by telephone. What is not funny is it being accepted by phone after giving only the first three characters. Some systems treat the answers to security questions like passwords, and call centre staff must correctly type the full answer to access customer data. This approach provides an extra level of security, which prevents call centre staff from accessing customer data when the customer is not present on the call.
  • Exercising a certain amount of security due diligence when being asked for information is essential and will require a judgement call to be made. What is reasonable and unreasonable is somewhat subjective, and companies should only be requesting the minimum information necessary to fulfil their purpose. Name and address are obvious requirements if you place an online order which needs to be delivered, but you would not expect to be asked for a date of birth when placing an order.
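
As an added illustration (not code from the original post), the two verification approaches contrasted above, in Python: a prefix-matching check of the kind that accepts the first three characters, beside a verifier that stores and checks the answer the way a password should be stored and checked. The answer string and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Weak verifier of the kind described above: case-insensitive prefix match
# against a plaintext answer, so "yr6" (or even "") is accepted for "Yr66£1&Ld".
def weak_verify(stored_plaintext: str, given: str) -> bool:
    return stored_plaintext.lower().startswith(given.lower())

def normalise(answer: str) -> str:
    # Canonicalise Unicode and trim surrounding whitespace only. Do NOT
    # lowercase or strip symbols: that would throw away the answer's strength.
    return unicodedata.normalize("NFC", answer).strip()

def enrol(answer: str, iterations: int = 600_000) -> dict:
    # Store the answer exactly as a password would be: salted, stretched, hashed.
    # The plaintext is never kept, so staff cannot read it back to a caller.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}

def strong_verify(record: dict, given: str) -> bool:
    # The full answer is required; the derived digest is compared in constant
    # time so timing does not leak how much of the answer was right.
    candidate = hashlib.pbkdf2_hmac("sha256", normalise(given).encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

if __name__ == "__main__":
    answer = "Yr66£1&Ld"          # constructed answer, as in the post
    print("weak, 3 chars :", weak_verify(answer, "Yr6"))        # True
    rec = enrol(answer)
    print("strong, 3 chars:", strong_verify(rec, "Yr6"))        # False
    print("strong, full   :", strong_verify(rec, answer))       # True
```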

Companies are behind with the idea that someone can have a cat called ‘G8ssJe4£!’. Being asked once to pronounce his name was followed with an explanation that the answer to my security question needed to be factual and could I give the real name so they could update my records. Not having a cat made that close to impossible.

Insecurity questions (Part 2 of 3)

In part 1, we looked at how security questions are generally insecure for several reasons and highlighted some of the challenges that we face to improve security. The next step is to look specifically at suggestions for adapting to what are several broken business processes and inadequate IT solutions. We start with what happens when someone calls you and asks to take you through security questions – ‘What?! You called me!’

If someone calls you and tells you they need to take you through security questions, do not comply. If they are calling you, you should be the one confirming their identity. There are many approaches.

  • Tell the caller that you will call them back. Always use a telephone number provided to you in official correspondence or use a publicly available contact telephone number for the company allegedly calling you.
  • The caller may attempt to give you a telephone number to call. Never use this number. If the call is fraudulent, then the number provided will also be fraudulent.
  • After the call, always make a call to a known number such as a family member or a friend. This action ensures disconnection from the previous telephone call. With some telephone systems, the connection remains active after hanging up. Picking up the phone and dialling a genuine number can result in a continuation of the previous call.
  • If you receive a text message asking you to call your bank or another company about an urgent matter, never use the telephone number provided in the text.
  • Even if the Caller ID shows up as a genuine number that you recognise, it is worth following the same process, since Caller IDs can be faked.

There is an assumption that an organisation calling you has exclusivity over making sure they are speaking to the right person. You can test this yourself next time you receive a call by trying to take them through security. When they call you, ask them to confirm the 2nd and 5th digit of your customer number or some other obscure question which the caller would have access to if they were genuine. The point here is not to get them to comply, but to demonstrate that they will not comply. They will, however, try and insist that you comply.

The failing is in the way businesses have set up their processes, and the expectation that this is how the process works is so embedded in people’s thinking that fraudsters can step in and mimic the process to obtain access to sensitive information. In recent years we have seen notifications from financial institutions stating, ‘We will never ask you for your PIN’. The next step on this matter would be for corporations to say ‘We will never call you and ask you security questions’.

In part 3, we will look more at security questions and how the entire security model around the use of security questions has a limited shelf life.

Insecurity questions (Part 1 of 3)

‘Can we take you through security?’ is a question we are all familiar with these days, but just how secure are the answers? There must be a point at which some become irrelevant, such as mother’s maiden name and date of birth. With many companies asking for this information, it must sooner or later become challenging to remember who has what information. If we limited specific security questions to a particular profile of company, such as mother’s maiden name being used only for banking security, then their use would be more limited and have more value.

While participating in an extensive information security improvement programme in the financial services sector, I met someone who had a creative solution to security questions. This lady had different mother’s maiden names for every company, and an alternative date of birth for any company she deemed didn’t have the right to know when she was born. As information security consultants, no doubt we all have variations on this theme.

Professionals in our field have endeavoured to diversify security questions, but not without their own set of concerns and voiced frustrations. I refer to many instances where banks have called petrol stations to verify payment ownership and placed customers in a situation where they are unable to answer the questions, after the petrol tank is full. It certainly makes the account more secure, but there is a trade-off between security and availability/usability for the genuine customer. What shows up on the bank statement isn’t always the same as what the customer expects to see. For example, a purchase from a store with a recognised brand name, but the transaction shows up as a registered company name. Customers asked about transactions from a company are unable to answer the questions. These types of security questions do make it harder to breach using a set of immutable facts, but the answers might not be readily available to be useful.

In one case, I knew I had purchased something from a pharmacy. The caller told me all the details of the transaction except the name of the chemist and wanted me to confirm the business name as a security question. There was no doubt in this case that the call was genuine, but I was not able to answer the question to their satisfaction. At a later date, I was able to see that on the bank statement it showed the personal name of the pharmacist and not the business name.

How often does someone call you and then ask to take you through security questions, followed by shock and surprise if you say ‘What? You called me! I need to take you through security’? In most cases, people respond by answering the security questions, leaving them open to potential phishing attacks.

Understandably, many choose to store different mother’s maiden names, dates of birth and other random information for every service provider. Can you imagine the response you would get if asked for your date of birth and you said, ‘Give me a second, just opening my vault to check’, followed by ‘It’s a security question remember, everyone gets a different date’.

General observations are:

  • Security questions reflect facts about someone, facts which never change. If these facts are used on a website which is subsequently compromised, the security questions become permanently insecure.
  • Businesses request too much personal information, far exceeding the legitimate need for gathering and processing, and for the most part, people feel compelled to answer.
  • Security questions are far more valuable than passwords, as they are often used to override the need for a password, such as when people forget their passwords.
  • Answers to the most popular security questions are often available through a combination of public records and social media websites.
  • There is so much personal information out there that it undermines the very notion of security questions.
  • Security questions are often so insecure that the only real solution is to use made-up answers and treat them like passwords.

Using varied security questions based on very recent activity will improve security. However, in the case of creatures of habit, the correct answer as it was six months ago could still be valid today.

Avoiding Ransomware

Ransomware is a frequently reported threat, and it may be only a matter of time before a significant attack takes place and impacts many individuals and businesses. Here are some basic behavioural changes to help protect yourself, your organisation, and your employer:

  • Email Threat Awareness – DO NOT open attachments or click on links unless you trust and can verify the source. Malicious websites and infected attachments can install ransomware and encrypt your data.
  • Patch Management – Keep your operating system and software applications up to date. Software vendors are continuously updating their software to remove identified vulnerabilities. If your software is no longer supported, consider switching to an alternative product.
  • Pirated Software – DO NOT download software from peer-to-peer file sharing sites, including avoiding licence key generators and other software cracks. Threat actors alter versions of legitimate software to deploy malware. Also, as pirated software is unlicensed, security patches and further updates will not be available, leaving exploitable vulnerabilities in place. Worse still, so-called “security patches” from illegitimate sources may introduce additional malware.
  • Anti-malware – Keep all malware removal and protection software up to date. If a website popup claims your system is infected, it’s likely scareware designed to trick you into buying fake security software that may itself contain malware. Use a trusted brand.
  • Software Clutter Clearing – Uninstall software packages and browser plugins that are no longer required. Reducing software clutter lowers your attack surface.
  • Software Whitelisting – Allow only pre-approved applications to execute, while blocking everything else by default. This deny-by-default approach helps reduce malware, intrusions, and the use of unauthorised software.
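
The deny-by-default rule in the last bullet, as an added example in Python (not code from the original post or any particular allow-listing product): every launch is denied unless an explicit rule matches, and a rule pins more than a path, either a trusted publisher in a protected directory or the exact content hash. The rules, publisher name and launch events are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class ExecRequest:
    """One attempted program launch, as an allow-listing agent would see it."""
    path: str        # location the binary is launched from
    sha256: str      # hash of the file contents at launch time
    publisher: str   # code-signing subject, or "" when unsigned

# Hypothetical approved tool: its hash is computed from constructed bytes so the
# example runs offline; a real policy would pin the real file's hash.
APPROVED_TOOL_HASH = hashlib.sha256(b"constructed approved tool bytes").hexdigest()

# Constructed allow-list. A path alone is never enough: a rule needs a trusted
# publisher inside a protected directory, or an exact content hash.
ALLOW_RULES = [
    {"path_prefix": "C:\\Program Files\\", "publisher": "CN=Example Vendor"},
    {"sha256": APPROVED_TOOL_HASH},
]

def is_allowed(req: ExecRequest) -> bool:
    """Deny by default: execution proceeds only when some rule explicitly matches."""
    for rule in ALLOW_RULES:
        if "sha256" in rule and rule["sha256"] == req.sha256:
            return True
        if ("path_prefix" in rule
                and req.path.startswith(rule["path_prefix"])
                and req.publisher == rule["publisher"]):
            return True
    return False

def evaluate(events):
    """Map each launch path to the decision the policy produces."""
    return {e.path: ("allow" if is_allowed(e) else "deny") for e in events}

# Constructed sample launches.
SAMPLE_EVENTS = [
    ExecRequest(r"C:\Program Files\Vendor\app.exe",
                hashlib.sha256(b"vendor app").hexdigest(), "CN=Example Vendor"),
    ExecRequest(r"C:\Users\alice\Downloads\invoice.exe",      # unknown, unsigned
                hashlib.sha256(b"unknown download").hexdigest(), ""),
    ExecRequest(r"C:\Users\alice\Downloads\tool_copy.exe",    # renamed approved tool
                APPROVED_TOOL_HASH, ""),
    ExecRequest(r"C:\Program Files\Vendor\patched.exe",       # unsigned in trusted dir
                hashlib.sha256(b"tampered app").hexdigest(), ""),
]

if __name__ == "__main__":
    for path, decision in evaluate(SAMPLE_EVENTS).items():
        print(f"{decision:5} {path}")
```

The renamed copy is still allowed because the decision rests on its hash, while the unsigned file in the trusted directory is denied because the publisher check fails.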

Ransomware remains a persistent threat, but with simple, proactive habits and a security-first mindset, much of the risk can be avoided. By staying vigilant, keeping systems updated, and being cautious with unknown sources, you can significantly reduce the likelihood of becoming a victim.