Online Security Questions Need Improving

Tuesday, March 09, 2010

From banks to email programs, website developers need to create more complex security questions so users avoid the danger of identity theft. Researchers at the University of Cambridge and the University of Edinburgh found that current schemes used to keep unauthorized individuals from gaining access to personal accounts are too easy to break through. Right now hackers have about a 1 in 80 chance of figuring out answers to security questions if given three chances to guess correctly, a rate considered dangerously high by experts.

 
For instance, a commonly asked question on many websites involves giving the maiden name of the user’s mother. Because birth and marriage records are often available online, this type of security measure is far too easy to overcome, researchers insist.
 
They also determined that cultural diversity plays a role in making websites and online accounts more secure. Because of the melting-pot nature of U.S. citizens, American surnames were deemed the most difficult to guess, while surnames from Japan and South Korea, where populations are more homogeneous, were much easier to figure out. For example, asking the name of a person’s childhood teacher may seem like a secure question, but not if the teacher’s name was Smith in English-speaking countries or González, Garcia or Rodriguez in those that speak Spanish.
 
The researchers recommend using more esoteric questions or requiring users to answer three separate questions.
-Noel Brinkerhoff, David Wallechinsky
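
As an added example (not from the article or the study), the Python sketch below lets a site measure how many accounts share the few most common answers to a security question, the kind of figure behind the 1-in-80 rate, and how that share changes when several questions must all be answered. The sample answers, the function names, the use of 1 in 80 as a ceiling and the assumption that answers to different questions are independent all belong to this example.

```python
import unicodedata
from collections import Counter
from fractions import Fraction
from itertools import product
from math import prod

LIMIT = Fraction(1, 80)  # the article's "1 in 80" rate, used here as a ceiling (assumption)

def normalize(answer):
    """Fold accents, case and spacing, as a lenient answer check would."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.casefold().split())

def top_shares(answers, guesses=3):
    """Share of accounts holding each of the `guesses` most common answers."""
    counts = Counter(normalize(a) for a in answers)
    return [Fraction(n, len(answers)) for _, n in counts.most_common(guesses)]

def guess_rate(answers, guesses=3):
    """Fraction of accounts whose answer is among the most common ones."""
    return sum(top_shares(answers, guesses))

def combined_rate(questions, guesses=3):
    """The same rate when every question must be answered correctly at once.
    Assumes answers to different questions are independent."""
    joint = [prod(combo) for combo in
             product(*(top_shares(q, guesses) for q in questions))]
    return sum(sorted(joint, reverse=True)[:guesses])

# Constructed sample data, not taken from the study.
COMMON = (["Smith", "smith", "SMITH ", "Smith", "Smith"]
          + ["González", "Gonzalez", "gonzález", "Gonzalez"]
          + ["Garcia"] * 3 + [f"other{i}" for i in range(8)])
DIVERSE = [f"name{i:03d}" for i in range(400)]

if __name__ == "__main__":
    for label, sample in (("common", COMMON), ("diverse", DIVERSE)):
        rate = guess_rate(sample)
        print(label, rate, "ok" if rate <= LIMIT else "too guessable")
    print("two questions:", combined_rate([COMMON, COMMON]))
```

Exact fractions keep the comparison against the ceiling free of rounding, and folding accents and case first matters because "González" and "Gonzalez" count as the same answer on most sites.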
 
What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions (by Joseph Bonneau, Mike Just and Greg Matthews, University of Cambridge) (pdf)
