Monday, September 22, 2008

Governor Palin's Email: Security Questions in the Facebook Age

Think about how much information the average FaceBooker or blogger shares about himself online. Now consider this, Governor Sarah Palin's Yahoo! email address allowed a password reset by knowing the answer to three Security Questions:

What is your birthdate?
What is your ZIP code?
Where did you meet your spouse?

The answer took a few Google searches. Every celebrity birthdate can be easily found online. Wasila, Alaska only has one ZIP code, and Palin is known to have met her husband in high school. The last took three guesses, with the correct answer being "Wasilla High", according to the post on's /b/ board by someone calling himself Rubico --( and now confirmed to be 20-year-old David Kernell who, Republicans are pointing out, is the son of a Democratic State Representative in Tennessee.

Kernell used a publicly available anonymizing server called "Ctunnel" operated by Gabriel Ramuglia in Athens, Georgia to try to protect his identity while hitting the Yahoo! website. Ramuglia is cooperating voluntarily with the FBI, who gained the CTunnel IP address from Yahoo's logs.

Let's consider for a moment some of the other security questions that have been offered as "Security" to some of our accounts. I've complained about these for years, because many of them are trivial to find for even a moderately "online" person. But again, let's consider these in the Facebook Age, and take a moment to reflect on how absolutely broken they are.

Here's a set of Challenge Questions from a very large American bank:

In what city were your born?
What is your favorite hobby?
What high school did you attend?
What was your high school mascot?
What is your father's middle name?
What is your mother's maiden name?
What is the name of your first employer?
What is the first name of your first child?
In what city was your father born?
When is your wedding anniversary? (Enter the full name of month)
In what city was your high school?

What High School? Gee - Look at my account.
First Employer? Not hard to find on my LinkedIn page.
Mother's maiden name? Hello? I run a genealogy mailing list for that surname!
Pet's name? My daughter has created a "DogBook" account for our pet!

So, what do you do when they ask you for a security question? Lie. Be dishonest. DO NOT TELL THE TRUTH. Be imaginative! And then write down your security questions and put them wherever you keep your birth certificate and passport.

Pet's name? Sir Gallahad the Cat-Snuffer
Favorite movie? Pippi Longstockings
Month of your wedding? Octuary
Mother's maiden name? Mugillicutty

In other words - they force you to HAVE a security question, but PLEASE don't make it something the rest of the world can find out with a Google search.

Of course, its worse if you are a celebrity. Governor Palin, after all, has a biography written that will answer most of these questions. The more famous you are, or in some cases the wealthier you are, the more likely it is you will be targeted.

As an illustration, we have the story from back in 2001 of Abraham Abdallah. A 32 year old New York City bus boy. A high school drop out. Who happened to be working his way through the Forbes magazine "400 Richest People" list. At the time of his arrest he had impersonated many of these famous people simply by knowing enough about them to be able to pass a telephone version of the Security Questions above.

See: Forbes rich list falls prey to high-tech fraudster

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.