Useless Security Questions @ U.S. State Department

I just signed up with the International Exchange Alumni Web site of the U.S. State Department and stumbled over their security questions.

The following screen shot shows the options visitors have when signing up with the Web site:

[Screenshot: Alumni Web site, State Department security question options]

Options include:

  1. From which secondary school/high school did you graduate?
  2. In what city or town was your first job?
  3. What is the name of the university or college where you graduated?
  4. What is your father’s middle name?
  5. What is your maternal grandmother’s first name?
  6. What was the name of the city or town where you were born?
  7. What was your childhood nickname?
  8. What was your favorite pet’s name?

Now, what is the reason for these security questions? Let’s assume that I forget my password which, in my case, happens frequently as I do use different passwords on different sites (the recommended security practice). In this case, there will be a button where I can type in my email address and get presented with the security question which I selected during sign-up. If correctly answered, the Web site will generate a new password for me or allow me to reset it in some way.

What is the problem here? Well, let’s assume that somebody hijacks my email address, for example by breaking into my email account. If this person is interested in my business with the State Department, this person would now try to reset the password with the hope that, in combination with my hijacked email account, he or she would receive my new password.

Therefore, the hacker has to answer the security question correctly.

Let’s go back to the security questions and assume that a third person with access to my public profiles (e.g., Facebook, LinkedIn) or some Internet searching capabilities wants to hack into the account. How easy is it to answer these questions, assuming that I have answered them correctly during sign-up (which I actually have)?

  1. From which secondary school/high school did you graduate?
    This is easy to answer with Facebook: I have provided “Berufsbildende Schulen Holzminden Georg-von-Langen-Schule.”
  2. In what city or town was your first job?
    Again, very easy to answer, a quick check with my LinkedIn profile, plus some searching for the company’s Web site, is sufficient: my first “real” job was with a company in Fuhlen, Germany.
  3. What is the name of the university or college where you graduated?
    That is super easy, it’s on my Web site, on Facebook, LinkedIn and XING: University of Applied Sciences in Bingen, Germany.
  4. What is your father’s middle name?
    That’s a little more complicated. It requires a phone call to verify, but I bet my dad would tell: he has no middle name.
  5. What is your maternal grandmother’s first name?
    I have no freaking idea. I just don’t know it, as I only met her when I was very young. I don’t know her name, but I bet it is relatively easy to find out. One or two days of phone calls.
  6. What was the name of the city or town where you were born?
    Again, very easy. You can find this information on my Facebook profile: Hamelin, Germany.
  7. What was your childhood nickname?
    This is a good one. Could be my little secret ;-), but is known to some good friends from childhood.
  8. What was your favorite pet’s name?
    Again, a good one, only known to insiders. Also, a good candidate for my little secret.

Out of 8 security questions, only two are potential candidates. Less security-savvy users might pick one of the other, less secure options.
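As an added example (not part of the original post, and not the State Department site's own code), here is a small Python model of the reset flow the post describes: an email address plus one self-selected security question gates a password reset. It shows the safeguards a site implementing such a flow would want on top of offering good questions: answers stored as salted hashes, answers normalized before comparison, a per-account attempt limit so a short list of guesses cannot be tried freely, and a single-use reset token that expires. The account, email addresses, question text and answers are constructed for the example.

```python
"""Model of a security-question password-reset flow (added example, not the
original post's or the site's code). Account data below is constructed."""
import hashlib
import hmac
import secrets
import time
import unicodedata
from typing import Dict, Optional

MAX_ATTEMPTS = 5          # wrong answers allowed before the reset is locked
TOKEN_TTL_SECONDS = 900   # reset token lifetime (15 minutes)


def normalize(answer: str) -> str:
    """Case-fold, strip accents and collapse whitespace so 'Hamelin' == ' hamelin '."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked database does not reveal the answers."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


class Account:
    def __init__(self, email: str, question: str, answer: str) -> None:
        self.email = email
        self.question = question
        self.salt = secrets.token_bytes(16)
        self.answer_hash = hash_answer(answer, self.salt)
        self.failed_attempts = 0
        self.reset_token: Optional[str] = None
        self.token_expires = 0.0

    def check_answer(self, answer: str) -> bool:
        # Constant-time comparison of the stored and freshly computed hashes.
        return hmac.compare_digest(self.answer_hash, hash_answer(answer, self.salt))


class ResetService:
    def __init__(self, accounts: Dict[str, Account]) -> None:
        self.accounts = accounts

    def question_for(self, email: str) -> Optional[str]:
        acct = self.accounts.get(email)
        return acct.question if acct else None

    def request_reset(self, email: str, answer: str, now: Optional[float] = None) -> Optional[str]:
        """Return a reset token on a correct answer, None otherwise.

        Failed attempts are counted per account; once MAX_ATTEMPTS is reached
        the account stays locked even for a correct answer."""
        now = time.time() if now is None else now
        acct = self.accounts.get(email)
        if acct is None or acct.failed_attempts >= MAX_ATTEMPTS:
            return None
        if not acct.check_answer(answer):
            acct.failed_attempts += 1
            return None
        acct.failed_attempts = 0
        acct.reset_token = secrets.token_urlsafe(32)
        acct.token_expires = now + TOKEN_TTL_SECONDS
        return acct.reset_token

    def redeem(self, email: str, token: str, now: Optional[float] = None) -> bool:
        """Accept a token once, and only before it expires."""
        now = time.time() if now is None else now
        acct = self.accounts.get(email)
        if acct is None or acct.reset_token is None or now > acct.token_expires:
            return False
        ok = hmac.compare_digest(acct.reset_token, token)
        acct.reset_token = None      # single use, whether or not it matched
        return ok


def demo() -> Dict[str, bool]:
    """Walk through the flow with constructed accounts and return the outcomes."""
    question = "What was the name of the city or town where you were born?"
    results: Dict[str, bool] = {}
    # Five wrong guesses exhaust the attempt budget; the correct answer is then refused.
    locked = Account("alumna@example.org", question, "Hamelin")
    svc = ResetService({locked.email: locked})
    for guess in ["Berlin", "Hamburg", "Hanover", "Bremen", "Munich"]:
        svc.request_reset(locked.email, guess, now=1000.0)
    results["locked_after_wrong_guesses"] = svc.request_reset(locked.email, "Hamelin", now=1000.0) is None
    # A fresh account: the normalized correct answer yields a token that works once.
    fresh = Account("alumnus@example.org", question, "Hamelin")
    svc2 = ResetService({fresh.email: fresh})
    token = svc2.request_reset(fresh.email, "  HAMELIN ", now=2000.0)
    results["token_issued"] = token is not None
    results["token_single_use"] = svc2.redeem(fresh.email, token, now=2100.0) and not svc2.redeem(fresh.email, token, now=2100.0)
    # A token presented after its lifetime is rejected.
    token3 = svc2.request_reset(fresh.email, "hamelin", now=3000.0)
    results["token_expired"] = not svc2.redeem(fresh.email, token3, now=3000.0 + TOKEN_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    print(demo())
```

The attempt limit only slows guessing. When the answer is sitting on a public profile, as the post finds for six of the eight questions, the question adds no protection at all, and a reset path that matters should require a factor that is not derived from public facts.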

There is some interesting reading available for those implementing this type of security on Web sites:

Happy reading. Leave your comments.
