Sample Yahoo! security questions
How I’m going to use social networking to steal your identity.
I think about all my trusted advisors in real life: my attorney, my doctor and others. There are questions that if posed by my insurance agent, I’d react by getting up from the table, letting him know it’s none of his business. But in the spirit of connecting socially, I easily answer these same questions in a Facebook quiz. It’s a cathartic release, a confession. Sometimes it makes up for the close mouthed, private way I act in real life. I know it seems great to “share” with others. And social network communities are the perfect place to dive in. Somehow sitting alone at the computer gives us license to answer some very intimate questions.
So the first thing I’ll do to steal your identity is find out everything I can about you. I can take the “How Well Do You Know Me?” quiz, which apparently 34 million others have taken and which has almost 200,000 fans. I’ll find out your birth date, where you were born, the names of your parents, your spouse, and your children. And I’ll find out their birthdates. I’ll find out your hobbies and your interests. I’ll see who all your friends are.
I’ll read “25 things you didn’t know about me”. I’ll know what sports you like, what your middle name is. I’ll know what your favorite stores are. I’ll figure out where you live by seeing where you shop. Your grammar school and your high school will be listed. It won’t be long until I find out the name of your first pet. Oh look, you used to have a space between your two front teeth!
I’ll read what Greek god you are, what Sex In The City character you think you are and who is your celebrity twin. Then I’ll figure out your childhood nickname, in what city you met your significant other, the name of your favorite childhood friend, the street you lived on in third grade. It won’t be long before I know your oldest sibling’s birthday month and year, the middle name of your youngest child, your oldest sibling's middle name, the school you attended for sixth grade, and your childhood phone number including area code. You’ll have listed your oldest cousin's first and last name, the name of your first stuffed animal and the city or town where your mother and father met.
Your MySpace or Facebook Info page will tell me your email address and your employer. The “Who Are You Related To” quiz will tell me all your relatives. It’s great to know what cities you’ve visited, so when I start using your credit cards I won’t trip any suspicious-activity alerts.
Somehow or another, one of the eight thousand eight hundred and eighty four Facebook quizzes that everyone’s taken will provide me with the answers I’m looking for.
Because your bank, your credit card, your school, your payroll company and your employer might ask these security questions, I’ll read your blog so I can find out the first name of the boy or girl that you first kissed, the last name of your third grade teacher, where your nearest sibling lives and your youngest brother’s birthday. After reading your blog, even if I don’t have a direct answer to any of the security questions, I’ll know enough about you to start making really good guesses.
On LinkedIn you’ve listed the name of your elementary / primary school and the city or town where your first job was. I can see your college history and even all the people who connect with you doing business.
Even without all this data I could probably figure out what your passwords are. Most people use the same password for every web site. Here are the top ten according to PC Magazine:
1. password
2. 123456
3. qwerty
4. abc123
5. letmein
6. monkey
7. myspace1
8. password1
9. blink182
10. (your first name)
Didn’t have to do any research for those. The default passwords vendors ship with will also give me things to try: sun123, Cisco, Alcatel, Kyocera, McAfee and IBM. A surprising number of people never change the password from the default after installation. If the site requires six characters, I can guess shadow or summer and likely be right. Eight characters? Then desklamp or portable. I’m guessing people start looking around the room when they have to come up with a password quickly. If the password requires a number, it is almost always “1”.
But unless you’re using a combination of upper and lower case letters, numbers and symbols in a random order, I can either try a top ten favorite from above or dig into your (not very) private life and figure out your password. Or if I can’t figure out your password, I can answer the security questions that let me reset your password to one I like. Then you can’t get in, but I can.
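The checks a site should run before accepting a password, given exactly the weaknesses described above: the top-ten list, the vendor defaults, the dictionary words with a digit glued on, and passwords built from facts a quiz reveals. This is an added example, not code from the article; the deny-list entries are the ones named on the page, `SAMPLE_PROFILE` is constructed, and a real deployment would swap `WEAK_LIST` for a full breached-password list.

```python
"""Reject the kinds of weak passwords the article lists (added example, not the article's own code)."""
import re
from typing import Dict, List, Optional

# Top-ten passwords, vendor defaults and dictionary picks quoted on the page, lower-cased.
WEAK_LIST = {
    "password", "123456", "qwerty", "abc123", "letmein", "monkey",
    "myspace1", "password1", "blink182",
    "sun123", "cisco", "alcatel", "kyocera", "mcafee", "ibm",
    "shadow", "summer", "desklamp", "portable",
}

# Constructed profile: the facts a "How Well Do You Know Me" quiz would expose.
SAMPLE_PROFILE: Dict[str, object] = {
    "first_name": "Ron",
    "pet": "Fido",
    "birth_year": 1984,
    "high_school": "Lincoln",
}


def normalize(pw: str) -> str:
    """Lower-case and strip trailing digits so 'Summer1' is caught as 'summer'."""
    return re.sub(r"\d+$", "", pw.lower())


def derived_from_profile(pw: str, profile: Dict[str, object]) -> Optional[str]:
    """Return the profile field the password appears to contain, else None.

    Matching is case-insensitive and substring-based, so 'Fido1984!' is
    rejected for containing the pet's name even with symbols around it.
    """
    low = pw.lower()
    for field, value in profile.items():
        v = str(value).lower()
        if len(v) >= 3 and v in low:
            return field
    return None


def check_password(pw: str, profile: Dict[str, object]) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons: List[str] = []
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if pw.lower() in WEAK_LIST or normalize(pw) in WEAK_LIST:
        reasons.append("on the known-weak list")
    field = derived_from_profile(pw, profile)
    if field:
        reasons.append(f"contains profile data ({field})")
    # Count character classes present: lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("needs at least three character classes")
    return reasons


if __name__ == "__main__":
    for candidate in ("password1", "Fido1984!!", "Tq7#vLm2&xRp9!"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "accepted")
```

The profile check is the part most sites skip: a long, mixed-case password that is built from the user's pet and birth year still fails, because those are exactly the facts the article shows an attacker collecting.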
My first step will be to break into your email. Most of us have had our email addresses for a very long time, so the password we chose is likely a product of that time period. I signed up for my Yahoo email when it came out, probably a decade ago. I wanted to grab my name before other computer-savvy “shulkin”s did. Those were years with fewer concerns about password strength.
I’ll break into your email account late at night, so when the notifications of password changes come in, I can delete them before you wake up and check your email. Hopefully you’ll have a folder in your email system called “passwords”. That will make the rest of this identity theft easier. And if there’s anything good in your inbox, I’ll read it and mark it “unread” before I go.
Once in your email system, I’ll go after your credit card and bank accounts. I’ll answer the security questions to change the password, “in case I forgot it”. Then they’ll send that notification to your email address and I’ll delete those too. I’ll know what web sites you subscribe to, so I’ll go on eBay, Hoovers and all your other resources. This will let me learn even more about you.
My next pass will be to get into your cell phone account. You manage it online, so I can get that password through the security questions. I can look up all the phone numbers you get calls from and whom you call. These friends of yours might be my next targets. Maybe your girlfriend is using a combination of your first name and your birthday as her password. Worth a try. It will still be hours before either you or she wakes up.
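The sequence just described, a reset through security questions followed by deleting the change notification while the owner sleeps, is detectable from an account's own event log. This added example (not the article's code) runs a simple rule over constructed log lines: flag a security-question reset that happens during the account's idle hours or whose notification email is deleted within a few minutes. The log format, `QUIET_HOURS`, and `DELETE_WINDOW` are assumptions.

```python
"""Flag the reset-then-delete-notification pattern from account event logs (added example)."""
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample log. Format (assumed): "<ISO timestamp> <user> <event> <detail>"
SAMPLE_LOG = """\
2009-06-02T02:14:05 alice login_success ip=203.0.113.7
2009-06-02T02:15:40 alice password_reset method=security_questions
2009-06-02T02:15:41 alice mail_received subject=Your_password_was_changed
2009-06-02T02:16:02 alice mail_deleted subject=Your_password_was_changed
2009-06-02T14:03:11 bob password_reset method=security_questions
2009-06-02T14:03:12 bob mail_received subject=Your_password_was_changed
2009-06-02T18:40:00 bob login_success ip=198.51.100.2
"""

QUIET_HOURS = range(0, 6)               # assumption: 00:00-05:59 is when the owner is asleep
DELETE_WINDOW = timedelta(minutes=10)   # assumption: a real owner rarely deletes the notice this fast

Event = Tuple[datetime, str, str, str]


def parse(log: str) -> List[Event]:
    """Split each line into (timestamp, user, event, detail)."""
    events: List[Event] = []
    for line in log.splitlines():
        ts, user, event, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, event, detail))
    return events


def suspicious_resets(log: str) -> List[str]:
    """Return one finding per security-question reset that matches the takeover pattern."""
    events = parse(log)
    flagged: List[str] = []
    for ts, user, event, detail in events:
        if event != "password_reset" or "security_questions" not in detail:
            continue
        reasons = []
        if ts.hour in QUIET_HOURS:
            reasons.append("reset during quiet hours")
        # Look for the change notification being deleted shortly after the reset.
        for ts2, u2, e2, d2 in events:
            if (u2 == user and e2 == "mail_deleted"
                    and "password_was_changed" in d2
                    and ts <= ts2 <= ts + DELETE_WINDOW):
                reasons.append("notification deleted within %d min" % (DELETE_WINDOW.seconds // 60))
                break
        if reasons:
            flagged.append(f"{user}: " + "; ".join(reasons))
    return flagged


if __name__ == "__main__":
    for finding in suspicious_resets(SAMPLE_LOG):
        print(finding)
```

Bob's daytime reset with the notification left in place is not flagged; Alice's 2 a.m. reset with the notice deleted 22 seconds later is. In practice the deletion signal is the stronger one, since the attacker has to remove the notice before the owner reads it.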
So if you wake up one morning and all your credit cards are cancelled, or you’ve bought some airplane tickets or a nice HDTV (drop-shipped to an address one door down from yours, where I’ll be waiting, having tracked the shipment so I know exactly when it arrives), or your cell phone has ordered a bunch of custom ring tones, or your bank has transferred most of your funds to my favorite charity, you’ll know that you answered one too many questions on that Facebook quiz.
Some things are meant to stay private. When you get on Facebook, stick to reminiscing about high school.
Comments
Hi Ron,
GREAT article!!! While I find that most of what people put on Facebook is pretty uninteresting, I do find a positive correlation between answering those quizzes and having free time to absolutely waste, or a negative correlation between answering the quizzes and having a life of value.
I personally NEVER muck around with those things (who has the time?), change my passwords regularly and use passwords that you cannot figure out. Common sense in an era of electronic voyeurism and exhibitionism would go a long way IF people were to use it. Just ask Lindsay Lohan.
If common sense prevailed, Ron my man you'd need to find something else to write about, but instead, the quizzes keep coming, we keep deleting, and the identity restoration business is thriving.
Silly....
Thanks for raising a great topic and waxing poetic on it....
Identity stealers are bad enough - but criminal predators can find out far more than they should about your children as well. This was, in fact, the source cause of the death of myspace, their staunch refusal to do anything to reclaim their brand from the pedophiles and FBI shows who made it their unpleasant playground.
In actual fact, I think the popularity of the quizzes and nonsense wanes in close proximity to one's growing lack of interest in winning online arguments about politics and religion. Honestly I'd rather break my laptop in half than read the painful secrets of most facebookers. And when I do fill out a quiz it is 100% comic relief. Anyone trying to steal my identity thusly would know a great deal about the things I like to brag about to anyone who will listen, and will find me either painfully banal or totally hilarious, but I've been working online long enough to know better than to admit to anything truthful or private anywhere online.
As a nonprofit org that tracks and reports online job scams, we recognize how important it is to raise awareness about online safety and will be sharing this article with our readers. Thanks for the great read - these are things EVERYONE should know!
I've long thought that Facebook, et al, should come with a warning like those Las Vegas ads. What you post on Facebook stays on Facebook, forever!
Hi Ron,
Thank you very much for this information. This is very valuable and must know topic for everybody using social networking.
- Peter
A better solution would be to avoid using these idiot facts about you as passwords. Someday soon we'll stop using passwords anyway and have some alternative type of id. I just paid for my groceries (and got discounted prices) using my thumb print.
All this hype is non-sense....unless you're really stupid. In that case, stay off the internet.
Passwords are one of the few items that people forget open doors to a whole new world. There are very simple, easy to remember ideas that can help you plan a password.
I once used the first characters of a phrase, so "what time is dinner tonight?" becomes "WtIdT?"; then I added a number at the beginning and the end and an 8-character password becomes 9WtIdT?!
For an article on good passwords go to >> resourcema dot com/2009/06/01/how-to-choose-very-strong-passwords-that-are-easy-to-remember/
Steve Brown
Live Event Planners and Production marketers
www dot ResourceMA dot com
When my boyfriend set up my wireless connection he used all 36 possible characters in random order with upper case, lower case, and numbers all mixed in. One would have a better chance at winning the lottery than hacking into my connection. Besides that, anyone smart enough to try probably backs off when they see my connection name "FCC Tower #7".
<sarcasm>When it comes to security questions I know I'm safe. I haven't told anyone my mother's maiden name... um, except my whole family knows and probably half of the small town we live in...but I'm sure none of them would try to use any of my accounts!</sarcasm>
Thanks for the tips!
Great article!
You need to be the most jobless person on the planet to sit and go through that much detail, and only if the person you are going through is that stupid.
Go get a life rather.
This is only fit for people who know nothing about being secure with their passwords.
If Raja (first comment) thinks that only jobless people would bother to go to such lengths to steal personal information he is sadly mistaken. There are 'professional' identity thieves who _will_ go to such lengths and more to secure an identity because in the right (wrong?) hands it is worth a lot of money, and this applies just as much in the real world as to the internet.
Ron -
Thanks for shedding light on such an important issue.
The new ways people are finding to exploit personal information are amazing. McAfee also sheds light on many similar issues in their Stop H*Commerce documentary (stophcommerce.com) It's extremely important that people stay educated on how they can be put at risk online - especially with the social networking and social media landscape changing every day.
Keep up the good work!
Great article. His comment about confession and catharsis reminded me of a book by a Boston sociologist called "The Pursuit of Loneliness" and another book by a Jesuit priest called "Why am I afraid to tell you who I am?"
It is sad. I watch my son and his friends using technology to communicate, and to put up barriers to being hurt.
But then I realize that there is only one "safe" place. And even safety there is not free from suffering. And that is in the arms of Jesus.
Still, I thought that the article was informative and insightful.
I'm surprised to see that "sample" isn't in the top ten passwords. It was the example given in some of the Digital Equipment (remember them?) manuals. I had to spend a lot of time convincing people that "sample" was not the only available password! It took me "breaking in" to get the message across.
Great article. A more important reason to be careful besides the junkware that gets loaded when you answer one of these quizzes.
This would be good information, but I can get all the same info and more--and faster--by using zabasearch and docusearch, and those cover people who aren't even on the internet, let alone social networking! Advice like this gives people the impression they can protect their identity by being more private online, but it's just not true. Any ID thief with any experience is going to use websites like the ones I talked about, where you can get a SSN within half an hour, without ever trying to guess someone's password. Becoming a cyber-hermit might be a reasonable price to protect your identity, but only if it actually works. Sad news, it doesn't.
Great Article..People don't know when they give such kind of private information via facebook or myspace..Because they never know how this information is used for Hacking..
"Hackers are very Smart"
In general I advise users not to use generic criteria for their answers.
My childhood pet? FB answer - Fudgey Lumpking the 3rd = real name - Huey
So on and so forth... bar codes (UPC) are a good idea, break them up with lettering.
For example: Generic Kleenex 4x10 200 Ct. = 36000 28201 - password created I36000d28201S
Simple things like this can prevent you from getting pwned in a world where you give all your information away.
Also, if you use, love, sex, god, abc123 or 12345 (luggage combination?) for your password, you deserve to have your information stolen and used for practical joking purposes.
The article and comments (so far) have missed one of the most obvious vulnerabilities. I can personally attest.
One morning I woke up before the garbage truck came, yet my trash was already gone. Trash can and all.
Getting all paranoid about online security is like moving into a gated community and leaving your doors unlocked.
You're pointing out a problem, but solving it in the WRONG way. Instead teach people how to create and use STRONGER passwords. This will protect them from other ways of infiltration, while still allowing them more freedom and fun on facebook. There is a value in freedom and we can't keep shrinking our freedom endlessly in the name of security by following "everyone's" "advice".. else taken to a logical extreme one day we'll all be told to stay in our homes under 24 hour curfew, for our own "safety".
Are you one of Kevin Mitnick's degenerates? Just Kidding. It's all true, but at the heart of it lies the real truth - the generalized stupidity of humanity which manifests itself almost everywhere else including the financial system and government.
Maybe if you get access to their work network you can set up false DNS records for all the top social networking and email sites that produce a "server error." "Oh well, something's wrong with the internet," they'll say, "maybe I'll do some work now." And in an hour it'll all be back to normal and you'll have access to hundreds of accounts.
Interesting! Thanks for sharing. I was annoyed when people sent me the 25 Facts About Me quiz because I thought, how does anyone have time to do that? This article brings more to light. Discretion and public profile are still important! Now, where the heck is my diary LOL!!! Whoops, they can get that too. Appreciate you. :)
Probably all true. Lets face it: there is no such thing as gravity, the world sucks! If they find out your name and they want you they will get you.
Lol!! I find it amusing people are actually blatantly foolish enough to fall for ANY of this!! Wow! I am referring, of course, to the "quizzes" that nearly everyone posts on their social network page. Other things, people should know better to take precaution. These sites are almost like a bragging page of sorts...*face palms*
I've written about a somewhat more sophisticated attack:
http://blog.mostof.it/how-to-steal-a-facebook-identity/