Like any good Information Security professional, I enjoy scaring the daylights out of my friends and family about protecting their sensitive data. It’s kind of a hobby. The sheer panic I can incite with a “You know what a hacker would do with that information? That’s right – ruin your life.” is exhilarating to experience.
Today, though, I’ve had more opportunities in a single day to ~~torture~~ educate my friends and family on sensitive data protection. And all because Prince Harry intends to marry an American divorcée and actress named Meghan Markle.
Everyone, it seems, has Royal Wedding fever. They’re sharing their plans for waking up at the crack of dawn to watch people they will never meet join together in Holy Matrimony. They’re comparing what the royal brides of yesteryear wore. Even listening to Royal Wedding podcasts. Yes, people are making podcasts about the royal wedding. It’s the social event of the season, after all, and everyone wants a little piece of it.
But there is one nefarious Royal Wedding tidbit making the rounds, and it is the Social (Engineering) event of the season. Shocking! Someone is taking advantage of pop culture for criminal purposes!
Here is the simple little Facebook game that is opening people up to a very simple form of identity theft – account takeovers using security questions.
I’ve been warning every one of my friends who posts this on Facebook that answering these questions opens them up to identity theft. But I am not sure that they understand how, so I think it makes sense to provide some more detail.
Every time you set up a new account, you’re asked to provide some “security questions” to protect you from unauthorized access to your account. The security questions, however, are almost always limited to a fixed list of questions that the programmers implemented. Things like “What’s the name of your first pet?”, “What street did you grow up on?” or “What was your grandfather’s first name?” If you take a look at the meme above… well, well, well – we’ve hit all three.
As a hacker, all it takes for me to access your account right now is your email address. And that’s easy to find. Just because you played a little game on Facebook, you could stand to lose your life savings, have someone submit a tax return in your name, or order a bunch of stuffed monkeys from your favorite eCommerce site.
Do I have your attention yet? Social Engineering is real, and it’s so simple for you to fall prey to people who mean you harm. Protect your data. Protect your personal information. Protect your digital life.
And did I incite panic? Because that was, after all, my goal.