Wednesday, May 31, 2023

Memorial Day Opsec

I visited my grandparents' grave on Memorial Day. My grandfather served in the US Army in WW II, and my grandmother is buried beside him. I shared an uncaptioned picture on Facebook of their headstones with flags in the background.

It was a huge opsec failure.

My grandparents' last name is my mother's maiden name, the most common "security question" on the planet. Though I didn't identify them as my maternal grandparents, it's fairly obvious they don't share my last name, and their birth/death dates all but confirm that they're the right age to be my mother's parents.

Everything you share--no matter how small, innocuous, or minimally identifiable--helps create a more complete and exploitable digital footprint. I weaponized data against myself simply by sharing uncaptioned content.

Security questions are almost as dangerous as bad password policies. The ones that are easy to remember are also easy to guess or prize from social media.

Mother’s maiden name: launch this one into the sun. Maybe this was ok in the days before social media, but now it’s way too easy to connect dots through online friendships.
Birth city: over 50% of Americans live in the state where they were born. Some surveys put the number over 50% for still living in the same city. Nuke this question. A guess shouldn’t yield a >50% success rate.
Elementary / High school: Kind of a combo play on the questions above: if you can suss out a person’s city or state and see their friends list on any social media platform, you’ve probably already gotten their entire educational history. I think the only one that might be tough from my past is middle school, maybe. Maybe.
First pet: People generally love to gush over early pet experiences.

The harder ones force me to remember how I answered them originally:

First car: did I list the brand? The model? The year? The sub-model? I might have listed the color on one security question, and not on another.
Favorite color: My children have favorite colors.
Best friend: Uh....when? I only met my current best friend a little over a decade ago, and I’ve been filling out these questions for over 20 years.
Favorite teacher: Bro I trudged through over 16 years of education, and that was over 25 years ago--is that a thing people actually remember?
Favorite food: Again, when? I'm lucky if I can remember what I just had for breakfast.

And don’t go tacking on ‘as a child’ as a qualifier to any of these, because as I bear down on AARP eligibility, everybody under 25 looks like children, and there were times when my budget dictated that ramen was my favorite food.

Until all apps and all platforms accept passkeys, decentralized identity, or other hardware-backed authentication (and users learn the vital importance of backing up their app-based authentication configurations), I see no functional way to avoid security questions. Just be careful that the answers to those sacred questions are protected with the same gusto as a bad password.
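One concrete way to apply that advice, as an added example rather than anything from the post: generate answers that have nothing to do with your life (and keep them in a password manager), and, on the service side, normalize and hash them exactly as a password would be. The word list and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import os
import secrets
import unicodedata

# Constructed word list for the example; a real deployment would use a far
# larger list, or simply a long random string from a password manager.
WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "garnet",
         "harbor", "iris", "juniper", "kelp", "lantern", "meadow", "nectar"]

# Assumed work factor for PBKDF2-HMAC-SHA256 (tune to the server's budget).
ITERATIONS = 600_000


def random_answer(words=4):
    """Answer with no link to the user's history, so it cannot be scraped
    from social media. It is a password, so it lives in a password manager."""
    return "-".join(secrets.choice(WORDS) for _ in range(words))


def normalize(answer):
    """Canonicalize so 'Ford Mustang' and ' ford  MUSTANG ' verify the same.
    This only fixes the 'how did I phrase it originally' problem; it does
    nothing to make a guessable answer stronger."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def store_answer(answer):
    """Store the answer like a password: per-record random salt + slow hash,
    never the plaintext (a leaked answer table is a leaked password table)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                                 salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": ITERATIONS}


def verify_answer(record, candidate):
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(),
                                 record["salt"], record["iterations"])
    return secrets.compare_digest(digest, record["digest"])
```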