Back to all blog posts

Social Engineering and Challenge Questions

A recent security breach of Apple’s iCloud security resulted in a journalist’s data being wiped out on his MacBook, iPad, and iPhone. The breach was accomplished through some cleaver social engineering. For those unfamiliar with the term, social engineering is the practice of manipulating people to do something that would cause them to share confidential information. This information is then used to allow someone to impersonate someone else, gaining access to financial or other accounts. Phishing would be a common form of social engineering.

The Apple situation got me to thinking about how help desks verify the identity of who they are talking to. Many company’s take the approach of asking challenge questions based on information you have provided to them or questions you have pre-answered. When creating these questions there is always a balance between selecting information that will keep the site secure versus making it easy for the customer to remember how they answered. You don’t want the answers so easy that the answers may be guessed (or found in a social networking site) and you don’t want them too difficult so that your customer cannot remember the answer themselves. I provided a list of some typical challenge questions at the end of this post.

One alternative to this is for a company to do some social engineering of their own by collecting information from various public sources and asking some questions based on that collection. I was once surprised when working with a brokerage company that asked me for my maternal grandmother’s birth date, the make and model of car I drove in 1995, and my sister’s husband’s mother’s first name. I had not provided that  information to the brokerage when I set up the account (nor did I remember some of it) but it is all public record.

Another alternative is for a company to use a second factor of authentication such as a secret code, a password, or some recent information that the company and customer share. A trend in this from banks has been to be to ask for  the current balance in an account or the size of a recent deposit.

Google’s has the ability is to send a passcode to your mobile phone each time your account is accessed through a new computer. Users need to sign up for this service…I wonder how many do.

Whatever identification mechanism you use it should be applied not only to customer help desks, but to internal help desks as well. If you have a human resources help desk, for example, you may give callers access to personal information such as salary, benefits, health status, and dependents.  Selecting challenge questions for this community becomes more difficult since the population is so small and “secrets” are harder to keep. Most employees know something about their colleague’s home towns,schools, team affiliations, hobbies, families, and vacations  or can easily find these things out just by asking around or visiting a person’s office.

As an aside, take a look at your policies on the number of retries to answer a question. Just think of a company in the Boston area asking their employees for a favorite sports team as a challenge question and then allowing three tries. Let’s see…Red Sox? Celtics? Bruins?

Many challenge questions ask things that are readily accessible through social networking, genealogy, or other public information web sites. Here are some typical challenge questions gathered from some banks and social networking sites.  How many of these might you be able answer for someone else with a little on-line searching?

  • In what city were you living at age 16?
  • What is your favorite movie?
  • What is the name of your first niece/nephew?
  • What is your maternal grandmother’s first name?
  • What is your maternal grandfather’s first name?
  • In what city were you born? (Enter full name of city only)
  • What was the name of your first pet?
  • What was your high school mascot?
  • How old were you at your wedding? (Enter age as digits.)
  • In what year (YYYY) did you graduate from high school?
  • What is the name of the first company you worked for?
  • What is the first name of your oldest niece/nephew?
  • What was the name of the first school you attended?
  • What was the first live concert you attended?
  • On what street did you grow up?
  • What is your mother’s/father’s middle name?
  • In what city were you married?
  • What is the first name of your first child?
  • What is the name of your first employer?
  • What is the first name of the best man/maid of honor at your wedding?
  • What was the first name of your first manager?
  • With what company did you hold your first job?
  • What is your oldest sibling’s middle name?
  • In what city was your mother/father born? (Enter full name of city only)
  • What was the name of your first boyfriend or girlfriend?
  • In what city did you honeymoon? (Enter full name of city only)
  • What is your maternal/paternal grandmother’s/grandfather’s first name?
  • In which city did you meet your spouse for the first time?
  • Who is your favorite childhood superhero?
  • What is your best friend’s first name?
  • What was the last name of your first grade teacher?
  • In what city or town was your mother/father born?
  • What street did you live on when you were 8 years old?
  • What was the last name of your third grade teacher?
  • What was your grandmother’s/grandfather’s occupation?
  • In what city is your vacation home? (Enter full name of city only)
  • What was the name of your junior high school? (Enter only “Riverdale” for Riverdale Junior High School)
  • What street did your best friend in high school live on? (Enter full name of street only)
  • What was the last name of your favorite teacher in your final year of high school?
  • Where did you meet your spouse for the first time? (Enter full name of city only)
  • What was your favorite restaurant in college?