Don’t Give Away the Keys to Your (Online) Castle

Here’s a question for you. How many of your immediate family members know what make and model your first car was? Probably most of them, right? Now, how about your friends? It’s likely a few of your oldest friends remember getting rides around town in your clunker of a Volkswagon that belched black smoke out the back as though it ran on coal. Now, what about your extended circle of friends, or ‘Acquaintances,’ as Facebook would categorize them? Not many, right? Not unless you ever posted a picture of your first car and tagged it ‘#ThrowbackThursday’, I’d guess.

For years now, social media has been seen as something fun and harmless, a way to stay in touch with friends and family and to show off pictures of your latest haircut or culinary creation. Now, following the new revelations about third party companies collecting information from millions of people via seemingly innocuous social media quizzes and leveraging it for political and financial gains, the friendly, fuzzy face of social media has (in the immortal words of Monty Python) been revealed to have nasty big pointy teeth.

When Personal Information Becomes Public

The age of the online innocence of these platforms, it seems, is long over. Users have been told time and again, “if you don’t pay for a product, the product being sold is you.” And yet we choose to ignore warnings like these, signing away our digital soul for the chance to look at cat videos… and more cat videos.

According to a new 2018 Pew Research Center survey, “Roughly two-thirds of U.S. adults (68%) now report that they are Facebook users… Fully 74% of Facebook users say they visit the site daily, with around half (51%) saying they do several times a day.” We collectively spend millions of hours using online platforms, posting pictures of our daily lives, filling out nonsensical surveys to discover what kind of fruit (?) we are or what color our aura (??) is, chatting publicly to friends on news sites that quietly index our conversations and make them available on Google, often with our real name attached.

But are we using the Internet, or is the Internet using us? Over the last decade or so that social media sites have been in existence, each and every one of us has generated a vast and sprawling digital paper trail containing a rich treasure trove of information about us and the daily miniature of our lives that advertisers and other with more nefarious motives (identity theft, anyone?) have been quietly siphoning off for later self-serving use. This may include:

  • Pictures of our children and pets uploaded to Instagram, with their names and ages helpfully added in the caption box.
  • Discussions and photos of the various automobiles we’ve owned posted on car forums and auto sites.
  • #ThrowbackThursday” posts of our grandparents and families on Facebook, with their full names given.
  • Publicly joining groups that serve as meetups or online photo records of your high school.
  • Publicly posting our full resumes on LinkedIn, complete with dates and cities where you lived/worked.
  • Writing reviews on Yelp of our favorite restaurants and stores.
  • Uploading old school photos and tagging friends and locations.

Why What You Let the Internet Know Can Hurt You

Now, think of the most common password reset questions. These questions are commonly used by almost every online service you can think of, from your store cards, to your bank, to your 401k provider. Some of the most common questions include:

  • What is your mother's maiden name?
  • What was the name of your first pet?
  • What was your first car?
  • What was your first job?
  • What elementary school did you attend?
  • Who was your best friend in high school?
  • Where did you meet your husband/wife?
  • What is the name of the town where you were born?

Back when this practice was first adopted, the Internet was in its infancy and these questions would have been hard for anyone but your immediate family to guess. Now, with the vast urban sprawl of social media sweeping our life history into one convenient and publicly accessible place, finding out the answers to most of these questions is within the easy reach of anyone who knows how to use Google.

Put simply, cybercriminals love online password reset questions because the answers are so ridiculously easy to find out online. Who remembers the Sarah Palin email hack? A 20-year-old college student obtained access to Palin's Yahoo email account by researching her life online using everyday websites like Wikipedia to find out details such as her high school and birthdate, then using that information to recover the password to her account and gain access. Mitt Romney’s Hotmail account was hacked when the attacker found out what his favorite animal was.

Security guru Brain Krebs has advised his followers this week to be extra cautious what you reveal about your past when posting online; you can read his eye-opening article about why you shouldn’t respond honestly to online surveys here.

Adopting Social Media Best Practices

Now, I’ll be the first to admit that unless you suddenly find yourself with several free months on your hands to go through the entire Internet and delete everything you’ve ever posted and had posted about you, you’re stuck. We all are. Particularly hard-hit are famous people such as musicians or actors, as every detail of their lives are posted about continuously online, on top of them already being high-profile targets to hackers.

Social Media platforms in many cases share this blame, because they make it extremely difficult to quickly and easily erase your past posts. Even if you wipe your whole account, it’s likely they will hang onto your information for a while; they may even have already sold it to third parties (and informed you they will do so on page 74 of 191 of the Fine Print you blindly clicked “Yes!” on when signing up). 

So how do you clean up your past online cyber-hygiene fails? There have been many fine articles written about how to give the Internet a good ol’ deep cleanse and blitz the worst of your online gaffes. An entire cottage industry has even sprung up offering paid services that promise to wipe every trace of your existence from the net (most state that “results may vary” so buyer beware).

For most of us, though, it’s actually quicker and easier to go into each of our online accounts and change the answers to our secret questions, rather than trying to erase our full online existence.

Here’s the trick: Remember, there’s no requirement to be truthful when answering your secret password reset questions online, so set fake answers to your ‘password reset’ questions and do whatever you need to do to ensure you remember them. Here are some tips:

  • Don’t use any word as a secret password reset answer that someone could guess as being associated with your name – so pets/children’s names are out, as are birthdays, phone numbers, and the names of your spouse, favorite baseball team or TV show.
  • Don’t use the same fake answer for more than one site (which is how we all got into this mess to begin with).
  • Make sure too that your answers are longer than one word, and make them complex, using a mix of letters, numbers and special characters, the same way as you’d set a password.
  • Better still, use a password manager and have the manager generate randomized strings of letters and numbers for each ‘secret question.’

Or, just do what Stuart Schechter, a researcher with software giant Microsoft, does: he simply types in a random answer to each question or mashes the computer keys, and then calls the company directly if he needs to reset his password.

These steps may be a little time consuming, but until the entire Internet comes together as one and decides to kill outdated password reset questions, following these best practices will ensures your account security is better than most.


NOTE: The opinions expressed here are solely those of the author, and do not necessarily reflect those of Cylance. Information given is intended for educational purposes only, and is not intended as full technical instruction. Cylance is not responsible for any type of damages or losses resulting from following advice contained herein.