(Mis)Uses of Technology

by Mike Masnick


Filed Under: bad security, questions, security

Companies: sprint

Dumb Sprint 'Security' Questions Make It Easier To Hijack Accounts

from the with-security-like-that... dept

In the last year or so, there's been a disturbing trend of companies adding absolutely ridiculous and counterproductive "security" questions on various sites. Most of these do absolutely nothing good in terms of security. In fact, it seems the more ridiculous these features are, the less secure a site actually is. I've been collecting some examples of the more bizarre "security" features I've been seeing lately, with the really ridiculous "security questions" being quite popular. This is when the site gives you a bunch of questions to choose from -- but often those questions are not the sort that have a single answer, or an answer that's easily memorable. For example, I just saw one that asked "What's a place you'd like to visit someday?" Well, there are a few, but I doubt I could remember the one I picked. And what happens if I do visit that place before the next time I need to answer that question?

I was recently discussing this with a colleague who told me that if I wanted to see the most ridiculous example, I should look at Sprint's system, as it had a bunch of security questions where it tried to pull information on you. Before I had a chance to check it out, it looks like the folks over at Consumerist decided to take on Sprint, and discovered not just how ridiculous the questions are but noticed some patterns that make it quite easy to get control of any Sprint user's account.

The way it works is Sprint asks you a series of "security" questions that it thinks only you would know the answer to. Things like "what type of car has been registered at your address?" and "which of the following people has lived at your address?" It sounds like some data collection company probably convinced Sprint to purchase access to their data to set up these questions in the name of "security." The problem is that if you know just a little about certain people, you can easily guess the answers. Even worse, a former Sprint employee notes that, mostly to avoid "accidentally" having two right answers, it's usually quite easy to figure out the actual answers. For example, on the automobile question, the incorrect answers are usually expensive luxury vehicles.
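To put a number on how little protection such a quiz offers, here is an added example (not part of the original post, and not a model of Sprint's actual system) that estimates the chance of passing a multiple-choice question set by guessing, before and after obviously wrong answers are discarded. The option counts, the number of discardable wrong answers and the pass threshold are constructed assumptions.

```python
import math

def guess_probability(num_options, eliminable):
    """Chance of a correct guess once `eliminable` wrong answers are ruled out."""
    remaining = num_options - eliminable
    if eliminable < 0 or remaining < 1:
        raise ValueError("the correct option must remain among the choices")
    return 1.0 / remaining

def pass_probability(per_question, required):
    """P(at least `required` correct) for independent questions.

    Each question may have a different success chance, so this builds the
    Poisson-binomial distribution with a small dynamic program.
    """
    dist = [1.0]  # dist[k] = P(exactly k correct so far)
    for p in per_question:
        nxt = [0.0] * (len(dist) + 1)
        for k, mass in enumerate(dist):
            nxt[k] += mass * (1 - p)      # this question answered wrong
            nxt[k + 1] += mass * p        # this question answered right
        dist = nxt
    return sum(dist[required:])

def equivalent_bits(p):
    """Guessing resistance as bits: a secret with 2**bits equally likely values."""
    return -math.log2(p)

def audit(quiz, required):
    """quiz: list of (number of options, wrong answers a reader can discard)."""
    probs = [guess_probability(n, e) for n, e in quiz]
    p = pass_probability(probs, required)
    return p, equivalent_bits(p)

# Constructed sample data: three four-option questions.
QUIZ = [(4, 0), (4, 0), (4, 0)]          # every wrong answer looks plausible
QUIZ_LEAKY = [(4, 3), (4, 2), (4, 2)]    # wrong answers stand out, e.g. luxury cars

if __name__ == "__main__":
    for name, quiz in (("plausible wrong answers", QUIZ),
                       ("obvious wrong answers", QUIZ_LEAKY)):
        p, bits = audit(quiz, required=3)
        print(f"{name}: pass chance {p:.4f}, about {bits:.1f} bits")
```

For comparison, a randomly chosen four-digit PIN is worth about 13.3 bits, so even the best case for this constructed quiz is far weaker than a short PIN.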

This isn't "security." It's barely security theater. It's a huge security hole. Hopefully with a little attention Sprint gets rid of it and puts something more reasonable in place. I just hope it doesn't involve asking me where I hope to travel some day.
