Apple AppStore and "Security Questions"



  • I just tried to download an app from iOS 6's updated AppStore. As usual it asks me to log in with my password to proceed and off we go.
    But wait what's that? A message pops up saying (translated):

    Increase security of your Apple-ID
    To guarantuee the security of your Apple-ID, please choose 3 security questions and answers.
    [Not Now]       [Next]

    As security questions are crap, obviously I click "not now". But it stops downloading the app. I'm confused and try again. Same thing. It doesn't let me download the app without clicking "Next".

    WHY THE FUCK do you do that???
    - Security questions add no security at all. I have a password to secure the account and you have my email address if I lose the password. The "security" questions don't buy me anything and can be easily guessed by pretty much everybody. Service Announcement: My first pet is NOT A SECRET. So shove them.
    - Even if it did increase the security later on, it doesn't do so for the current transaction, i.e. downloading that app. If I am in anyway compromised already, the attacker can just fill in these questions for me right now. So why is this crap coupled with what I am doing RIGHT NOW when it has a "Not Now" button in the first place. Seriously??



  • I used 1Password to generate 50-character-long speakable passwords for the three questions. so yeah, I have three questions and three answers, but they're not guessable "in a million years". :)



  • @topspin said:

    - The "security" questions don't buy me anything and can be easily guessed by pretty much everybody. Service Announcement: My first pet is NOT A SECRET. So shove them.
     

    That's why you don't put in the name of your first pet.  Use your father's middle name instead of your mother's maiden name.  Or the name of your pet cat that got tragically hit by a car and killed when you were twelve instead of the name of your first pet.  Answer something that you can easily remember, but that would be significantly difficult for a person attempting to hack you to guess.

     



  • No, you put the results of a random text generator into all three, and forget about it. Yes, my mothers maiden name is <font color="black" face="courier new,courier" size="2">{J}sj}reFm)iq6Rcb}ehIs!`=@S!q7uba[lZ72kB6o0$R20mb\nmRUJXoT8oO+7</font>



  • @robbak said:

    No, you put the results of a random text generator into all three, and forget about it. Yes, my mothers maiden name is <font color="black" face="courier new,courier" size="2">{J}sj}reFm)iq6Rcb}ehIs!`=@S!q7uba[lZ72kB6o0$R20mb\nmRUJXoT8oO+7</font>
    Is that the French or the British pronunciation?



  • @Mason Wheeler said:

    That's why you don't put in the name of your first pet.  Use your father's middle name instead of your mother's maiden name.  Or the name of your pet cat that got tragically hit by a car and killed when you were twelve instead of the name of your first pet.  Answer something that you can easily remember, but that would be significantly difficult for a person attempting to hack you to guess.
    This adds no security at all if you give the same answers to the same questions on every site that asks them. It needs only one of those site's databases to be compromised for your 'answers' to become public.



  • Yes, I've taken to treating these as separate password fields and putting randomly generated passwords in there. Of course, you have to store them in your password DB.



  • Mr. Boomzilla Johnson, son of Peter Johnson and Marianne RTkl3758CM$ Johnson, born in kgorpl68DSL, and owning a dog called 68378CLTOPX.



  •  TRTWF is that your choices are:

    [next]
    [not now][next]
    [not now][not now][next]
    :
    :



  • @robbak said:

    No, you put the results of a random text generator into all three, and forget about it. Yes, my mothers maiden name is <font color="black" face="courier new,courier" size="2">{J}sj}reFm)iq6Rcb}ehIs!`=@S!q7uba[lZ72kB6o0$R20mb\nmRUJXoT8oO+7</font>

    I used to do that, until I discovered a government site that I'd registered for demands you answer two (randomly-chosen) of your five security questions [i]every time you log in[/i]. (In their defence: at least it let you pick your own security questions, not just choose from the sort of questions that can be answered by looking at someone's Facebook profile).

    I personally still try to avoid using secret questions if I can. But if faced with a situation where they can't be avoided, an article I read once suggested using an algorithm along the lines of picking two words you can remember, and combining them with a keyword from the question. So if your magic words are, say, "cumquat" and "jihad", then your answer for the secret question "What is your mother's maiden name?" is "cumquat mother jihad", "What city were you born in?" is "cumquat city jihad", and so on.

    While this isn't ideal - if one site is compromised then others can be too - it's a bit better than picking questions where the answer can be worked out by a random stranger. Somehow salting this method with the name/provider of the site might help - because as we all know, banks/utility companies/government departments never change their name! Storing random secret answers in your password management tool of choice would get around this - but if everyone used password management tools then most of the problems "solved" by secret questions would no longer be problems anyway. Sigh.

     



  • @robbak said:

    No, you put the results of a random text generator into all three, and forget about it. Yes, my mothers maiden name is <font color="black" face="courier new,courier" size="2">{J}sj}reFm)iq6Rcb}ehIs!`=@S!q7uba[lZ72kB6o0$R20mb\nmRUJXoT8oO+7</font>

    This sort of thing works if only a machine is going to be verifying the answer. If it's a person (over the phone or something) and that's the answer they have on file, it's very likely that you can just say the words "a bunch of random characters" and be accepted.

    I did this with some ISP years ago. I had a security answer like that, and when I was asked for it over the phone I said "Oh, I don't remember — it was something stupid I just typed in there". The person responded by reading my answer out to me and asking me if it was correct.



  • What really bugs me is when the security questions are case sensitive.  Even though my personal favorite security question was not one that required me to provide an answer at all.  It was one of the credit score companies.  They asked what company I have my home loan with.  I freaked out when I saw it, since I was living in an apartment and had no home loan, and was immediately thinking someone had taken a loan out in my name.  It was multiple choice with 5 options with the fifth being none of the above.  I choose that and it passed.  I then spent a good 5 minutes looking at the report to find nothing about any loans on it.  Apparently it was a trick question in my case.



  • @Anketam said:

    What really bugs me is when the security questions are case sensitive.  Even though my personal favorite security question was not one that required me to provide an answer at all.  It was one of the credit score companies.  They asked what company I have my home loan with.  I freaked out when I saw it, since I was living in an apartment and had no home loan, and was immediately thinking someone had taken a loan out in my name.  It was multiple choice with 5 options with the fifth being none of the above.  I choose that and it passed.  I then spent a good 5 minutes looking at the report to find nothing about any loans on it.  Apparently it was a trick question in my case.

    I think they do that to try to trip up identity thieves or something. I got a similar question once: What is the monthly payment on your [car make and model]? I owned such a car at the time, but I'd bought it with cash; there was not and had never been a loan involved. One of the choices was $0.00, which was accepted as correct.



  • @Someone You Know said:

    I think they do that to try to trip up identity thieves or something. I got a similar question once: What is the monthly payment on your [car make and model]? I owned such a car at the time, but I'd bought it with cash; there was not and had never been a loan involved. One of the choices was $0.00, which was accepted as correct.

    Yes, this makes sense. Recently I was making a legitimate purchase on my debit card, but it was much larger than normal, and from a foreign company I'd never dealt with at all, and I also accidentally typoed when entering the codes on the back the first time. My bank got suspicious (and I'd have been upset if they didn't), so I phoned them to explain the situation. They asked a lot of questions to establish I was who I said I was, and I was impressed when they asked the "trick question". (Confused for a bit first, but I figured it out when they accepted my answer.) Also, I was impressed when I was transferred to someone else, who asked more questions, got halfway through asking a question, and realised that their colleague had asked it a litle earlier.

     



  • I had forgotten my password to a suppliers (of a software system) support site.

    So i used the "forgot password" and had to type in my email address, a pincode and answer to a security question.

    Shortly after I recieve a e-mail with my login and a one time use password..... and then in case i forgot they also added my pincode and answer to the security question, that i just typed to get the e-mail... in plain text, so now its defínently not a secret.....



  • @ais523 said:

    Yes, this makes sense. Recently I was making a legitimate purchase on my debit card, but it was much larger than normal, and from a foreign company I'd never dealt with at all, and I also accidentally typoed when entering the codes on the back the first time. My bank got suspicious (and I'd have been upset if they didn't), so I phoned them to explain the situation. They asked a lot of questions to establish I was who I said I was, and I was impressed when they asked the "trick question". (Confused for a bit first, but I figured it out when they accepted my answer.) Also, I was impressed when I was transferred to someone else, who asked more questions, got halfway through asking a question, and realised that their colleague had asked it a litle earlier.

     

    I've had this happen, too. But the problem I have is, they'll sometimes ask things like, "Which of these addresses have you lived at in the last 10 years?" and then they proceed to read off a bunch of addresses I didn't recognize. And it turns out that one of them was somewhere I lived for a few months and quickly moved out of because it was horrid, and I had completely forgotten about it. Luckily I remembered after a few moments of looking at the addresses, but it's really unhelpful that they have these questions that I legitimately might not know the answer to.



  • Multiple choice security questions? Yay!

    Come to think of it, how did UPS know my mother's first and last name already so it could ask for her maiden name? Instead of "What is your mother's maiden name?" it asked "What is Mrs. N. Ekolis's Mom's maiden name?" o.O

    Answering "kumquat jihad" is probably not a very good idea for a government website. Unless you live in Afghanistan, in which case ALLAHU AKBAR! Death to the infidels! Kumquat Jihad! :P



  • @ais523 said:

    (...) I was transferred to someone else, who asked more questions, got halfway through asking a question, and realised that their colleague had asked it a litle earlier.

     

    Bullshit. That would turn phone support into something useful, and that is as likely as santa claus being real.



  • @Paddles said:

    I used to do that, until I discovered a government site that I'd registered for demands you answer two (randomly-chosen) of your five security questions every time you log in. (In their defence: at least it let you pick your own security questions, not just choose from the sort of questions that can be answered by looking at someone's Facebook profile)

    Australia.gov.au does this. It's infuriating.

    My workaround was to set my five "security questions" to these:

    1. Enter your secondary password with 1 appended.
    2. Enter your secondary password with 2 appended.
    3. Enter your secondary password with 3 appended.
    4. Enter your secondary password with 4 appended.
    5. Enter your secondary password with 5 appended.

    and create the usual kind of long random password with KeePass. So answering the secret questions needs only Ctrl-V, one digit, tab, Ctrl-V, one digit, tab.



  • @atipico said:

    @ais523 said:
    (...) I was transferred to someone else, who asked more questions, got halfway through asking a question, and realised that their colleague had asked it a litle earlier.

     

    Bullshit. That would turn phone support into something useful, and that is as likely as santa claus being real.

    I remember seeing this exact post, like, two months ago. I'm all confusededed now.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.