OK, I know students are usually exempt from WTFs, which is why I'm posting this one to the sidebar.
As a student at a major London university, I'm always getting emails asking me to take some survey concocted by a final year student for their dissertation. I usually do the ones which promise a free prize draw. I haven't won yet, but you never know. Anyway, I recently got this email:
Subject: *First Prize £100, Second Prize £50* - Challenge Question Study
From: [lets call him H]
Date: 09/07/2010 10:18
To: students@cs.myuniversity.ac.uk
Dear All,
I am currently conducting a study into the use of Challenge Questions, which have increasingly been used for password resetting. The survey only takes a few minutes and will be available online; it will be repeated once more after two weeks.
*Win £100 or £50* for taking part in the study
Please send me an email if you are interested stating whether you are an Undergraduate or Postgraduate on h@myuniversity.ac.uk . Your responses are greatly appreciated!
If you have any questions, feel free to contact me on.
Best wishes,
H
MSc Information Security
I responded and got a link to the survey. After a couple of demographic type questions we got to the meat of the study, and these questions:
1. Please select ONE question you would like to answer [dropdown containing a list of security questions: what was your first pet's name, mother's maiden name, etc.]
2. Please enter your answer here
3. Please provide a Hint for your answer to aid you with recalling your answer.
I wrote something along the lines of "I'm certainly not going to tell you that!" in the answer box. The rest of the survey was more of the same, asking me three times to pick a security question and provide the answer. Each time I didn't provide the answer (I may have got a little snarky by question 3.) Then ensued the following email exchange:
Date: Tue, 13 Jul 2010 10:28:24 +0100
From: Misha
To: H
Subject: Re: *First Prize £100, Second Prize £50* - Challenge Question Study
H wrote:
> Hi Misha,
>
> Here's the link for the survey, If you have any undergrad friends that will be interested please pass it on to them. Thank you :)
>
> http://www.surveymonkey.com/s/REDACTED
>
>
>
I've taken your survey, but I suspect I'm not of use to you, since I have refused to provide any secret answers on security grounds. If you don't want to enter me into the prize draw, I understand.
Regards,
Misha
From: H
Date: 13/07/2010 10:29
Subject: Re: *First Prize £100, Second Prize £50* - Challenge Question Study
Oh ok, I totally understand
What most people are doing is that they give the uni emails, i.e. (ucabham@live.myuniversity.ac.uk), so no personal email is known.. if you do not want to take part that is fine... I can't really put you in the prize draw though 'cause I need both phases to be complete. Sorry :( .
Date: Tue, 13 Jul 2010 10:45:48 +0100
From: Misha
To: H
Subject: Re: *First Prize £100, Second Prize £50* - Challenge Question Study
H wrote:
> Oh ok, I totally understand
>
> What most people are doing is that they give the uni emails, i.e. (ucabham@live.myuniversity.ac.uk), so no personal email is known.. if you do not want to take part that is fine... I can't really put you in the prize draw though 'cause I need both phases to be complete. Sorry :( .
>
Well if other people want to give away private information it's no skin off my nose, but I'd be interested to hear if I'm the only person that this rang alarm bells for, especially since you are surveying people from the CS department (and I wouldn't consider my ISD username to be anonymous.)
I'm not sure how you could do this study in a secure or anonymous manner, or more importantly how you could convince a paranoid user like me that it was anonymous. But good luck with it.
Misha
From: H
Date: 13/07/2010 10:34
Subject: Re: *First Prize £100, Second Prize £50* - Challenge Question Study
lol I just looked at your answers, I have found it sooo difficult to make it anonymous as I need people to come back and answer the questions again in two weeks' time..
The study is to find out what questions people pick and how they answer and how secure those answers really are.. I'm an information security masters student, if I wanted to hack into emails I don't think I would need secret answers lol! I just need to get this study done for my thesis :(
From: H
Date: 13/07/2010 10:47
Subject: Re: *First Prize £100, Second Prize £50* - Challenge Question Study
Thank you,
I've just started it up today so hopefully not everyone is as paranoid :s .. to be honest if I had to fill it out I would think the same thing!
Bear in mind that this guy is doing a *masters* in Information Security. Anyway, I thought that was an end to it, until I got this last email today:
From: M R <m.r@myuniversity.ac.uk>
Date: Mon, 19 Jul 2010 11:38:03 +0100
To: all-postgraduates@myuniversity.ac.uk, all-undergraduates@myuniversity.ac.uk
To: All post-graduates and all under-graduates.
You would have received an email from Postmaster last Thursday about a survey being carried out by H into the use of Challenge Questions. We have received complaints about the nature of the questions asked and would like to warn you about giving out such information. Questions such as these are used for providing a second level of authentication to sensitive data/systems and as such should be guarded with the same level of care as your password. You are reminded of the Computing Regulations which state that you must not disclose passwords to others.
We will be discussing this matter with the parties concerned to try to come up with a solution that allows them to do the research without compromising security.
In the meantime, as a matter of best practice, we would recommend you change any challenge questions/answers you use if you have passed on the information as the information is currently on a 3rd party site over which we have no control. We understand about 200 people responded to the survey.
M
-- M.R. Head of Computer Security Team, Information Services Division
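Misha asks how a study like this could be run securely, and H says the aim is to learn "how secure those answers really are". The two goals are compatible as long as the answer itself is never collected. The Python below is an added illustration written for this page, not code from the student's survey or from the university; it assumes a hypothetical two-phase design in which the participant keeps a randomly generated token to link the two phases (so no email address or ISD username is stored), and it assumes a small constructed COMMON_ANSWERS list standing in for a real list of easily guessed answers. Only non-reversible features of the answer leave the participant's machine.

```python
"""Collect challenge-question *strength features* instead of the answers.

Added example for this page (not the survey's own code).  Assumes a
hypothetical two-phase study: a random token generated locally links phase
one to phase two, and the raw answer never leaves the participant's machine.
COMMON_ANSWERS is a tiny constructed list used only for illustration.
"""
import re
import secrets

# Constructed sample of answers that are easy to guess or look up.  A real
# study would use a much larger list; the membership check still runs on the
# participant's side, so the server never sees the answer.
COMMON_ANSWERS = {"fluffy", "max", "smith", "london", "fido", "rex", "jones"}

# (low, high, label) length buckets: coarse enough not to identify an answer.
LENGTH_BUCKETS = ((0, 3, "1-3"), (4, 7, "4-7"), (8, 11, "8-11"), (12, 10**9, "12+"))


def new_participant_token() -> str:
    """Unguessable token that links the two phases.

    Generated locally and shown to the participant to keep; no email address
    or university username is attached to the record.
    """
    return secrets.token_hex(16)


def answer_features(answer: str) -> dict:
    """Return only what the study needs: how guessable the answer looks.

    Nothing here can be turned back into the answer.  A *hash* of the answer
    would not do: challenge answers are low-entropy, so a hashed "fluffy" is
    recovered from a short candidate list as easily as the plain text.
    """
    normalised = answer.strip().lower()
    # Count character classes present (lower, upper, digit, punctuation).
    classes = sum(bool(re.search(p, answer)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    bucket = next(label for lo, hi, label in LENGTH_BUCKETS if lo <= len(normalised) <= hi)
    return {
        "length_bucket": bucket,
        "char_classes": classes,
        "word_count": len(normalised.split()),
        "in_common_list": normalised in COMMON_ANSWERS,
        "digits_only": normalised.isdigit(),
    }


def phase_record(token: str, question: str, answer: str) -> dict:
    """Build the record that is actually sent to the researcher."""
    rec = {"token": token, "question": question}
    rec.update(answer_features(answer))
    return rec


def record_leaks_answer(record: dict, answer: str) -> bool:
    """Pre-send sanity check: the answer (case-insensitively) must not appear
    in any field of the outgoing record."""
    needle = answer.strip().lower()
    return any(isinstance(v, str) and needle and needle in v.lower() for v in record.values())


if __name__ == "__main__":
    tok = new_participant_token()
    rec = phase_record(tok, "What was your first pet's name?", "Fluffy")
    assert not record_leaks_answer(rec, "Fluffy")
    print(rec)
```

The phase-two recall test works the same way: the participant re-enters the answer locally, the client compares it with the phase-one answer it kept on the participant's own machine, and only "recalled: yes/no" travels with the token. The researcher ends up with what the thesis needs (which questions people choose and how weak their answers are) without ever holding a credential that, as the Computer Security Team's email points out, deserves the same care as a password.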