Porn names and other fun games - Blogs

What's your porn name? I have been asked this question since I was at school. It's just a bit of fun after all. Isn't it? Well considering that the two components that form your porn name are also the answers to two very common security questions:

1. What is your mother's maiden name?
2. What is the name of your first pet? 

 

Ever since I opened my first bank account that had telephone banking an alarm bell has been ringing about this innocent childish bit of fun.

Yesterday I met someone for a coffee and a chat. The conversation moved from technology advancements to data mining and targeted advertising. "Isn't it amazing how they know what we want to buy" was the general gist of the conversation, but it's not really that magical when we consider how much information we give away, and especially the amount we give away openly. I smiled and asked him to humour me and tell me what his porn name was. He willingly told me me with a chuckle. I smiled and then asked him what security questions he used for his banking. He got half way through the first question before the penny dropped and his face paled as he realised how such an innocent game could reveal far too much. I've been using this example for far too many years and the response if always the same.

But surely this sort of thing is just a bit of fun amongst friends? Really? When was the last one of these that you completed on Facebook? You've just openly informed not only the friend that tagged/shared it, but the original creator and every other person that comments and in-fact anyone that has access to read that post. Back in 2010 SANS released a paper called What Disney Princess are YOU? which highlights the dangers of "just for fun" quizzes. I urge you to read it.

 

Common Security Questions

The following is a list of really common questions. I searched the web and the following list, in some shape or form, the following is all that came back. It's not a big list and it's not an imaginative list either.

• What is the first and last name of your first boyfriend or girlfriend?
• Which phone number do you remember most from your childhood?
• What was your favourite place to visit as a child?
• Who is your favourite actor, musician, or artist?
• What is the name of your favourite pet?
• In what city were you born?
• What high school did you attend?
• What is the name of your first school?
• What is your favourite movie?
• What is your mother's maiden name?
• What street did you grow up on?
• What was the make of your first car?
• When is your anniversary?
• What is your favourite colour?
• What is your father's middle name?
• What is the name of your first grade teacher?
• What was your high school mascot?
• Which is your favourite web browser?
• What was your childhood nickname?
• What is the name of your favourite childhood friend?
• Where did your parents meet?

Look at this list and think about how many of the above questions are either there in black and white or could be deduced from your public profile on Facebook? I look at most people and do some basic digging (not even data mining) and answer a lot of those questions and those I'd struggle with, well, one simple phone call from market research or a competition for free movies for a year would solve the rest.

 

Social Engineering

Social engineering used to be a (h/cr)ackers best friend. It's all about getting someone to willingly give you information that they feel is innocent, but is very valuable in other contexts. Cyber Army used to have a social engineering challenge via ELIZA the computer therapist. The trick was to get her to reveal her password. Simply by following a route of questions you would be allowed to eventually ask out her pet and she'd respond with it's name. Bingo! Password security relies on complexity and making it unmemorable. Security questions are used in 2 common ways:

1. Verification as to who you are
2. Password/Account recovery

It's not hard to con people into telling you their darkest secrets, and it's not hard to get them to give you pin numbers and passwords alike. Barclays are doing a fantastic job at trying to highlight the perils of social engineering. Adverts such as:

 

 

Be obscure and Lie

It's not as simple as not entering that data into your online profiles, a lot of the answers to these questions have been achievable long before the likes of Facebook etc. The simplest way to prevent against this sort of thing is to simply lie and mix things up a bit. Use a bit of obscurification in the same why you would your password. I'm not suggesting character replacement and numbers, this would hardly help you on the phone to your bank. Just simply lie, they don't have a truth detector on the other end of the phone! So you were born in "London"? Tell them you were born in "Southend-on-sea" or even "In a hospital". I have made a few telephone operators laugh with some of my correct responses. 

 

Why would someone want to target me?

The biggest mistake we make is to have the mind set of "Why would someone want to target me?". In most cases you are not being targeted specifically, you just one of thousands of people that are being caught up in a net. However, you may have a target on your head also for many different reasons. Can you provide information about others you know who would be considered bigger fish for example? Do you work for a company that could provide access to bigger companies? Remember "Why" is not actually important.

At the end of the day, accept that no matter what you do, the likelihood these days is that if it's online, then they know it. There is no stopping them from data mining information about you. Are you really going to quit your job and unplug from the Matrix? Probably not, so simply accept that people will try and do these things, and understand their techniques. Once you understand how, the the prevention is easier.