Dumb Sprint 'Security' Questions Make It Easier To Hijack Accounts
from the with-security-like-that... dept
In the last year or so, there’s been a disturbing trend of companies to start adding absolutely ridiculous and counterproductive “security” questions on various sites. Most of these do absolutely nothing good in terms of security. In fact, it seems the more ridiculous these features are, the less secure a site actually is. I’ve been collecting some examples of the more bizarre “security” features I’ve been seeing lately, with the really ridiculous “security questions” being quite popular. This is when the site gives you a bunch of questions to choose from — but often those questions are not the sort that have a single answer, or an answer that’s easily memorable. For example, I just saw one that asked “What’s a place you’d like to visit someday?” Well, there are a few, but I doubt I could remember the one I picked. And what happens if I do visit that place before the next time I need to answer that question?
I was recently discussing this with a colleague who told me that if I wanted to see the most ridiculous example, I should look at Sprint’s system, as it had a bunch of security questions where it tried to pull information on you. Before I had a chance to check it out, it looks like the folks over at Consumerist decided to take on Sprint, and discovered not just how ridiculous the questions are but noticed some patterns that make it quite easy to get control of any Sprint user’s account.
The way it works is Sprint asks you a series of “security” questions that it thinks only you would know the answer to. Things like “what type of car has been registered at your address?” and “which of the following people has lived at your address?” It sounds like some data collection company probably convinced Sprint to purchase access to their data to set up these questions in the name of “security.” The problem is that if you know just a little about certain people, you can easily guess the answers. Even worse, a former Sprint employee notes that, mostly to avoid “accidentally” having two right answers, it’s usually quite easy to figure out the actual answers. For example, on the automobile question, the incorrect answers are usually expensive luxury vehicles.
This isn’t “security.” It’s barely security theater. It’s a huge security hole. Hopefully with a little attention Sprint gets rid of it and puts something more reasonable in place. I just hope it doesn’t involve asking me where I hope to travel some day.