Giving fake answers to account-verification questions can make them easier to guess, not harder.
A recent Google study found that a common tactic among people who do not want to give real answers to account-verification questions, supplying an evasive or made-up answer instead, may actually make it easier for attackers to guess their way into accounts.
Two of the most common fake answers are simply “I don’t know” and “I don’t have one”.
The research examined how hard it is to guess the answers to the “personal knowledge” questions used to recover an account when a password is forgotten. It found that these questions provide far weaker protection than the passwords users choose for themselves. The results were published in a peer-reviewed paper presented last week at the International Conference on the World Wide Web in Florence. As the paper puts it: “Surprisingly, we found that a significant cause of this insecurity is that users often don’t answer truthfully.”
The underlying problem is that fake answers are easier to guess than real ones, because so many people pick the same ones.
According to Joseph Bonneau, the study’s lead author, the most common fake answers to security questions were notably easier to guess than the genuine answers would have been. “I don’t know” and “I don’t have one” are particularly weak, but the study found they are far from the only easily guessed answers.
It found, for example, that among English-speaking users an attacker could guess the answers given to the “Frequent flyer number?” question with a single try.
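To make the measurement concrete, here is an added illustration (not code from the Google study, and the answer lists are constructed toy data rather than the paper’s data) of the guessing metric the article is describing: the fraction of accounts an attacker compromises when allowed k tries, using the k most common answers seen in the population. It compares a population that answers a “favorite food?” style question truthfully with one in which a minority fall back on “I don’t know” and “I don’t have one”, and also shows that an attacker does not even need population statistics, a fixed short list of common evasions already does the job.

```python
"""Guess-success metrics for personal-knowledge answers.

Added illustration, not code from the Google study. The answer lists below are
constructed toy data chosen to mimic the effect described in the article; the
numbers they produce are not the paper's figures.
"""
import re
from collections import Counter

# Constructed sample: 20 users who answered honestly (a few popular foods,
# many unique ones). Case and punctuation vary the way real input does.
TRUTHFUL_ANSWERS = [
    "pizza", "Pizza", "pizza!", "sushi", "Sushi", "tacos", "tacos",
    "curry", "pho", "ramen", "paella", "bibimbap", "lasagna", "falafel",
    "biryani", "pierogi", "ceviche", "jollof rice", "poutine", "goulash",
]

# Constructed sample: 20 users of whom 8 gave an evasive answer instead.
EVASIVE_ANSWERS = [
    "I don't know", "i dont know", "I DON'T KNOW", "I don't know.",
    "I don't know", "i don't know",
    "I don't have one", "i dont have one",
    "pizza", "Pizza", "sushi", "tacos",
    "curry", "pho", "ramen", "paella", "bibimbap", "lasagna", "falafel",
    "biryani",
]

# A guess list an attacker could carry around without any statistics at all
# (hypothetical list, not taken from the paper).
COMMON_EVASIONS = ["I don't know", "I don't have one", "none", "n/a"]


def normalize(answer: str) -> str:
    """Fold case, punctuation and whitespace so "I don't know." == "i dont know".

    Recovery systems typically compare answers loosely like this, which is
    exactly why trivial variations of one evasive answer collapse into a
    single very popular guess.
    """
    folded = re.sub(r"[^\w\s]", "", answer.lower())
    return " ".join(folded.split())


def top_k_guesses(answers, k):
    """The k most common normalized answers: what an attacker who knows the
    population statistics would try first."""
    counts = Counter(normalize(a) for a in answers)
    return [answer for answer, _ in counts.most_common(k)]


def success_rate(answers, guesses):
    """Fraction of accounts whose answer is in the attacker's guess list.

    With k tries before lockout, order within the list does not matter.
    """
    guess_set = {normalize(g) for g in guesses}
    hits = sum(1 for a in answers if normalize(a) in guess_set)
    return hits / len(answers)


def compare_populations(k):
    """Attacker success against both populations when allowed k tries, using
    the k most common answers of each population as the guess list."""
    return {
        "truthful": success_rate(TRUTHFUL_ANSWERS, top_k_guesses(TRUTHFUL_ANSWERS, k)),
        "evasive": success_rate(EVASIVE_ANSWERS, top_k_guesses(EVASIVE_ANSWERS, k)),
    }


if __name__ == "__main__":
    for k in (1, 3):
        rates = compare_populations(k)
        print(f"{k} guess(es): truthful {rates['truthful']:.0%}, "
              f"evasive {rates['evasive']:.0%}")
    print("fixed evasion list vs evasive population:",
          f"{success_rate(EVASIVE_ANSWERS, COMMON_EVASIONS):.0%}")
    print("fixed evasion list vs truthful population:",
          f"{success_rate(TRUTHFUL_ANSWERS, COMMON_EVASIONS):.0%}")
```

On this toy data a single guess succeeds against 15% of the truthful population but 30% of the population that includes evasive answers, and a four-entry list of stock evasions, with no population statistics at all, breaks 40% of the second group and 0% of the first. The lesson is the one the study draws: a user who substitutes a stock evasion has not hidden anything, they have joined the largest single cluster of answers in the system.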
Bonneau, now a post-doctoral researcher at Stanford University after leaving his position at Google, said researchers have long suspected that the extra security questions offered by companies such as Google do little to protect users against attackers. The study was conducted to “put out in black and white exactly how insecure and unreliable” those questions really are.
The goal was to identify security questions that are both hard for an attacker to guess and easy for the legitimate user to remember. Unfortunately, “Nothing we looked at was good on both counts,” he said.