Republican Vice Presidential candidate Sarah Palin’s Yahoo! account was recently hacked. The hacker reportedly reset Palin’s password, answering all of her security questions with information easily found through a Google search.
Tuesday’s Talk of the Nation examined the issue. It’s easy to say Palin’s information was accessible because she’s a public figure, but as TOTN’s guests explained, many private citizens readily put biographical information online. Birthdays, family members’ names and friends’ bios are all available on social networking sites.
Over the weekend, I checked the security questions on my e-mail and bank accounts.
What is your mother’s maiden name?
What is your maternal grandmother’s first name?
What color was your first car?
Where did you finish 6th grade?
What is your pet’s name?
Certainly, if these are your security questions it wouldn’t be wise to mention many of the topics on your blog or Facebook page, but I’m surprised at how simple those questions are. None of the information about me needed to answer those questions is online, but most of my close friends could probably guess all of it.
So if someone’s password is reset, is it their fault for blogging about their car, grandmother and pet or is it the bank’s fault for choosing such basic security questions?
It reminds me of the Richard Feynman essay ‘Safecracker Meets Safecracker.’
Mr. Feynman was a scientist at Los Alamos. He was worried about the security of documents and once new safes were installed in everyone’s office, he went about figuring out how to crack them. While he found flaws in the each safe’s design, some of the most crucial information was accessed by guessing things about other scientists. For example, Feynman opened all of one researcher’s safes by using the same mathematical constant for each combination.
The story has an interesting relevance in this case. While banks and social networks may have flaws in their security questions, it’s ultimately on the user to keep certain information private and passwords obscure. No need to be paranoid, just be careful.