Most ethical folks would agree that lying is bad.
But when it comes to your security, and preventing identity theft, it might be advisable to spin a few yarns.
Everyone talks about how important it is to create super strong, unique passwords — we included — but it doesn’t matter how great your password is if someone could guess the answers to your security questions.
This 2016 WIRED.com story titled “Time to Kill Security Questions — or Answer Them With Lies” brings up a great point. Even if your password is super strong, your identity is at risk when a data breach leaks security questions and answers.
“From their dangerous guessability to the difficulty of changing them after a major breach like Yahoo’s, security questions have proven to be deeply inadequate as contingency mechanisms for passwords. They’re meant to be a reliable last-ditch recovery feature: Even if you forget a complicated password, the thinking goes, you won’t forget your mother’s maiden name or the city you were born in. But by relying on factual data that was never meant to be kept secret in the first place — web and social media searches can often reveal where someone grew up or what the make of their first car was — the approach puts accounts at risk,” according to the Wired.com story.
Here are three reasons it’s time to start lying.
- The real answers to your security questions likely have already been breached at some point. Case in point: Yahoo, which in September 2016 announced a data breach that affected 500 million accounts; three months later, it announced another, separate breach that impacted a billion users. Along with passwords, thieves nabbed the answers to security questions in that second breach. Even if you don’t have a Yahoo account, there have been plenty of other data breaches where the answers to security questions were leaked — the Ashley Madison breach in July 2015, VTech in November 2015 and others. For a fairly comprehensive list of breaches and what information was compromised, check out this list, compiled by Troy Hunt of Have I been pwned?
- Strong passwords aren’t enough when someone could guess the answer to your security questions. You need to control the answer. Say you’re a person who always uses long, complex passwords that combine upper and lowercase letters, numbers, and characters, and you wouldn’t think of reusing a password on more than one site. (That’s awesome, BTW — you’re definitely in the minority.) Even so, a strong password might not be enough. “Even the most difficult-to-crack password is still vulnerable if your security questions are accessible,” according to this recent Forbes story, which explains why some security experts advise you to fib. They argue that your bank or credit card company doesn’t need to know the real name of your pet, or what street you actually grew up on. “That kind of information may be easily available on the web — on Instagram or Facebook, for example — if you tell the truth. But if you lie? You control the answer,” according to the Forbes story.
- The answers to the security questions might be readily available online even if they have yet to be included in a data breach. Websites like Spokeo, Whitepages and FamilyTreeNow have an astounding amount of information about you that identity thieves would love to use for nefarious purposes. Our blog post walks you through, step by step, how to remove your information from FamilyTreeNow.
So the next time you’re prompted to share the name of your best friend in high school (are you positive someone couldn’t figure that out based on your social media trail?), maybe you should switch it up and write in something ridiculous, like Marty McFly. And just why couldn’t your first car have been a DeLorean DMC-12?
Just be sure to remember the fake answers, or write them down and put them in a secure place.