Banks might not need much convincing that challenge questions based on shared secrets aren't safe, since the FFIEC's updated guidelines say as much, but other industries, like healthcare and ecommerce, still need to take heed.
A California man who trolled women’s Facebook pages searching for clues that allowed him to take over their email accounts was sentenced Friday to more than four years in state prison after a judge rejected a plea for a lighter sentence and likened the man to a peeping Tom.
Once he took over women’s email accounts, George Bronk searched their folders for nude or semi-nude photographs or videos sent to their husbands or boyfriends and distributed the images to their contact list, prosecutors said.
The emails went to families, friends and coworkers. Women in 17 states, the District of Columbia and England were victimized.
The case illustrates the vulnerability of all Internet users, said prosecuting attorney Robert Morgester of the state attorney general’s office.
“The victims we went to said I had very robust passwords. But it didn’t matter how robust the password was if the recovery question is easy,” he said. “Lost your password? What’s your favorite color or what high school did you go to? Or what’s your dog’s name? And he was able to glean that information from social media.”
And there it is: the realization of one of the dangers of shared secrets that we at IDology have been pointing out for the last few years.
This guy is only an amateur — he admittedly did what he did because he thought it was funny and he was bored. If he succeeded in cracking shared secrets, don’t you think sophisticated fraudsters can too?
The FFIEC gets it. They’ve told banks to use more sophisticated authentication technologies, like out-of-wallet questions instead of shared secrets. If this authentication method isn’t safe enough for your bank to use anymore, then it isn’t safe for your business either.