Hacker News new | ask | show | jobs
by ceejayoz 2843 days ago
I'm a bit worried about social engineering there. "Oh, it's a bunch of gibberish" may pass muster with a support rep (in both of your approaches), leading to compromise.

Lately, I've been making up a seemingly correct, but random response (and different each time). My favorite vegetable? Sea cucumber! I store that in my password manager.
2 comments
thaumasiotes 2843 days ago
> I'm a bit worried about social engineering there. "Oh, it's a bunch of gibberish" may pass muster with a support rep (in both of your approaches), leading to compromise.

I can confirm that this is the case. I provided a gibberish answer to a security question for Blizzard. I didn't bother to write it down, relying on not forgetting my password.

I never forgot my password, but Blizzard shut down my account anyway because I was making payments with a card that was not listed as the account's "primary payment method". (The card I was using was listed on the account, but another card was the "primary payment method".) When I had to call support and answer my security question, the answer I'd filled in just meant that I wasn't required to provide the correct answer.

link
zifnab06 2843 days ago
I've found it's better to give them correct answers that are entirely fake. The make of your first car is an astin Martin. Your nearest sibling lives in lunar colony 1.

This way "it's a bunch of gibberish" doesn't get past their security.

link
metafunctor 2843 days ago
I use something like this: “the secret password is tango-seven-alpha-romeo-zero-zero-victor-sierra-foxtrot-quebec".

Never had to use these for real yet, but it should be a bit harder to be seen as a “a bunch of gibberish”.

link
ceejayoz 2843 days ago
"Oh shoot, it was a bunch of random words. I'm so sorry, I had it written down but I can't find the paper..."

Remember, an attacker can call support hundreds of times, getting a different rep every time. There's a good chance it'll work eventually.

link
metafunctor 2843 days ago
Seems to me like that’s not really a criticism against using random answers for secret questions.
link
ceejayoz 2842 days ago
Clearly random answers are a problem. You're going to find support reps inclined to accept "oh it's just something random", which means you're guaranteed get compromised if you're a big enough target to spend some hours on.

Random but outwardly appearing valid ones are fine (but you'd want to avoid using the same answer on different sites). One site's "first car" could be Porsche 911, another's Aston Martin. Both aren't true, but the support rep doesn't know that.

link