If you aren’t famous enough to be a target, you may still be a victim of a mass data breach. Whereas passwords are usually stored in hashed or encrypted form, answers to security questions are often stored — and therefore stolen — in plain text, as users entered them. This was the case in the 2015 breach of the extramarital encounters site Ashley Madison, which affected 32 million users, and in some of the Yahoo breaches, disclosed over the past year and a half, which affected all of its three billion accounts.
The Equifax breach this year may have revealed some users’ security questions and answers outright, and it certainly gave thieves enough personal information to answer common questions. TransUnion evidently did not heed this warning: Users wishing to freeze their credit files in the wake of the Equifax breach have to create an account, and to do so they must choose a security question, such as “What city were you born in?”
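The contrast the article draws between hashed passwords and plain-text security answers comes down to how the answer is stored. The following is an added example, not code from the article or from any of the companies it names, showing the defensive alternative: treating a security answer like a password, so that a dumped table holds only a salt and a slow-hash output. It uses only the Python standard library; the question, the answers and the KDF parameters are constructed for the demo and are assumptions, not values from the article.

```python
"""Added example (not from the article): store security-question answers the
way passwords are stored, so a breached table does not expose them verbatim.
Standard library only (hashlib, hmac, os, unicodedata). All sample data is
constructed for this demo."""
import hashlib
import hmac
import os
import unicodedata

# Assumed demo parameters; a production deployment would tune these (and
# would prefer a memory-hard KDF such as scrypt or Argon2 where available).
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def normalize_answer(answer: str) -> bytes:
    """Canonicalize a free-text answer so 'New  York' and 'new york' match.
    Answers are typed far less consistently than passwords; normalizing
    before hashing avoids lockouts without keeping the raw text anywhere."""
    text = unicodedata.normalize("NFKC", answer)
    text = " ".join(text.casefold().split())  # collapse whitespace, case-fold
    return text.encode("utf-8")


def derive(answer: str, salt: bytes) -> bytes:
    """Slow, salted hash of the normalized answer."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def store_answer(answer: str) -> dict:
    """Return the record to persist: a random per-answer salt and the derived
    hash. The plaintext answer is never part of the record."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": derive(answer, salt).hex()}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = derive(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, actual)


def record_leaks_plaintext(record: dict, answer: str) -> bool:
    """What someone reading a dumped table sees: True if the normalized answer
    appears verbatim anywhere in the stored record's values."""
    blob = " ".join(str(v) for v in record.values()).casefold()
    return normalize_answer(answer).decode("utf-8") in blob


if __name__ == "__main__":
    question = "What city were you born in?"  # constructed sample question
    # Plain-text storage, as the article describes:
    plaintext_record = {"question": question, "answer": "New York"}
    # Hashed storage:
    hashed_record = {"question": question, **store_answer("New York")}
    print("plaintext record leaks answer:", record_leaks_plaintext(plaintext_record, "New York"))
    print("hashed record leaks answer:   ", record_leaks_plaintext(hashed_record, "New York"))
    print("verify 'new  york':", verify_answer(hashed_record, "new  york"))
    print("verify 'Boston':   ", verify_answer(hashed_record, "Boston"))
```

Hashing does not fix the other problem the article raises, that the answer itself may be public or guessable; it only ensures that a breach of the stored table does not hand the answers over directly, and the normalization step is what keeps the hashed form usable for answers people rarely type the same way twice.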
According to Troy Hunt, a cybersecurity expert, organizations continue to use security questions because they are easy to set up technically, and easy for users. “If you ask someone their favorite color, that’s not a drama,” Mr. Hunt said. “They’ll be able to give you a straight answer. If you say, ‘Hey, please download this authenticator app and point the camera at a QR code on the screen,’ you’re starting to lose people.” Some organizations have made a risk-based decision to retain this relatively weak security measure, often letting users opt for it over two-factor authentication, in the interest of getting people signed up.
Security questions ask for something you know about yourself, and to be even moderately secure, they should ask for something only you know. It’s exceedingly difficult to design questions that do this. Many security questions ask for biographical information that is publicly available, whether in open records or via social media: where you were married, your first phone number, your paternal grandfather’s middle name.
Aside from these questions’ vulnerability to a little research (to say nothing of nosy parents or malicious exes), none of them are relevant to all adults. How many of us can answer the premillennial “What city were you in to celebrate the year 2000?” or “What year did you take out your first mortgage?” And how many Indian- or Brazilian-born users went to a high school without a mascot, or grew up on a street with no name? How many of our…