
Hacker Used Facebook To Break Into Bank Accounts

Wednesday, August 17, 2011 - 5:25 AM
This Telegraph article reports on a British hacker who broke into his neighbors' online bank accounts after working out the answers to their security questions from information they posted on Facebook and Friends Reunited.

This is one issue with these bank security questions. People who know too much about you may be able to answer them. That's one reason to avoid posting personal type of info on Facebook and other sites.
Ken Tumin (5,442 posts since Nov 29, 2009; Rep Points: 123,702)
1. Wednesday, August 17, 2011 - 8:34 AM
It's also a good idea to avoid those "innocent" emails from friends which ask you for personal information such as favorite color, favorite movie, first place you worked, model of your first car, name of your favorite teacher in high school, etc., for the purpose of getting to know you better. A friend's email might have been breached, and those are security-type questions used at many institutions in order to confirm identity.
pearlbrown (1,356 posts since Nov 2, 2010; Rep Points: 5,955)
2. Wednesday, August 17, 2011 - 9:14 AM
There is another strategy to enhance your security question info -- deliberately use false answers! Just make sure you remember what they are!
Wil (242 posts since Feb 26, 2010; Rep Points: 1,281)
3. Wednesday, August 17, 2011 - 10:48 AM
@Wil, I agree.  I vary the answers widely so there are at least 7 different answers to questions about my Mom's maiden name, and 10 different answers to the name of the first company in which I worked, etc.  However, my memory is poor, so my solution is to keep the answers for each institution in a spreadsheet which references a second one where the actual responses are kept, and they are never the correct information. 

For example, Spreadsheet 1:

Institution: Bank of this and that; Mother's maiden name: 3; First job: 1

There is a separate spreadsheet where I keep the answers:

Mother's maiden name #3 = Adams; First job #1 = McDonalds

The two spreadsheets are kept physically separate, so someone would have to understand the scheme and go to a lot of trouble to connect the two. 

A bit geeky ;) but this scheme works for me and the number of combinations possible ensures no two financial institutions have the same answers.   
pearlbrown (1,356 posts since Nov 2, 2010; Rep Points: 5,955)
4. Wednesday, August 17, 2011 - 3:08 PM
@pearlbrown,

My head is spinning with all this talk about needing spreadsheets to keep track of all the different answers to the same questions (and I haven't had a drink yet today). Imagine what a Warren Buffett or Bill Gates spreadsheet would look like if they employed the same system. They most likely would need a software program to decipher theirs.

BTW, I hope you back up your work daily or whenever you make any changes. Otherwise, if you crash you're up s***s creek. And make sure any hard copies are locked up in a vault, just in case you have a break-in.

Other than that, it sounds like a great system! SE2E
WhataBummer (413 posts since Oct 15, 2010; Rep Points: 1,702)
5. Wednesday, August 17, 2011 - 9:09 PM
@WaB, I am sure those distinguished gentlemen not only have more sophisticated mechanisms but also a small army of people dedicated to ensuring their accounts are locked down tight.  The Oracle from Omaha isn't likely to keep his money in a number of RCAs with small caps - but in a select few accounts with balances larger than the GDP of some small countries and closely monitored by several members of his staff around the clock.  :D

The suggestion to create a fake identity is good and adds a level of complexity, but if you use the same info everywhere, as the article points out most people tend to do, it defeats the purpose.  That is why I not only have fake answers, but I also change them for each institution.  If one account were to be breached, the crooks would be unable to access other accounts (assuming they could figure out where they are) using the same answers.  In other words, if the account for which the security answers are "Adams" and "McDonalds" is breached, they will not be able to breach any other account because those answers are unique to that account.

Nothing is foolproof - my approach hopefully raises the level of frustration to an extent that a hacker might move on to an easier target, but a determined hacker would be nearly impossible to stop.
pearlbrown (1,356 posts since Nov 2, 2010; Rep Points: 5,955)
6. Wednesday, August 17, 2011 - 10:15 PM
@pearlbrown, perhaps nonsensical answers might work even better. For example: favorite color = Cloud, or mother's maiden name = Xylophone, etc.
Wil (242 posts since Feb 26, 2010; Rep Points: 1,281)
7. Wednesday, August 17, 2011 - 11:03 PM
@Wil - combinations of nonsense answers which are unique to each account - I like it a lot!  It's a fiendishly clever solution - a hacker might quickly realize it wouldn't be a run-of-the-mill breach and abandon the attempt in the hopes of finding an easier target. 

I have only encountered one institution which forces a selection of favorite color from a discrete list (red, orange, yellow, etc.), but otherwise "cloud" would work as a favorite color, and of course there should be no restrictions on mother's maiden name. As a bonus, "Xylophone" as a mother's maiden name might give a stressed-out CSR a good chuckle and a funny "You'll never believe what my customer did" story to share with others. :D
pearlbrown (1,356 posts since Nov 2, 2010; Rep Points: 5,955)