EEJournal

feature article
Subscribe Now
May 26, 2016

Challenging Challenge Questions

Do They Really Provide the Best Security?
by Bryon Moyer

The developed world – particularly the US – is a complex environment replete with residents from diverse places and backgrounds with widely differing experiences. But it’s not a homogeneous mix: cities will be more diverse than rural areas, and, even within cities, you’re going to get clusters of people with shared characteristics.

Well, there appears to be a cluster of people – not sure where – that have the following traits:

  • They’ve lived in one place, and they went to one set of schools.
  • They’ve had one set of friends for their entire life.
  • They have clear favorites of everything. And those favorites never change, ever. By the time they’re 25, they have a favorite pet, movie, book, teacher, TV show, musician, song, everything. And even though they have 60 years ahead of them, those favorites will stick.

Who are these people? They’re the ones deciding the challenge questions for your secure log-in. The questions are mostly used for confirmation that you’re who you say you are if you need to change your password or do some other ultra-privileged thing.

Other sites use them more intrusively. With my credit union, if I log out and then log back in again within an hour (or some period), it wants confirmation that I’m still me. Or at random other times when trying to do something, it will interfere with a challenge question even though I’ve checked that box saying, “Yes, this is still my private computer, just like it was 10 minutes ago. No, I’m not being burgled.”

In theory, this would seem to be a reasonable idea. If you want to prove that you’re you, then provide some information that only you would know. It sounds good up until you’re provided with the opportunity to set up your personal questions and answers. That’s when the trouble starts.

I don’t want to come across like some emo goth who’s simply too complex to have his essence captured and reduced to three banal questions. But I always tense up when the time comes to find my personal questions: will I be able to find three with unambiguous, lasting, memorable answers? I always come away feeling like the question-selectors came from some small-town cluster where everyone was the same and life was uncomplicated by complex options.

You might as well have questions like,

  • What’s your favorite model of Mercedes?
  • Which is your favorite Shoney’s?
  • Who makes the best hot dish?
  • What’s your favorite breed of cattle?

If you’re not in a suitable population cluster from the Bay Area or Connecticut or the South or Minnesota or Nebraska or Texas, you’re not likely to find a suitable question in that mix.

There are three main weaknesses to most of the options.

  • They don’t reflect your life. “What’s your spouse’s favorite color?” – when you’re not married.
  • You can find a question for which you have a definite answer at that moment, but the answer will change according to your mood or after you read a book that’s even better than your last fave.
  • You don’t have an obvious answer, so you have to just pick one – and you may not remember your random selection when you need it.

For any individual, any given question might be irrelevant, of course, and so there’s a selection of questions – with the expectation that everyone will be able to find three that work. But each time, I barely skate by with three questions that I can use, and I’ve wondered when the time would come that I couldn’t find three questions with unambiguous answers.

My luck finally ran out the other day when an airline for which I’m a frequent flier – or, rather, used to be a frequent flier – suddenly needed me to upgrade my security. (As always, these things are “URGENT, MOST DO IMMEDIATELY!”) And this time there was a twist: no more having to come up with answers. They provided not only the question options, but the answer options too.

So even if I could find a question with a solid answer, if it wasn’t one of the answers they offered up, it wouldn’t work. And I needed not 3, but 5 questions. And each question drew from the same list (some sites have a different list for each question). It’s like their IT department got spanked for lax security and said, “OK, you want tight? I’ll give ya tight!” For the first time ever, I aborted the process.

I have to say, they did do some work trying to come up with exhaustive answer lists. Here are the questions:

 Figure_1.png

Heavy on the favorites (something that doesn’t do well for me because of that changing-with-mood-and-context thing.  My favorite kind of food, for example, depends on whether I’m in Boston, Austin, or San Francisco).

If we look into the first question, it’s pretty unambiguous: we all had a first car. Unless, that is, we’ve never had a car. Yes, there are people leading totally carless lives. The list of automobile options is pretty extensive; I don’t know if everything is there, but this is one question I could go with.

Figure_2.png 

(And no, I don’t have a Lancia.)

But what about the career dreams of children?

Figure_3.png 

Really? Kids grow up dreaming of being ad execs? Go Mad Men! But what if I grew up wanting to be a bounty hunter? Or a bail bondsman? Not on the list… no can do.

Heck, I can just see it now:

  • What’s your mother’s maiden name?
    • Smith
    • Andrews
    • Jones
    • Taylor
    • [other Anglo names]

Up to this point, this is just me snarking and whining about how I’m too special to submit to such simplistic questions (and answers). But I’ve always thought there’s a better way to do this, even when you have only a question list to pick from. Even more so when you get an answer list as well.

If the whole idea here is to identify something that only you know uniquely, then the best questions and answers would be uncommon – ones that would not likely be on anyone’s list of obvious questions and answers.

I don’t specifically know how these things are stored, but if someone can hack the question options, then they’re part way to breaking the security. If they can now also hack the answer options, then they can, in theory, brute force their way through the answers until one works. A sophisticated system would notice such behavior, but are these systems sophisticated?

As it is, an intruder can learn the candidate questions (and answers) by creating a bogus account and capturing all of the question (and answer) options. From there, a determined soul could do some research about a target individual, toss in a dash of trial and error, and doors might open. That may not be a high-volume break-in, but it’s still a break-in. (And the low volume thing might reflect only my limited imagination.)

Here’s a better way: let us come up with our own questions and answers. I can’t say what my favorite pet was, but I can answer definitively, “What was the name of your pet that consistently pooped under the piano when you were around 9 years old?” Funny… I’ve never seen that question on any list.

And that’s just the point. If a would-be intruder has absolutely no knowledge of what the questions are going to be (much less the answers), then it’s going to be even less likely that they can break in. Granted, the way these work, you’re presented with a question, so, on the surface, hacking a question might not be an issue. Then again, I’m not a hacker, and I’m constantly amazed at the indirect and unobvious ways people break into things. Apparently, security folks are similarly amazed (as they rush to patch unobvious vulnerabilities).

I’ve actually thought this for years, but I wasn’t spurred to action (if you can call writing a rant “action”) until the answer list thing reared its head. And some of those thoughts consisted of wondering why the create-your-own-question thing wasn’t an obvious solution.

The only thing I’ve been able to come up with is that, with pick lists, you can store the answers as indexes. I don’t know if that’s how it’s done, but, since that uses little memory, you could envision that being the answer.

Saving a created question, of course, requires storing – and hashing – all that text. But in an era of big data, that amount of data officially qualifies as mice n…oses.

There is one possible other reason: perhaps lots of people don’t want to think hard enough to come up with questions. So, to cover this case, you could have a list of pre-canned questions with a “create your own” option at the end for those of us unsatisfied with our selections. Kind of like a pizza menu.

I don’t know if there’s some other barrier (please feel free to answer in comments if there’s more to this); seems pretty straightforward to me. I’ll even trot out the five deadliest words in business: “How hard can it be?”

OK, so I’ve finally gotten this off my chest. Have you had similar experiences? Do you belong to a population cluster that’s poorly represented in challenge questions? What’s your favorite challenge question? (Oo! Oo! That should be a challenge question! It’s so meta!) If you have some good challenge question stories, please do share them with us in the comments.

16 thoughts on “Challenging Challenge Questions”

  2. Pingback: Dungeon
  3. Pingback: fast seedbox
  4. Pingback: Pendaftaran CPNS Kemenkumham
  5. Pingback: Togel Guangzhou
  6. Pingback: jeux de friv
  7. Pingback: cosmetic dental tooth implant Boynton
  8. Pingback: friv 1
  9. Pingback: wiet
  10. Pingback: agen poker terpercaya
  11. Pingback: Wedding Planners in Hyderabad
  12. Pingback: lose weight legs
  13. Pingback: Dokter kebidanan dan kandungan tangerang
  14. Pingback: Aws alkhazrajii
  15. Pingback: Challenging Challenge Questions – NewsTakers
  16. Pingback: Challenging Challenge Questions - NewsTakers

Leave a Reply

featured blogs
BoardSurfers: Training Insights: Design Effortlessly Using Structures in Allegro X
Apr 25, 2024
Structures in Allegro X layout editors let you create reusable building blocks for your PCBs, saving you time and ensuring consistency. What are Structures? Structures are pre-defined groups of design objects, such as vias, connecting lines (clines), and shapes. You can combi...
More from Cadence...
Want to Mix and Match Dies in a Single Package? UCIe Can Get You There
Apr 25, 2024
See how the UCIe protocol creates multi-die chips by connecting chiplets from different vendors and nodes, and learn about the role of IP and specifications.The post Want to Mix and Match Dies in a Single Package? UCIe Can Get You There appeared first on Chip Design....
More from Synopsys...
One Robotic Step Closer to Humanoid Robots in the Home
Apr 18, 2024
Are you ready for a revolution in robotic technology (as opposed to a robotic revolution, of course)?...
More from Max's Cool Beans...

featured video

How MediaTek Optimizes SI Design with Cadence Optimality Explorer and Clarity 3D Solver

Sponsored by Cadence Design Systems

In the era of 5G/6G communication, signal integrity (SI) design considerations are important in high-speed interface design. MediaTek’s design process usually relies on human intuition, but with Cadence’s Optimality Intelligent System Explorer and Clarity 3D Solver, they’ve increased design productivity by 75X. The Optimality Explorer’s AI technology not only improves productivity, but also provides helpful insights and answers.

Learn how MediaTek uses Cadence tools in SI design

featured paper

Designing Robust 5G Power Amplifiers for the Real World

Sponsored by Keysight

Simulating 5G power amplifier (PA) designs at the component and system levels with authentic modulation and high-fidelity behavioral models increases predictability, lowers risk, and shrinks schedules. Simulation software enables multi-technology layout and multi-domain analysis, evaluating the impacts of 5G PA design choices while delivering accurate results in a single virtual workspace. This application note delves into how authentic modulation enhances predictability and performance in 5G millimeter-wave systems.

Download now to revolutionize your design process.

featured chalk talk

Gas Monitoring and Metering with Sensirion SFC6000/SFM6000 Solutions
Sponsored by Mouser Electronics and Sensirion
In this episode of Chalk Talk, Amelia Dalton and Negar Rafiee Dolatabadi from Sensirion explore the benefits of Sensirion’s SFM6000 Flow Meter and SFC Flow Controller. They examine how these solutions can be used in a variety of applications and how you can get started using these technologies for your next design.
Click here for more information about Sensirion SFC6000D Mass Flow Controllers
Jan 17, 2024
14,168 views