Unsafe security questions
Old-fashioned ‘hacking’… A gambling addict in the UK showed how easy it is to circumvent some banks’ security controls. He collected personal information on random individuals, researching details such as mothers’ maiden names and people’s first schools at the General Register Office for Scotland in Edinburgh. After retrieving a batch of personal (but not all that private) information for $15 a day, he called the bigger banks in Scotland and pretended to be a customer who had lost his card. With the collected information he was able to answer the commonly asked security questions (what is your mother’s maiden name, what was your first school, etc.). After running this scheme for 7 years he was caught when a bank clerk compared his signature against the actual customer’s signature, noticed the difference and informed the police. The suspect: “I gave them a name and answered the security questions. That’s just date of birth, mother’s maiden name, that’s all at General Registry House (open source information). Most people in Scotland will either have a Bank of Scotland or a Royal Bank of Scotland account so I tried calling them.” A police spokesman was “horrified” at the security measures guarding bank accounts. The suspect was not in the major fraud league, but he still earned around $10,000 in 5 days. Not bad for a gambler.
Remember the security questions and answers you have probably entered several times when registering for email accounts or other online services? Same thing. How difficult is it for criminals browsing LinkedIn, Facebook, Myspace and publicly available offline sources to gather enough personal information to take over your accounts through the ‘forgot password’ procedure? Apparently not difficult at all; about as easy as accessing your bank account. The underlying problem is that the answers are facts about you rather than secrets: anyone who can look them up passes the check, and the set of plausible answers (a surname, a school, a pet’s name) is small enough to guess through even without looking.
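The recovery flow described above, as an added example that is not part of the original post: a small Python model of a service that stores salted hashes of normalised security-question answers (an assumption about the service; the salt, the stored record and the candidate lists of surnames and schools are all constructed here, standing in for a registry search or a profile page), with the attacker's offline dictionary guess run against it. It goes a little beyond the text by measuring how little secrecy such a question holds next to a random, out-of-band recovery token.

```python
# Added example (not from the original post): an attacker's view of a
# knowledge-based "forgot password" check.  The stored hashes, salt, the
# service's normalisation rule and the candidate lists below are all
# constructed for illustration.
import hashlib
import hmac
import math
import secrets


def normalise(answer: str) -> str:
    """Typical service-side normalisation so 'Mac Donald' and 'MacDonald' both pass.
    It helps legitimate users and, equally, the attacker's candidate list."""
    return "".join(ch for ch in answer.casefold() if ch.isalnum())


def hash_answer(answer: str, salt: bytes) -> str:
    """Assumed storage format: SHA-256 over salt || normalised answer.
    (Hashed storage is the optimistic case; cleartext answers are common.)"""
    return hashlib.sha256(salt + normalise(answer).encode()).hexdigest()


# Constructed record for one account, as the service would hold it.
SALT = b"constructed-salt-not-secret"
STORED = {
    "mothers_maiden_name": hash_answer("Mac Donald", SALT),
    "first_school": hash_answer("St. Mary's Primary", SALT),
}

# Constructed "open source" candidate lists: a handful of common surnames and
# local primary schools, the kind of data a public register or a profile gives away.
MAIDEN_NAME_CANDIDATES = [
    "Smith", "Brown", "Wilson", "Campbell", "Stewart", "MacDonald", "Robertson",
]
SCHOOL_CANDIDATES = [
    "Hillhead Primary", "St Mary's Primary", "Kings Park Primary", "Victoria Primary",
]


def guess_answer(stored_hash: str, salt: bytes, candidates):
    """Try each candidate against one stored hash.
    Returns (matching candidate or None, number of attempts used)."""
    for attempts, cand in enumerate(candidates, start=1):
        if hmac.compare_digest(hash_answer(cand, salt), stored_hash):
            return cand, attempts
    return None, len(candidates)


def recover_account(stored: dict, salt: bytes, candidate_lists: dict):
    """Attack every question of the account.
    Each stored hash can be attacked on its own, so the work is the SUM of the
    list sizes, not their product.  Returns (answers found, total attempts)."""
    found, total = {}, 0
    for question, cands in candidate_lists.items():
        cand, attempts = guess_answer(stored[question], salt, cands)
        found[question] = cand
        total += attempts
    return found, total


def search_space_bits(candidates) -> float:
    """How much 'secret' a question really holds: log2 of the candidate list size."""
    return math.log2(len(candidates))


def random_recovery_token(nbytes: int = 16) -> str:
    """The alternative: a one-time token delivered out of band (e-mail, SMS, app).
    Its search space is 8*nbytes bits, which no registry search can narrow."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    lists = {
        "mothers_maiden_name": MAIDEN_NAME_CANDIDATES,
        "first_school": SCHOOL_CANDIDATES,
    }
    answers, attempts = recover_account(STORED, SALT, lists)
    print(f"recovered {answers} in {attempts} guesses")
    for q, cands in lists.items():
        print(f"{q}: about {search_space_bits(cands):.1f} bits of secrecy")
    print(f"a random recovery token, for comparison: {random_recovery_token()} (128 bits)")
```

The normalisation step is worth noticing: the looser the service is about spelling and spacing (to be kind to customers who type "Mac Donald"), the shorter the attacker's candidate list needs to be. Whether the attacker guesses against a stolen hash or reads the answers off a call-centre script, the question's entire strength is the size of that list.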