Ex-Credit Card Thief Recommends Making Up Fake Answers To Security Questions

In an interview, a former credit card thief talks about some of the scams he used to run on unwary consumers. It has some good takeaways for protecting yourself, like making up fake answers to security questions. With all the information that can be found online now, some of these security questions aren’t that hard to figure out: the real answers are facts other people can look up, while a made-up answer is effectively a second password. So instead of putting down the real answer to “What’s your mother’s maiden name?”, put down “unicorn princess.”

Secrets of a Former Credit Card Thief [Yahoo] (Thanks to Newdreams!)

Comments

  1. ParingKnife ("That's a kniwfe.") says:

    I put in icfjef8837yjdujdk2ik2kdj3uh7hd7

    …or something like that

  2. obits3 says:

    I had an account once that wanted me to make both the question and answer.

    Question: You know this.
    Answer: [Whatever my password was]

    • nbs2 says:

      But, what happens when you get asked the security question because you don’t remember your password?

    • Miss Dev (The Beer Sherpa) says:

      I like those. That way, you aren’t boxed in to something standard that is easy to guess. I had an account where the question I created was “where is the place where I put that thing that time?”

      I’m pretty sure that hackers aren’t going to guess that one readily…

    • Jason says:

      This is probably a bad idea. My guess is that these answers are often stored in plaintext in the database whereas your password should always be hashed before it is stored in the database. Some other sufficiently random string would work though.

      • coren says:

        Yes, although if someone has access to the plaintext database it really doesn’t matter what my info is, they have it.

        • edman007 says:

          The problem arises when you use the password in more than one place as they are able to extract the password and apply it to other sites, if you have a completely random password used only for that account then it doesn’t matter too much.

        • AustinTXProgrammer says:

          But if you use the password with other sites and banks, you’re p0wned even more!

    • Hawkins says:

      I love these (where you get to specify the question AND the answer).

      The best one I ever heard was this (note that the CSR has to read it to you verbatim):

      Question: “You’re not going out dressed like that, are you?”

      Answer: “You can’t tell me what to do! You’re not my real father!”

      • Big Mama Pain says:

        AHAHAHA, that’s so awesome!!! I have a username for one of my accounts for when they send text notifications to my phone, and I have it set for Sugartits; only time you’ll ever get a smile out of me owing someone money!!!

      • Rectilinear Propagation says:

        That is AWESOME.

    • ParingKnife ("That's a kniwfe.") says:

      Favorite Volcano:

      Eyafjallajökull

  3. stevied says:

    Your mother’s maiden name = dog’s maiden name

    still an unusual name and a whole lot easier to remember.

  4. ubermex says:

    I’ve been doing this for a while. I’ve had financial systems require security questions like “where did you go to high school” and “where is your hometown”.

    Considering I’m 25 and haven’t left town, that’s not really security.

  5. danmac says:

    My trick is that when it asks me my favorite pet, I really tell it my second-favorite…you know, to trick the hackers.

    Plus, it makes my second-favorite happy to think I love him. Even though I don’t.

  6. macoan says:

    Yea…. and it’s fun when you call someone and they ask a security question like “where were you born” – and I get to say “North Pole”

    The hardest part about using made up information – when you first start since some accounts may have the old/real information, while newer accounts will have the creative ones.

    • Veeber says:

      Ah that’s when you use a password utility like 1password pro or KeePass

    • David in Brasil says:

      This happened once to me… I registered a business copy of Quickbooks and for my name I put Gojump Inalake. A year later I had some problem with it and called their Tech Service. They wouldn’t help me because they said that the registration had “an Indian name”, and I couldn’t remember it. Thankfully I called back and the next person I talked to figured the name out and gave me a hint.

  7. General Colon Power says:

    Hey wait a minute….. my mother’s maiden name IS “Unicorn Princess.” What’s going on here?

  8. SG-Cleve says:

    If you make up a fake answer then you have to remember it just like the password that you forgot.

    But I have been hacked by a friend who knew the real answers, so I guess security questions are not entirely useful.

    • alana0j says:

      I hacked into my sister’s email once by guessing the security questions, which I subsequently used to get into her Facebook to prove she stole my parents’ credit card.

      Or maybe I didn’t since it’s illegal..either way it sounds very plausible and easy to do, I agree with making up answers as long as you can keep them straight.

      OR have it be an honest answer but input it in pig latin.

  9. GreatWhiteNorth says:

    Great idea and one that I have been using for years. Especially since everyone and their brother seems to ask the same idiotic “security” questions. They should be insecurity questions – Mother’s maiden name? First school? First dog? etc.

    Best part of giving a false answer is if you craft it to be specific to each institution… much like passwords for websites. Have a core answer, say “87654321”, and then for each instance use some part of their name in your answer. So, say for Bank of America your answer might be “87654321BOA”. This example is very obvious as to what is going on. Note that the core answer does not change and each institution modifies it. The modification can be, like my example, adding the initials to the core, or it could be adding the number for the length of the institution’s name to the core (87654113) or adding the last letters… You don’t need to use their name either, you can use type of service (no not crappy vs good, but bank vs dry cleaner)… etc… etc…

    • Bunnies Attack! says:

      Yea… I’ve been doing this too (and still do) but I did realize a while ago that even though each password is unique, as soon as someone figures out one of them they can easily figure out the rest by deciphering the code.

      • TheWillow says:

        yeah but if you make the code something stupid (for example, for my bank account I use the letters from the name of the bank that my bank was before it got bought out.)

      • dangermike says:

        You’d be surprised how robust a simple alphabet cipher could be in such a situation.

        • Jasen says:

          Totally.
          I use a physical keyboard cipher. My password formula is somewhat complex, and a couple characters are based on the name of the site.
          To use BOA as an example again, one trick I like is to offset the letters on the keyboard. For instance, maybe the first character is transposed with the key 2 to the left, so “B” becomes “M”.

          A cracker who had enough time, or examples of your passwords, would eventually figure it out, but it would be pseudo-random enough to discourage the average ID thief.

  10. yggdriedi says:

    When I signed up for PayPal recently I literally could not provide the two security questions they require. They give you a list of possible questions and don’t let you write your own, and of the questions based on facts, only one was relevant to me (dear PayPal: when you ask “who was your first roommate” you might want to keep in mind that not everyone has had a roommate!). The rest were questions based on opinion, and as I hope everyone knows, you should never use these because opinions can change. (“What would I have said my favorite movie was 5 years ago?”)

    I actually ended up just making stuff up and writing it down so I could check it later.

  11. smbizowner says:

    the first school I attended was closed, sold and converted to a convenience store.

    I’m more a numbers person, so I like to use a combination of old addresses dating back to my preschool youth, and the convenience store.

  12. Jevia says:

    I use an old boyfriend’s name/birthdate, etc. for security answers, pin numbers, etc. Go ahead hackers, try and figure out which old boyfriend I used.

  13. wickedpixel says:

    I answer the questions correctly but with a 6-digit number tacked onto the end, and use that same number for all my security questions. Easy for me to remember, difficult for someone else to figure out.

    • LastError says:

      All they need to do is obtain your answer for one site and they can extrapolate your answer for every OTHER site.

      Easy-to-discern patterns are as bad as no pattern.

  14. Azzizzi says:

    I’ve been doing this for more than 20 years. I think I did that even with my first credit card when they asked for my mother’s maiden name. Even then, I didn’t think that was very safe, considering that anyone who knows you would know that. It actually led to me being alerted when my wife called my bank for information. Even she couldn’t get past the security questions, like “What’s your wife’s middle name?” and “What city were you born in?”

    • k8supergrover says:

      If I was your wife and called and was asked “what is your wife’s middle name” gave my middle name and was told it was the wrong answer you would have bigger problems than someone trying to access your banking information! haha.

  15. axhandler1 says:

    I just use 12345678 for all of my passwords. Sometimes I like to change it up with 123456789.

  16. TooManyHobbies says:

    A bank I recently signed up with had a list of security questions that was probably 15 questions long. Lots of choice, right? Except that I didn’t know the answers to any of them, or they didn’t apply. Lots of them had to do with sports or something, and I don’t give a crap about sports and don’t know anything about them, even at the college I went to. So I pretty much HAD to pick one and make up an answer.

    My answers are sometimes “hell i don’t know” or something like that.

  17. catskyfire says:

    That’s great, until you can’t remember the fake answer.

    • kujospam says:

      That’s why it’s better to just let it be a swear word, then when you start cussing out the tech support person, they say congrats you got it.

  18. thor79 says:

    Yeah you just treat it like a second password. Either nonsense answers (example: My user name is? BigWilly54) or just a completely random string of characters, then store that answer in a secure location for retrieval later.

  19. Nogard13 says:

    The easiest way to remember it is to come up with a word and use it as your answer, regardless of the question. For example:

    What’s the name of your first pet?
    – Juniper Berries

    What’s your mother’s maiden name?
    – Juniper Berries

    Etc…

    • Hawkins says:

      The problem with this approach is that if company #1’s database is compromised, and your answers are stolen, they can use them on Company #2’s web site.

      The only secure answer is KeePass, or something like it, to keep track of the different answers that you give for each different company. They don’t have to be hardcore, like 9jh^trfR4#ubnf, just different. So your mother’s maiden name is “Juniper Berries” for the bank, but “Jimson Weed” for the credit card company.

      • thor79 says:

        Security questions are so infrequently used, you might as well make it complex. If you’re not going to be able to remember either, you might as well make it something extremely difficult to guess.

  20. falnfenix says:

    “what is the name of your pet?”

    *lists ex boyfriend’s nickname*

  21. u1itn0w2day says:

    Already done. And remembering those answers is a pain at first but after more use they’re second nature.

  22. ahow628 says:

    I use LastPass and create a Secure Note for each of the accounts that requires security questions. Then I choose the first question and answer it with a random 20 character random answer. Good luck guessing that my high school mascot was a nSm37h3B587cdsT3q9Ss.

  23. prismatist says:

    I don’t see how that would help, since my mother’s maiden name *is* unicorn princess. It’s a hippie thing.

  24. Giveaflying says:

    a friend once answered the question “what is your mother’s maiden name” with Patel and got into someone else’s AMEX account.

  25. Warren - aka The Piddler on the Roof says:

    I use answers stolen from known credit card thieves. They’re the last answers they ever expect.

  26. Rectilinear Propagation says:

    With all the info that can be found online now some of these security questions aren’t that hard to figure out.

    Some? Has anyone ever seen a pre-determined security question that was actually good?

    Mother’s maiden name is the worst.
    1) Since when is that secret information?
    2) My mom didn’t change her name.
    3) Why are you assuming everyone had a mom? There are single fathers and kids who don’t get adopted.

    I have also run into the same problem TooManyHobbies and yggdriedi did: I’m not into sports and this one web site used sports for *all* of the available security questions. It’s a good idea to make up the answers but they force you to anyway.

  27. markmark says:

    You shouldn’t put real passwords in these question answer challenge boxes. Those most likely are not stored encrypted.
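Jason (in the replies to comment 2) and markmark above both worry that sites keep security-question answers in plaintext while hashing passwords. The following is an added example, not code from the original post or from any site mentioned in the thread; it contrasts the weak design (answer stored as typed) with the hardened one (salted PBKDF2 hash of a normalized answer, stored the same way a password would be). The normalization rules, the iteration count and the sample answer “Juniper Berries” are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# PBKDF2 work factor; a value chosen for this example, not from any product.
ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer before hashing.

    People rarely retype "Juniper Berries" with the exact case and spacing
    they used at enrollment, so the hash covers a normalized form: Unicode
    NFKC, casefolded, with runs of whitespace collapsed to a single space.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def enroll_plaintext(answer: str) -> dict:
    """The weak design the commenters worry about: the answer is stored as
    typed, so anyone who can read the table has it."""
    return {"answer": answer}


def verify_plaintext(record: dict, candidate: str) -> bool:
    return normalize_answer(record["answer"]) == normalize_answer(candidate)


def enroll_hashed(answer: str) -> dict:
    """Hardened design: store a random per-record salt and the
    PBKDF2-HMAC-SHA256 hash of the normalized answer, exactly as a
    password would be stored. The plaintext answer never hits the table."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_hashed(record: dict, candidate: str) -> bool:
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        salt,
        record["iterations"],
    )
    # Constant-time comparison so timing does not leak how much of the hash matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_reveals_answer(record: dict, answer: str) -> bool:
    """Audit helper: does the stored record contain the (normalized) answer?"""
    blob = " ".join(str(v) for v in record.values())
    return normalize_answer(answer) in normalize_answer(blob)


if __name__ == "__main__":
    # Sample answer constructed for the demo.
    weak = enroll_plaintext("Juniper Berries")
    strong = enroll_hashed("Juniper Berries")
    print("plaintext record leaks answer:", record_reveals_answer(weak, "Juniper Berries"))
    print("hashed record leaks answer:   ", record_reveals_answer(strong, "Juniper Berries"))
    print("hashed verify, sloppy retype: ", verify_hashed(strong, "  juniper   BERRIES "))
    print("hashed verify, wrong answer:  ", verify_hashed(strong, "Jimson Weed"))
```

With the hashed design a leaked table gives an attacker only salts and digests, so a reused answer on another site is not directly exposed; it does not change the advice in the thread, since a guessable real answer is still guessable, and a slow hash only raises the cost of offline guessing.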

  28. jjmcubed says:

    Not sure if this has been said or not, but my wife and I use a phrase we both know. For instance, let’s say your firstborn’s first steps were Jan 1, 2011. The phrase you can use is “Jane’s First Step Was January 1, 2011.” In this case the password is jfswjf2011!. You can use any phrase that is important, and/or you both will remember.

  29. Cyniconvention says:

    “Where did you go to high school?”

    Hogwarts.

    “What is your mother’s maiden name?”

    Everdeen

    “What is your hometown?”

    Fowl Manor, eastern Ireland.

    Simple stuff.

  30. duncanblackthorne says:

    Duh. You mean people haven’t been doing this all along? *facepalm*
    Seriously, people. Think of them as passwords or passphrases, not factual information. You can make the answers anything you want them to be, even if it makes no sense whatsoever.

  31. yessongs says:

    So my mother is a Unicorn Princess? I don’t think so…..

  32. yessongs says:

    I just use the combination to my luggage… 123456

    • LastError says:

      Combination luggage locks are no match for an ink pen.

      And yes, that’s the combination to MY luggage too. Dammit!

      But I just use the ink pen and never need the numbers.

  33. Ragman says:

    20 years ago, my dad (who is NOT online) told me how he thought using your mother’s maiden name wasn’t very good security, and that he bumped it up the ancestral chain a couple of generations for a name to use that a thief wouldn’t guess.

  34. LastError says:

    Something to think about as you go through life: to whom do you owe the truth? Everyone else (which is nearly everyone) can just deal with crap you make up.

    Any online form or security question will work just as well with a mother’s maiden name of macaroniancheese or Smith, but it’s not likely someone will social engineer the right answer. This kind of thing will stop them dead. Good stuff.

  35. Rhinoguy says:

    On my very first credit card the security answer to “Mother’s Maiden Name” was “I don’t know”. The idiot on the phone wrote that down and I was stuck with it until the bank was bought out.
    One of my more recent answers was to the question “What is your favorite car”. I put down REO Flying Cloud. I saw one at a car show a long time ago.
    Hide your secrets in plain sight, and change it from time to time. I used to keep my codes on a label that covered the original label of a 78 rpm record hung in a frame on the wall. It’s a copy of Bing Crosby singing White Christmas. Maybe I’ll use the hubcap some time…

  36. Razor512 says:

    My secret questions are so secret, I don’t even know the answers, I simply press random keys on the keyboard without thinking.
    So if a question like
    What’s your mother’s maiden name? comes up, I will put something like

    uyefgjdfghjfdhjfdhjuki

    I feel that the security questions will be more secure if even I don’t know them and any account I ever made that asked it has always gotten a random answer.

  37. Rena says:

    My “security question”, if they let me write one, is usually “Why aren’t you looking up the password in your encrypted database?”. The answer tends to be a random string which is also saved, just in case something goes horribly wrong. (I’ve had systems accept a complex password only to then tell me it was invalid and have to reset it right away, more than a couple times.)

  38. Willow16 says:

    Whenever a birthday is requested, I give my sister’s. It’s easy to remember but it’s not mine.

  39. brianguyy says:

    never use your actual mother’s maiden name. ever! I can’t believe companies still offer this as one of the choices, but the former thief shows how it can be used properly I guess. still, they should do away with it.

    I do like the “make up fake answers” idea, but it’s not without flaws. you have to make sure to remember the fake answers you gave, or else you could have a problem down the road.

    another possible suggestion, if you have a problem remembering fake answers, is to use real answers, but use a different question for every bank account, credit card, investment account, retirement account, that you have. for example, your first grade teacher’s name for your 401k, and your first pet’s name for your savings account. use as many varied questions as possible that won’t be tracked in publicly available sources. then that way if one company has a security breach and their database is compromised, you’re still safe.

  40. TWSS says:

    I just answer them all the same for each institution. For one bank, my favorite color, sports team, and mother’s maiden name are all “Spiderman”. For another, my favorite food, first car, and maid of honor at my wedding are all “Lee Marvin”.

    Not as secure as mixing them all up for each institution, but it’s easy for me to remember and hard for a potential hacker to figure out.

  41. greyfots says:

    one of my secret questions i had a long time ago was:
    secret question: “First job?”
    Secret Answer: “blow”

  42. Alex says:

    Ok… changed all security question answers to “unicorn princess”

    Now I am safe!

  43. Invalid_User_Name says:

    Wait, some of you actually use your real answers?

  44. psyonn says:

    Been doing this for years. I used to always give random answers, but then I needed to know them a few years ago when I had an issue with a Credit Card. Now I have specific made up answers to 3 standard questions.

  45. Saltpork says:

    I know this may sound crazy but I have only 2 passwords I use online for all my financial stuff.
    Yes, my passwords are secure & no I don’t include personal info in them.

    The thing is that I only use 1 credit card with less than a thousand dollar limit & identity theft protection for all online purchases.
    Paypal, Newegg, Bills, etc. All 1 card. None of my other financial life transpires online. None.