In an interview, a former credit card thief describes some of the scams he used to run on unwary consumers. It has some good takeaways for protecting yourself, like the one about making up fake answers to security questions. With so much personal information findable online, the standard questions aren’t hard to answer: a mother’s maiden name, a hometown or a first school is the kind of thing a determined stranger can look up. So instead of putting down the real answer to “What’s your mother’s maiden name?”, put down something like “unicorn princess”, and treat that answer as a second password that nobody else knows.
Secrets of a Former Credit Card Thief [Yahoo] (Thanks to Newdreams!)

I put in icfjef8837yjdujdk2ik2kdj3uh7hd7
…or something like that
seems like it’ll be fun recalling that when they ask you for it!
keepass ftw!
I had an account once that wanted me to make both the question and answer.
Question: You know this.
Answer: [Whatever my password was]
But, what happens when you get asked the security question because you don’t remember your password?
Hypnosis…
I like those. That way, you aren’t boxed in to something standard that is easy to guess. I had an account where the question I created was “where is the place where I put that thing that time?”
I’m pretty sure that hackers aren’t going to guess that one readily…
Please tell me the answer is “That’s what she said.”
Like everyone wouldn’t immediately know that the answer is “the medicine cabinet”…
This is probably a bad idea. My guess is that these answers are often stored in plaintext in the database whereas your password should always be hashed before it is stored in the database. Some other sufficiently random string would work though.
Yes, although if someone has access to the plaintext database it really doesn’t matter what my info is, they have it.
The problem arises when you use the password in more than one place as they are able to extract the password and apply it to other sites, if you have a completely random password used only for that account then it doesn’t matter too much.
But if you use the password with other sites and banks, you’re p0wned even more!
I love these (where you get to specify the question AND the answer).
The best one I ever heard was this (note that the CSR has to read it to you verbatim):
Question: “You’re not going out dressed like that, are you?”
Answer: “You can’t tell me what to do! You’re not my real father!”
AHAHAHA, that’s so awesome!!! I have a username for one of my accounts for when they send text notifications to my phone, and I have it set for Sugartits; only time you’ll ever get a smile out of me owing someone money!!!
That is AWESOME.
Favorite Volcano:
Eyafjallajökull
Your mother’s maiden name = dog’s maiden name
still an unusual name and a whole lot easier to remember.
Where did your dog get married?
Technically she had puppies out of wedlock, but she thinks of her stud as her man so we humour her and say she got married.
common law marriage?
Common paw marriage.
very good
“Paws” Vegas…they eloped
also use my 3rd grade teacher’s name
Translated from her native tongue it was Miss Octopuskiller
it is just too weird and unforgettable. I use the original language version.
Another favorite question: What was your high school pad lock combination
I couldn’t even remember that in high school.
“pennied”
“Your mother’s maiden name = dog’s maiden name”
No, no. That’s mother-in-LAW’S maiden name
I’ve been doing this for a while. I’ve had financial systems require security questions like “where did you go to high school” and “where is your hometown”
Considering I’m 25 and haven’t left town, that’s not really security.
My trick is that when it asks me my favorite pet, I really tell it my second-favorite…you know, to trick the hackers.
Plus, it makes my second-favorite happy to think I love him. Even though I don’t.
You just made my Friday – thank you.
Until he reads this.
Yea…. and it’s fun when you call someone and they ask a security question like “where were you born” – and I get to say “North Pole”
The hardest part about using made up information – when you first start since some accounts may have the old/real information, while newer accounts will have the creative ones.
Ah that’s when you use a password utility like 1password pro or KeePass
This happened once to me… I registered a business copy of Quickbooks and for my name I put Gojump Inalake. A year later I had some problem with it and called their Tech Service. They wouldn’t help me because they said that the registration had “an Indian name”, and I couldn’t remember it. Thankfully I called back and the next person I talked to figured the name out and gave me a hint.
Hey wait a minute….. my mother’s maiden name IS “Unicorn Princess.” What’s going on here?
Wait: Are you my long-lost brother?
Funny, my childhood pet’s name was Unicorn Princess.
If you make up a fake answer then you have to remember it just like the password that you forgot.
But I have been hacked by a friend who knew the real answers, so I guess security questions are not entirely useful.
I hacked into my sister’s email once by guessing the security questions, which I subsequently used to get into her Facebook to prove she stole my parents’ credit card.
Or maybe I didn’t since it’s illegal..either way it sounds very plausible and easy to do, I agree with making up answers as long as you can keep them straight.
OR have it be an honest answer but input it in pig latin.
Great idea and one that I have been using for years. Especially since everyone and their brother seems to ask the same idiotic “security” questions. They should be insecurity questions – Mother’s maiden name? First school? First dog? etc.
Best part of giving a false answer is if you craft it to be specific to each institution… much like passwords for websites. Have a core answer, say “87654321”, and then for each instance use some part of their name in your answer. So, say for Bank of America your answer might be “87654321BOA”. This example is very obvious as to what is going on. Note that the core answer does not change and each institution modifies it. The modification can be, like my example, adding the initials to the core, or it could be adding the number for the length of the institution’s name to the core (87654113) or adding the last letters… You don’t need to use their name either, you can use type of service (no not crappy vs good, but bank vs dry cleaner)… etc… etc…
Yea… I’ve been doing this too (and still do) but I did realize a while ago that even though each password is unique, as soon as someone figures out one of them they can easily figure out the rest by deciphering the code.
yeah but if you make the code something stupid (for example, for my bank account I use the letters from the name of the bank that my bank was before it got bought out.)
I knew it! The banks really are in control of everything!
You’d be surprised how robust a simple alphabet cipher could be in such situation.
Totally.
I use a physical keyboard cipher. My password formula is somewhat complex, and a couple characters are based on the name of the site.
To use BOA as an example again, one trick I like is to offset the letters on the keyboard. For instance, maybe the first character is transposed with the key 2 to the left, so “B” becomes “M”.
A cracker who had enough time, or examples of your passwords, would eventually figure it out, but it would be pseudo-random enough to discourage the average ID thief.
When I signed up for PayPal recently I literally could not provide the two security questions they require. They give you a list of possible questions and don’t let you write your own, and of the questions based on facts, only one was relevant to me (dear PayPal: when you ask “who was your first roommate” you might want to keep in mind that not everyone has had a roommate!). The rest were questions based on opinion, and as I hope everyone knows, you should never use these because opinions can change. (“What would I have said my favorite movie was 5 years ago?”)
I actually ended up just making stuff up and writing it down so I could check it later.
You could always go the Odysseus route and answer “nobody”.
the first school I attended was closed, sold and converted to a convenience store.
I’m more a numbers person, so I like to use a combination of old addresses dating back to my preschool youth. and the convenience store.
I use an old boyfriend’s name/birthdate, etc. for security answers, pin numbers, etc. Go ahead hackers, try and figure out which old boyfriend I used.
I guess it depends if you are a woman of ill repute. JK
Then all her boyfriends would be named John
Don’t you mean “Refude”?
/bad Sarah Palin joke.
good to know I wasn’t the only one thinking the same…
This wouldn’t work for me.
I had two of them and I don’t remember the name of the first.
eh eh eh eh
I answer the questions correctly but with a 6-digit number tacked onto the end, and use that same number for all my security questions. Easy for me to remember, difficult for someone else to figure out.
All they need to do is obtain your answer for one site and they can extrapolate your answer for every OTHER site.
Easy to discern patterns are as bad as no pattern.
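The weakness raised in the two exchanges above (a fixed core plus a per-institution twist, and a shared six-digit suffix on every answer) can be made concrete. The following is an added example and not code from the post or any commenter; the institution names, the leaked answers and the three candidate twist rules are constructed for the demonstration. Given answers leaked from two breached databases, it recovers the shared core and the rule that ties them together, predicts the victim’s answer at a third institution that was never breached, and for contrast generates the kind of independent random answer that gives this inference nothing to work with:

```python
"""Added example: why a "core + per-site twist" security answer is only one
leak away from every other site's answer.  Not code from the post or its
commenters; institution names, leaked values and rules are constructed."""
import secrets
import string
from typing import Dict, Optional, Tuple


# Three per-site "twists" modelled on the ones described in the thread:
# the institution's initials, the length of its name, or its last letters.
def initials(site: str) -> str:
    return "".join(word[0].upper() for word in site.split())


def name_length(site: str) -> str:
    return str(len(site.replace(" ", "")))


def last_two(site: str) -> str:
    return site.replace(" ", "")[-2:].upper()


RULES = {"initials": initials, "length": name_length, "last2": last_two}


def patterned_answer(core: str, site: str, rule: str) -> str:
    """The scheme under discussion: a fixed core plus a site-derived suffix."""
    return core + RULES[rule](site)


def infer_scheme(leaks: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Given {site: answer} pairs recovered from breached databases, return
    (rule, core) for the first rule that explains every leak with a single
    shared core, or None if no candidate rule fits all of them."""
    for name, twist in RULES.items():
        cores = set()
        for site, answer in leaks.items():
            suffix = twist(site)
            if not answer.endswith(suffix):
                break  # this rule cannot explain this leak
            cores.add(answer[: len(answer) - len(suffix)])
        else:
            if len(cores) == 1:  # every leak shares one core under this rule
                return name, cores.pop()
    return None


def predict(leaks: Dict[str, str], target_site: str) -> Optional[str]:
    """Predict the victim's answer at a site that has not been breached."""
    scheme = infer_scheme(leaks)
    if scheme is None:
        return None
    rule, core = scheme
    return patterned_answer(core, target_site, rule)


def independent_answer(length: int = 20) -> str:
    """The alternative the thread arrives at: a per-site answer drawn from the
    OS CSPRNG and kept in a password manager.  Nothing ties it to any other
    site's answer, so one leak reveals nothing about the rest."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed leaks: two breached sites, same victim, patterned answers.
    leaks = {
        "Bank of America": patterned_answer("87654321", "Bank of America", "initials"),
        "Dry Cleaner": patterned_answer("87654321", "Dry Cleaner", "initials"),
    }
    print("leaked:", leaks)
    print("inferred (rule, core):", infer_scheme(leaks))
    print("predicted for Wells Fargo:", predict(leaks, "Wells Fargo"))
    # Independent answers defeat the inference.
    random_leaks = {site: independent_answer() for site in leaks}
    print("inferred from independent answers:", infer_scheme(random_leaks))
```

The inference only tries the three rules the thread names, but that is the point: a derivation rule simple enough to apply in your head is simple enough for an attacker to enumerate once two or three of your answers are sitting in breach dumps side by side.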
I’ve been doing this for more than 20 years. I think I did that even with my first credit card when they asked for my mother’s maiden name. Even then, I didn’t think that was very safe, considering that anyone who knows you would know that. It actually led to me being alerted when my wife called my bank for information. Even she couldn’t get past the security questions, like “What’s your wife’s middle name?” and “What city were you born in?”
If I was your wife and called and was asked “what is your wife’s middle name” gave my middle name and was told it was the wrong answer you would have bigger problems than someone trying to access your banking information! haha.
I just use 12345678 for all of my passwords. Sometimes I like to change it up with 123456789.
That’s incredible. I have the same combination on my luggage!
That’s incredible! That’s the same password I use for my Gawker accounts!
A bank I recently signed up with had a list of security questions that was probably 15 questions long. Lots of choice, right? Except that I didn’t know the answers to any of them, or they didn’t apply. Lots of them had to do with sports or something, and I don’t give a crap about sports and don’t know anything about them, even at the college I went to. So I pretty much HAD to pick one and make up an answer.
My answers are sometimes “hell i don’t know” or something like that.
“Who was your favorite running back from the 1974 expansion draft?”
That’s great, until you can’t remember the fake answer.
That’s why it’s better to just let it be a swear word, then when you start cussing out the tech support person, they say congrats you got it.
Yeah you just treat it like a second password. Either nonsense answers (example: My user name is? BigWilly54) or just a completely random string of characters, then store that answer in a secure location for retrieval later.
The easiest way to remember it is to come up with a word and use it as your answer, regardless of the question. For example:
What’s the name of your first pet?
– Juniper Berries
What’s your mother’s maiden name?
– Juniper Berries
Etc…
The problem with this approach is that if company #1’s database is compromised, and your answers are stolen, they can use them on Company #2’s web site.
The only secure answer is KeePass, or something like it, to keep track of the different answers that you give for each different company. They don’t have to be hardcore, like 9jh^trfR4#ubnf, just different. So your mother’s maiden name is “Juniper Berries” for the bank, but “Jimson Weed” for the credit card company.
Security questions are so infrequently used, you might as well make it complex. If you’re not going to be able to remember either, you might as well make it something extremely difficult to guess.
“what is the name of your pet?”
*lists ex boyfriend’s nickname*
Already done. And remembering those answers is a pain at first but after more use they’re second nature.
I use LastPass and create a Secure Note for each of the accounts that requires security questions. Then I choose the first question and answer it with a random 20-character answer. Good luck guessing that my high school mascot was a nSm37h3B587cdsT3q9Ss.
I don’t see how that would help, since my mother’s maiden name *is* unicorn princess. It’s a hippie thing.
a friend once answered the question “what is your mothers maiden name” with Patel and got into someone elses AMEX account.
I use answers stolen from known credit card thieves. They’re the last answers they ever expect.
With all the info that can be found online now some of these security questions aren’t that hard to figure out.
Some? Has anyone ever seen a pre-determined security question that was actually good?
Mother’s maiden name is the worst.
1) Since when is that secret information?
2) My mom didn’t change her name.
3) Why are you assuming everyone had a mom? There are single fathers and kids who don’t get adopted.
I have also run into the same problem TooManyHobbies and yggdriedi did: I’m not into sports and this one web site used sports for *all* of the available security questions. It’s a good idea to make up the answers but they force you to anyway.
You shouldn’t put real passwords in these question answer challenge boxes. Those most likely are not stored encrypted.
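The two comments above about answers being kept in plaintext point at the server-side fix: store a security answer exactly the way a password is stored. The following is an added example, not code from the post or its commenters. It normalises the answer so that “Juniper Berries”, “ juniper  berries ” and “juniper berries!” all verify (the kind of variation a customer typing from memory produces), then salts and hashes the normalised form with scrypt and compares in constant time. The normalisation rules and the scrypt work factor are illustrative choices for the demo:

```python
"""Added example: storing a security-question answer the way a password
should be stored.  Not code from the post or its commenters.  The
normalisation rules and scrypt parameters are illustrative choices."""
import base64
import hashlib
import hmac
import re
import secrets
import unicodedata

# Work factor: n=2**14, r=8 uses 128*r*n = 16 MiB per hash, under the
# default 32 MiB ceiling hashlib.scrypt inherits from OpenSSL.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def normalize(answer: str) -> str:
    """Canonical form applied at enrolment and at verification so minor
    typing differences do not lock the user out.  Only the hash of this form
    is ever stored, never the form itself."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)  # strip punctuation, keep letters/digits
    return " ".join(text.split())         # collapse runs of whitespace


def hash_answer(answer: str) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$digest (base64)."""
    salt = secrets.token_bytes(16)  # fresh per record, so equal answers differ
    digest = hashlib.scrypt(normalize(answer).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)

    def b64(raw: bytes) -> str:
        return base64.b64encode(raw).decode("ascii")

    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     b64(salt), b64(digest)])


def verify_answer(answer: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time.
    A malformed record verifies as False rather than raising."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = hashlib.scrypt(normalize(answer).encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=len(expected))
    except ValueError:  # wrong field count, bad base64, bad parameters
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_answer("Juniper Berries")
    print("stored:", record)
    for attempt in ["Juniper Berries", "  juniper   BERRIES ", "juniper berries!", "Jimson Weed"]:
        print(repr(attempt), "->", verify_answer(attempt, record))
```

Hashing only raises the cost of guessing; it does not add entropy. A record for “Smith” still falls to a surname list in a handful of guesses, which is why the thread’s advice to make the answer itself a secret nobody can look up applies just as much when the server does its part properly.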
Not sure if this has been said or not, but my wife and I use a phrase we both know. For instance, let’s say your firstborn’s first steps were Jan 1, 2011. The phrase you can use is “Jane’s First Step Was January 1, 2011.” In this case the password is jfswjf2011!. You can use any phrase that is important, and/or you both will remember.
“Where did you go to high school?”
Hogwarts.
“What is your mother’s maiden name?”
Everdeen
“What is your hometown?”
Fowl Manor, eastern Ireland.
Simple stuff.
Duh. You mean people haven’t been doing this all along? *facepalm*
Seriously, people. Think of them as passwords or passphrases, not factual information. You can make the answers anything you want them to be, even if it makes no sense whatsoever.
So my mother is a Unicorn Princess? I don’t think so…..
I just use the combination to my luggage… 123456
Combination luggage locks are no match for an ink pen.
And yes, that’s the combination to MY luggage too. Dammit!
But I just use the ink pen and never need the numbers.
20 years ago, my dad (who is NOT online) told me how he thought using your mother’s maiden name wasn’t very good security, and that he bumped it up the ancestral chain a couple of generations for a name to use that a thief wouldn’t guess.
Something to think about as you go through life: to whom do you owe the truth? Everyone else (which is nearly everyone) can just deal with crap you make up.
Any online form or security question will work just as well with a mother’s maiden name of macaroniancheese or Smith, but it’s not likely someone will social engineer the right answer. This kind of thing will stop them dead. Good stuff.
On my very first credit card the security answer to “Mother’s Maiden Name” was “I don’t know”. The idiot on the phone wrote that down and I was stuck with it until the bank was bought out.
One of my more recent answers was to the question “What is your favorite car”. I put down REO Flying Cloud. I saw one at a car show a long time ago.
Hide your secrets in plain sight, and change it from time to time. I used to keep my codes on a label that covered the original label of a 78 rpm record hung in a frame on the wall. It’s a copy of Bing Crosby singing White Christmas. Maybe I’ll use the hubcap some time…
My secret questions are so secret, I don’t even know the answers, I simply press random keys on the keyboard without thinking.
So if a question like
What’s your mother’s maiden name? comes up, I will put something like
uyefgjdfghjfdhjfdhjuki
I feel that the security questions will be more secure if even I don’t know them and any account I ever made that asked it has always gotten a random answer.
My “security question”, if they let me write one, is usually “Why aren’t you looking up the password in your encrypted database?”. The answer tends to be a random string which is also saved, just in case something goes horribly wrong. (I’ve had systems accept a complex password only to then tell me it was invalid and have to reset it right away, more than a couple times.)
Whenever a birthday is requested, I give my sister’s. It’s easy to remember but it’s not mine.
never use your actual mother’s maiden name. ever! I can’t believe companies still offer this as one of the choices, but the former thief shows how it can be used properly I guess. still, they should do away with it.
I do like the “make up fake answers” idea, but it’s not without flaws. you have to make sure to remember the fake answers you gave, or else you could have a problem down the road.
another possible suggestion, if you have a problem remembering fake answers, is to use real answers, but use a different question for every bank account, credit card, investment account, retirement account, that you have. for example, your first grade teacher’s name for your 401k, and your first pet’s name for your savings account. use as many varied questions as possible that won’t be tracked in publicly available sources. then that way if one company has a security breach and their database is compromised, you’re still safe.
I just answer them all the same for each institution. For one bank, my favorite color, sports team, and mother’s maiden name are all “Spiderman”. For another, my favorite food, first car, and maid of honor at my wedding are all “Lee Marvin”.
Not as secure as mixing them all up for each institution, but it’s easy for me to remember and hard for a potential hacker to figure out.
one of my secret questions i had a long time ago was:
secret question: “First job?”
Secret Answer: “blow”
Ok… changed all security question answers to “unicorn princess”
Now I am safe!
Wait, some of you actually use your real answers?
Been doing this for years. I used to always give random answers, but then I needed to know them a few years ago when I had an issue with a Credit Card. Now I have specific made up answers to 3 standard questions.
I know this may sound crazy but I have only 2 passwords I use online for all my financial stuff.
Yes, my passwords are secure & no I don’t include personal info in them.
The thing is that I only use 1 credit card with less than a thousand dollar limit & identity theft protection for all online purchases.
Paypal, Newegg, Bills, etc. All 1 card. None of my other financial life transpires online. None.