ABSTRACT
Security questions (or challenge questions) are commonly used to authenticate users who have lost their passwords. We examined the password retrieval mechanisms of a number of personal banking websites and found that many of them rely, at least in part, on security questions with serious usability and security weaknesses. We discuss patterns in the security questions we observed. We argue that today's personal security questions owe their strength to the hardness of an information-retrieval problem: the attacker must find out a fact about the victim. As personal information becomes ubiquitously available online, the hardness of that problem, and with it the security such questions provide, will likely diminish over time. We supplement our survey of bank security questions with a small user study that supplies some context for how such questions are used in practice.
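The abstract's argument can be made concrete with a small guessing-metric calculation. The Python below is an added example and is not code or data from the paper: the pet-name frequencies are constructed for illustration, the fraction of users whose answer can be found online is an assumed parameter, and the independence assumption (users whose answer is not findable online share the population's answer distribution) is a modelling simplification. It shows two things the abstract only states: how much a skewed answer distribution helps an attacker who is limited to a bank's three-attempt lockout, and how quickly the question collapses once the "information-retrieval problem" is solvable for even a minority of users.

```python
"""Added example: quantifying the strength of a personal-knowledge question.

Two effects from the abstract are modelled:
  1. Answers are drawn from a skewed population distribution, so an attacker
     who guesses most-common-first does far better than the number of
     distinct answers suggests.
  2. For some fraction of users the answer can simply be looked up online
     (social profiles, public records); the attacker tries that first and
     falls back to guessing for the rest.

All numbers below are CONSTRUCTED for illustration; they are not measurements
from the paper or from any bank.
"""
import math
from collections import Counter

# Constructed answer counts for "What was the name of your first pet?"
# across an imaginary population of 500 users.
PET_NAMES = Counter({
    "Max": 60, "Buddy": 50, "Bella": 45, "Lucy": 40, "Charlie": 35,
    "Daisy": 30, "Rocky": 30, "Molly": 25, "Jack": 25, "Sadie": 20,
    "Bailey": 20, "Toby": 20, "Coco": 20, "Ginger": 20, "Oscar": 20,
    "Pepper": 20, "Shadow": 20,
})


def sorted_probs(counts):
    """Answer probabilities, most common first (the attacker's guess order)."""
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)


def min_entropy_bits(probs):
    """Strength against a single, optimal guess: -log2 of the top probability."""
    return -math.log2(probs[0])


def beta_success_rate(probs, beta):
    """Probability of success for an attacker allowed beta guesses
    (e.g. a bank that locks the account after three wrong answers)."""
    return sum(probs[:beta])


def alpha_work_factor(probs, alpha):
    """Fewest guesses needed to break at least a fraction alpha of users."""
    covered = 0.0
    for guesses, p in enumerate(probs, start=1):
        covered += p
        if covered >= alpha - 1e-12:
            return guesses
    return len(probs)


def success_with_lookup(probs, beta, lookup_fraction):
    """Attacker first tries to retrieve the answer from public sources,
    which works for lookup_fraction of users, then spends beta guesses on
    everyone else.  Assumes (simplification) that the remaining users'
    answers follow the same population distribution."""
    return lookup_fraction + (1.0 - lookup_fraction) * beta_success_rate(probs, beta)


def report(counts, beta=3, alpha=0.5, lookup_fraction=0.3):
    """Summarise the question's strength under the attacker models above,
    next to a uniform distribution over the same number of distinct answers."""
    probs = sorted_probs(counts)
    uniform = [1.0 / len(probs)] * len(probs)
    return {
        "distinct_answers": len(probs),
        "min_entropy_bits": min_entropy_bits(probs),
        f"success_in_{beta}_guesses": beta_success_rate(probs, beta),
        f"uniform_success_in_{beta}_guesses": beta_success_rate(uniform, beta),
        f"guesses_to_break_{int(alpha * 100)}pct": alpha_work_factor(probs, alpha),
        f"success_in_{beta}_guesses_with_lookup": success_with_lookup(probs, beta, lookup_fraction),
    }


if __name__ == "__main__":
    for key, value in report(PET_NAMES).items():
        if isinstance(value, float):
            print(f"{key:40s} {value:.3f}")
        else:
            print(f"{key:40s} {value}")
```

With the constructed data, three guesses already succeed against 31% of users (versus 18% if the 17 names were equally likely), half the population falls within six guesses, and if the answer can be looked up for 30% of users the three-guess success rate passes 50%. The same functions can be pointed at a real answer corpus; the interesting comparison for a question designer is the beta-success-rate at the bank's actual lockout threshold, not the count of distinct possible answers.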
CITED BY 6
Stuart Schechter, Serge Egelman, and Robert W. Reeder. It's not what you know, but who you know: a social approach to last-resort authentication. In Proceedings of the 27th International Conference on Human Factors in Computing Systems, Boston, MA, USA, April 4-9, 2009.