There is an interesting concept growing in popularity on the Internet: dishonesty. Now, I am sure you will want to say to me, “But Daniel, I thought that everything on the Internet was the full and honest truth!” I am sorry to say that not everything on the Internet is true. And you can get in on the fun as well.
A common practice in Internet-based sites is to ask you as a user for semi-personal information to use as additional authenticators to a system, especially in case you lose or forget your password to a site or service. The information you put into these fields is supposed to be something easy for you to remember and enter at a later date because it is about your real life. Here’s the rub: in this day and age of mass searchability and big data, you can get a lot of information about people through free and inexpensive (and unfortunately mostly legal) services on the Internet that might help someone nefarious learn the answers to such questions and get into your accounts.
Have a look at this one: http://thatsthem.com that I was shown a few weeks ago. Granted, not all the info is 100% accurate, but it does show enough to make you wonder. To be clear, I am not advocating or recommending that you should go trolling for people’s info, but rather that you should know what people can find out about you!
Now, I’m here to let you in on a dirty, little secret: the owners of that site, for the most part, will have no idea if you are really entering the name of the actual school you attended in first grade, or if it is a made-up one. Or if your favourite movie is really the fabulous 1989 smash hit starring Weird-Al Yankovic entitled “UHF” or if it is really the answer that no one would ever guess to be true (because it is likely no one’s favourite movie) “Ishtar,” the 1987 crime against cinema that tortured you through every one of its 107 searingly painful on-screen minutes.
So what is my point in all this rambling? An approach to protecting yourself from search-based attacks on these semi-personal knowledge questions is to create an alternate persona for yourself and use that “life” to answer the questions. No search will ever be able to tell a bad guy that you attended the University of South Fiji, because you didn’t – they will enter your correct info, and because you used your alternate information when you registered, they will not get in.
Yes, this requires a level of memory of your alternate life, but as you continue to use these answers, you will be better able to remember what you put down, from birthday to favourite sports team, from school attended to first automobile. All real information is able to be located and tracked, but it is much more difficult to do so with fake info!
N.B. When using systems that actually do have and need your real information (especially your company’s HR and financial systems, the NHS, IRS/HMRC, Social Security Administration and others), please do use your real information for questions they ask you, as otherwise either 1) they won’t give you the account at all or 2) they will come drag you off to prison for impersonating yourself (but doing it poorly because you apparently don’t know your own real birthday). Bottom line: use common sense.