Asking smarter security questions
RUTGERS (US)—The trouble with most online security questions is that they’re not very secure, according to Danfeng Yao.
Yao, assistant professor of computer science at Rutgers, thinks the answer is to ask more dynamic questions.
“We call them activity-based personal questions,” says Yao.”Sites could ask you, ‘When was the last time you sent an e-mail?’ Or, ‘What did you do yesterday at noon?'”
Yao and her students have been testing how resistant these activity questions are to “attack,”—computer security lingo for when an intruder answers correctly and gains access to personal information such as e-mails or to do online shopping or banking.
Early studies suggest that questions about recent activities are easy for legitimate users to answer but harder for potential intruders to find or guess, Yao explains.
“We want the question to be dynamic. The questions you get today will be different from the ones you would get tomorrow.”
Yao says she gave four students in her lab a list of questions related to network activities, physical activities and opinion questions, and then told them to “attack” each other.
“We found that questions related to time are more robust than others. Many guessed the answer to the question, ‘Who was the last person you sent e-mail to?’ But fewer were able to guess, ‘What time did you send your last e-mail?'”
Yao explains that it should not be difficult for an online service provider to formulate these kinds of security questions by looking at its users’ e-mail, calendar activities, or previous transactions.
Computers would have to use natural language processing tools to synthesize understandable questions and analyze the answers for accuracy.
The study’s preliminary results were presented at a workshop at the Association for Computing Machinery Conference on Computer and Communications Security in Chicago.
Yao is proposing further studies to determine the practicality of the new approach and the best way to implement it.
The work was funded in part by grants from the National Science Foundation.
Rutgers news: http://news.rutgers.edu/medrel/