Episode 2 : Dr. Evil, Quiz Master

I’ve been working on a new online quiz that will let me guess your favorite brand of headlight fluid.  It’s just a few questions, it’s easy, and you’ll love it. 

Question 1: What is your mother’s maiden name?

Question 2: What hospital were you born in?

Question 3: What is your social security #?

With answers to those 3 simple questions, I can accurately predict that you just love using Brando’s Headlight Fluid.  And rightly so, it is the only brand used by true headlight aficionados.

But wait, you say, I thought I wasn’t supposed to give out my social security #.  Well, you’d be right.  That’s a really bad thing to give out.  Mother’s maiden name, hospital of birth, those are OK, right?  No, definitely not.  Absolutely not, no, no, NO!

You see, routine requests for personal bits of information might seem harmless to you.  These little pearls of personal stuff are often the answers to all the secret questions you created so you can reset your password.  This quiz, and heck, very few of them ever, was meant to provide you with amusement.  They exist only to get you to willingly give up exactly the information needed to hack your accounts.

Some are really nefarious.  All those “Only people from Timbuktwo will know these facts” posts are just looking for information on you.  Yeah, we often use hometown things as secret questions and answers.  When someone comments on the post, they might mention “Dirty Pig’s Foot was my absolute favorite restaurant growing up” and readily volunteer something it didn’t even ask for.  I’ve seen another that wants to guess your first car, because that’s a regular security question!  And the kicker is it doesn’t even need to guess correctly: many people will comment that it was nowhere close, and then write in what their first car actually was.  That’s some Bugs Bunny level social engineering right there.

All those seemingly silly quizzes where you can find out your fantasy hand model name … they want your birth date, street you grew up on, first pet’s name, best use of a bob haircut, etc.  They all just gather a nice little bundle of information on everyone who uses them.

What can someone do with this?  Pretty simple: go to any kind of service that has a password reset function (especially one that doesn’t send you an automated link or have two-factor authentication), look at the security questions that come up, see if those answers were already provided somewhere, enter them, reset the password and boom, that person now has your account.
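The weak spot above is a reset flow that accepts static, guessable facts as proof of identity.  The following is an added example, not code from this post, showing the alternative the paragraph mentions: an automated reset link backed by a random, single-use, time-limited token.  The in-memory store, the 15-minute lifetime and the `now` parameter are constructed for illustration; a real service would persist the hashed token next to the user record and deliver the link out of band (e-mail or SMS), so nothing a quiz can harvest about you is enough to redeem it.

```python
import hashlib
import hmac
import secrets
import time

# Constructed choice: a reset link is only good for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory store: user_id -> (sha256(token), expiry timestamp).
# Only the hash is kept, so a leaked table cannot be replayed as a token.
_pending_resets = {}


def _hash_token(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id, now=None):
    """Mint a fresh reset token for user_id and remember only its hash.

    The returned value is what goes into the emailed link.  Because it is
    random, nothing about the user's mother, hometown or first car helps
    an attacker produce it.  Reissuing replaces any earlier pending token.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits of randomness
    _pending_resets[user_id] = (_hash_token(token), now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(user_id, presented, now=None):
    """Return True exactly once for the correct, unexpired token.

    A wrong guess leaves the pending token in place; an expired one is
    discarded; a successful redemption consumes it so the link is single-use.
    """
    now = time.time() if now is None else now
    entry = _pending_resets.get(user_id)
    if entry is None:
        return False
    stored_hash, expires_at = entry
    if now > expires_at:
        _pending_resets.pop(user_id, None)
        return False
    # Constant-time compare so response timing leaks nothing about the hash.
    if not hmac.compare_digest(stored_hash, _hash_token(presented)):
        return False
    _pending_resets.pop(user_id, None)         # consumed: cannot be reused
    return True


if __name__ == "__main__":
    link_token = issue_reset_token("alice")
    print("reset link: https://example.invalid/reset?u=alice&t=" + link_token)
    print("first redeem:", redeem_reset_token("alice", link_token))   # True
    print("replay:", redeem_reset_token("alice", link_token))         # False
```

Two properties do the work here: the secret is generated by the service rather than recalled by the user, and it is consumed on first use and dies on its own after the TTL, so a harvested quiz answer, or even an intercepted old link, buys the attacker nothing.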

Best thing to do when you see some online quiz? Ignore them.  Simply ignore them.  Maybe they’ll eventually go away and stop plaguing us all.