It seemed like an innocuous question: What’s your favorite pet’s name?
Posed to me by the Internet provider I use to access the Web, I quickly answered the query when I set up my account years ago. I named the dog. Other than worrying that my two cats might be offended, I never thought about it again.
It wasn’t until I met Jonathan Weber, a junior at East Stroudsburg University studying computer security, that I realized I had opened the door for my identity to be stolen.
Weber, owner of Marathon Studios Inc. — a company that develops interactive websites and Internet applications — explained I had made a common mistake that could allow a hacker to hijack my account.
I had chosen a far too common answer to the security question my provider asks any time I forget my password.
He was about to show me how much trouble that could cause.
Sitting at a computer in his office at the university, Weber attempted to log into my email account with a popular service provider.
Weber already had obtained my email address on his own (I’ll explain more about that later). When queried for my password, he hit a random set of letters. The provider, of course, said he had entered the wrong password. When he did it again, it repeated the message, and offered him the opportunity to change the password.
In an attempt to protect me, the provider had, years ago, asked me to set up a security question I must answer correctly in order for me to change the password.
It popped up on the screen: “What’s your favorite pet’s name?”
Weber doesn’t know me at all, so that’s not information he would readily have. But I quickly learned it wouldn’t take much for him to make a very educated guess.
All he had to do was visit my Facebook page.
Pet photos revealing
“People love to post pictures of their pets on their Facebook page,” Weber explained.
I’m no exception. My Facebook page was semi-private, so he could not see everything. But he could see all my photos, which, at the time, I did not restrict access to (that’s now changed).
If he went to my photo page, he would see lots of pictures of my furry little friend, some of which had her name attached. If he was an identity thief, he would have just hit the jackpot.
Without my knowledge, he could have accessed my email — and all the information it contained, including sensitive financial details in emails from my bank and other accounts, such as PayPal.
Next he could have changed the password and security question, meaning I’d be locked out of the account, leaving him free to contact all my other accounts and attempt to change those passwords as well.
That likely wouldn’t be too hard, he said.
“I guarantee you, your password for a lot of things is the same, or some variation of the same,” Weber said. “Once I have your email account, everything else comes down like a house of cards.”
I felt like an idiot. My only solace came in learning I’m not the only one out there who failed woefully in properly securing my account. I had some pretty notable company, Weber said, including Sarah Palin, the former governor of Alaska and vice presidential candidate.
Palin’s email was hacked a few years ago, Weber said, because someone figured out her dog’s name. She, like I, had used that information as her security question, he said.
Your pet’s name, mother’s maiden name and anniversary date are among some of the most popular security questions sites ask to confirm your identity. That type of information is public information that, with only a moderate amount of knowledge, can be obtained by a hacker.
In my case, this wasn’t even “hacking,” as Weber didn’t need to input any type of computer code to access my computer. All he needed was my name and email address, which he obtained through a Google search using relatively unsophisticated computer search tactics.
Weber explained he got my email by taking advantage of a security flaw in a program run by the Pennsylvania Department of Transportation.
Years ago, I had signed up for email and text alerts of road closings and delays. I had filled out a form, via the Internet, that listed my email address and cellphone number. Weber was able to access that form, as well as the forms of thousands of others, because PennDOT failed to employ security features that would ensure it did not become public.
I plan to contact PennDOT officials to advise them of the issue.
In the interim, I’ve taken several steps to shore up my online security.
I immediately changed my security question for my email. It’s unique enough that you wouldn’t be able to figure it out by looking at my Facebook page.
I’ve also removed all personal information from my profile on Facebook and set the privacy settings to the highest level available. Now only my Facebook friends can see my photos.
I’m also taking time to review my passwords and security questions for all my accounts to ensure they’re sufficiently obscure.
I’m sure I won’t be perfect, but Weber advises people that they don’t need to be.
“You don’t need to have Department of Justice security level. The only thing you need is to be more secure than 90 percent of people,” Weber said.
“As long as you know a little about protecting yourself, someone who is looking for a target is going to pass over you and go to someone else who is easier.”
If you don’t want that to be you, take some simple steps to help protect yourself, Weber said.
Don’t use common information, such as your birth date, in creating a password. Equally important, make sure your security question is something only you could know.
“Your password can be as long and complicated as you want, but it’s irrelevant if all it takes is your pet’s name to reset it,” Weber said.