Many sites and services have implemented some form of secondary security questions that can be used to verify your identity if your account is compromised, or a backup email address to use in case there is an issue with the primary one. These things are intended to enhance and strengthen your protection, but the way most people use them, these security measures actually become the weak link in the security chain, one that can lead to your data being compromised or your identity stolen.
When you knock over one domino, the rest topple after it. Actually, when it comes to protecting your identity and sensitive data, maybe it’s more like Jenga than dominoes. The vast majority of the “blocks” that make up your security might be just fine, but if an attacker finds that one keystone, the “block” that holds it all together, it can all come crashing down quickly.
I wrote about the security concerns related to how people use secondary security questions and two-factor authentication in this blog post:
Data breach after data breach has illustrated just how weak and ineffective passwords can be for protecting accounts and sensitive information. Many sites and services have implemented secondary security protocols and two-factor authentication, but users frequently use information and email accounts that can be easily compromised—giving attackers a simple way to access your information.
One common secondary protocol is to have users supply an alternate email address. Sites and services will use the primary email address 99 percent of the time, but if something happens with that email account, or additional verification is necessary to prove you are really you, a message will be sent to the alternate email address. That alternate email address is often a weak link attackers can exploit.
People frequently use a “throw-away” email account created specifically for verification and unlocking accounts. Securing that account is generally not a high priority, though, because it’s not being actively used for email. An attacker may be able to reset the password on that secondary email account, which will enable them to unlock access to your other accounts, and the dominoes will start to fall.
Click here to read the complete article: Attackers use domino effect to compromise your accounts.
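The chain the article describes, a throw-away backup mailbox that can reset the primary mailbox, which in turn can reset everything else, is easy to audit once you write the recovery relationships down as a graph. The following is an added example, not code from the original post: it takes a constructed, hypothetical map of which account can reset which other account, computes the “blast radius” of each account (everything an attacker could take over transitively after compromising it), and flags accounts that are weakly protected but sit upstream of many others. The account names, edges and protection ratings are all made up for illustration.

```python
# Added example: audit your own account-recovery dependencies for the
# "keystone" that topples the rest. All data below is constructed.

# Edge a -> b means "whoever controls a can reset the password of b"
# (b's backup/recovery email is a, "log in with a" is enabled on b, etc.).
RECOVERY_EDGES = {
    "throwaway-webmail": ["primary-mail"],          # backup address of primary-mail
    "primary-mail": ["bank", "shopping", "social"],  # recovery email for these
    "social": ["shopping"],                          # "sign in with social" option
    "bank": [],
    "shopping": [],
}

# How well each account is actually protected (hypothetical ratings;
# e.g. "weak" = reused password, no 2FA, never logged into).
PROTECTION = {
    "throwaway-webmail": "weak",
    "primary-mail": "strong",
    "bank": "strong",
    "shopping": "medium",
    "social": "medium",
}


def blast_radius(edges, start):
    """Return the set of accounts an attacker could take over, transitively,
    after compromising `start` (the start account itself is excluded)."""
    seen = set()
    stack = [start]
    while stack:
        node = stack.pop()
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    seen.discard(start)  # handles cycles such as a <-> b mutual recovery
    return seen


def keystones(edges):
    """Rank accounts by how many others fall if they are compromised.
    Returns a list of (account, sorted list of reachable accounts)."""
    ranked = sorted(edges, key=lambda a: len(blast_radius(edges, a)), reverse=True)
    return [(a, sorted(blast_radius(edges, a))) for a in ranked]


def weak_links(edges, protection, min_radius=1):
    """Accounts rated 'weak' whose compromise cascades to at least
    `min_radius` other accounts: these are the dominoes to fix first."""
    return [
        account
        for account, reach in keystones(edges)
        if protection.get(account) == "weak" and len(reach) >= min_radius
    ]


if __name__ == "__main__":
    for account, reach in keystones(RECOVERY_EDGES):
        print(f"{account:18s} [{PROTECTION[account]:6s}] -> {', '.join(reach) or '(nothing)'}")
    print("weak links:", weak_links(RECOVERY_EDGES, PROTECTION))
```

In the constructed graph the forgotten webmail account has the largest blast radius of all, which is exactly the situation the article warns about: the fix is to treat that backup mailbox with the same care as the primary one (unique password, two-factor authentication, periodic log-ins), or to remove it as a recovery option altogether.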
Do you use a generic webmail account as your backup email address, or real answers that can be easily researched for your secondary security questions? What do you think of the advice from these security experts? Share your thoughts in the comments.