Avoid answering security questions

"I now have a new understanding of how easily some users' accounts are compromised, how their identities are stolen, how their bank accounts have been emptied out, credit ratings ruined."

Irony.

My bank asked these same questions. Now, I am supposed to give the password-reset security answers for my bank to a random acne plauged employee at Apple?

I am shocked so few people comprehend the *real* security issue being discussed here. I am equally shocked that the standing answer is to just accept it an not bother thinking.

CapFan wrote:

Now, I am supposed to give the password-reset security answers for my bank to a random acne plauged employee at Apple?

Oh?

With posts like that, don't expect sympathy here.

Posts turning into personal attacks show how much yaysayers are covering up for this weak system. To add on, the more people probe these guys experiencing the issues the more the number of security flaws exposed.

Firstly, security questions are so Jurassic and prone to hijacks. Wonder how many old age systems are using them?

Secondly, from what I'm hearing, these questions are predetermined? Some are not even able to change them? So let it be, let the hijackers roll in - if an account's security back door is left open?

Why isn't Apple as the company with the world's highest capitalisation using new age security like 2-factory authentication???

I'm glad my bank is using this, Google is using this too and I'm beginning to kiss goodbye to "wuss the secret key phrase" kind of security.

CapFan wrote:

"I now have a new understanding of how easily some users' accounts are compromised, how their identities are stolen, how their bank accounts have been emptied out, credit ratings ruined."

Irony.

My bank asked these same questions. Now, I am supposed to give the password-reset security answers for my bank to a random acne plagued employee at Apple?

I am shocked so few people comprehend the *real* security issue being discussed here. I am equally shocked that the standing answer is to just accept it an not bother thinking.

As has been stated here already you are not required to use the "same" questions as your bank, or even answers. You can create your own. The answers themselves don't have to be the correct ones either. In fact more security conscious users intentionally input screwy answers (that make sense to themselves only) to normal questions to enhance the security.

But the bottom line is as it has always been. Comply or leave. All the arguing and castigating in the world won't change that. Online security is changing rapidly. In a short time almost all web sites that store personal information will be doing this or something similar. Banks and credit cards companies have been doing this for several years now. iTunes is just following the trend.

Nice.

You do know he said you can creat your own answers. They can be fake.

DcBEARcD wrote:

lkrupp wrote:

You can create your own.

No you can't this is one of the reasons that this is a bad policy that doesn't enhance security. Each of the three quesitons has only 5 choices.

lkrupp wrote:

But the bottom line is as it has always been. Comply or leave.

I hear your chest pounding. Do you work for Apple?

Well, I have the option to create my own questions for my account. So yes I can.

I will submit to the new requirement... But not happy about it. I'll have to make up nonsense answers, and be sitting in front of my Mac so I can type in the questions and answers in to mSecure (my favorite password manager which I have on Mac, pc, iPad, and iPhone).

tyler39 wrote:

You do know he said you can creat your own answers. They can be fake.

For some reason, he thinks adding his own answers is "proof that the policy does not work".

So don't use the same answer for every question.

DcBEARcD wrote:

Chris CA wrote:

tyler39 wrote:

You do know he said you can creat your own answers. They can be fake.

For some reason, he thinks adding his own answers is "proof that the policy does not work".

Perhaps I wasn't clear

what I meant to say and maintain is if I'm allowed to use the same answer for all the questions the policy doesn't improve security

It won't improve security if you tell the world that you're using the same answer. Perhaps you're unaware but all security mechanisms depends on you keeping your mouth shut.

Philly_Phan wrote:

It won't improve security if you tell the world that you're using the same answer. Perhaps you're unaware but all security mechanisms depends on you keeping your mouth shut.

True for 2 factor authentication as a security solution? That's more like safekeeping of the device. I don't know why is it so difficult for Apple to implement such a security solution.

A 2-factor device that generates the code from the algorithm can come in virtual forms like apps or even a physical device. That's real security people are using in offices, rather than falling back on security questions.