Particularly this point:
> If the hackers didn't answer the security questions, but merely managed to socially engineer their way around the questions with other bits of personal information, that lays a bit of the blame — a lot of it — in Apple's lap
I don't think I need to recap the frequent HN posts that decry how hard it is to get a human to fix an automated customer service screwup. I don't have any experience working customer service but I have a feeling that there is a good segment of users, especially of the just-off-the-AOL boat, who regularly forget what they put in their security questions. For example, I'm sure for the "what was your first car" question, people do things like "Camry", "Toyota Camry" or "96 Toyota Camry". All of those answers would be considered wrong if one character was out of place (and I'm being generous in assuming that all Q&A systems strip white space and are case insensitive) by a computer, but a human operator could resolve this.
But how much leeway should a human operator give? If the person entered "96 Toyota Camry" but misses by one year the 1996 part, does she deserve to be locked out? What if she got all the other questions right, including SSN? Yet in that case, that still leaves a sizable hole for social engineering.
I guess in Apple's case, they can institute an in-person authentication system, thanks to the ubiquity of their service and retail centers. But this is not feasible for most other services. So what's the line or the solution here?
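
The matching trade-off raised in the comment above, as an added example that is not part of the original thread: a strict, hashed comparison rejects every variant of the car answer except the exact one, while a lenient rule standing in for operator leeway also accepts a bare "Toyota". The function names, the token-subset rule and the extra attempt strings are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

def normalize(answer: str) -> str:
    # Case-fold, turn punctuation into spaces, collapse whitespace
    # (the "generous" assumption about automated Q&A systems).
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", answer.casefold()).split())

def enroll(answer: str) -> tuple[bytes, bytes]:
    # Store only a salted, stretched hash of the normalized answer.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)
    return salt, digest

def strict_match(record: tuple[bytes, bytes], attempt: str) -> bool:
    # Automated check: any remaining difference after normalization fails.
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(attempt).encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def lenient_match(stored: str, attempt: str) -> bool:
    # Hypothetical model of operator leeway: accept when every word of the
    # attempt appears in the stored answer. This needs the answer kept in
    # readable form, which a hash-only store cannot provide.
    s, a = set(normalize(stored).split()), set(normalize(attempt).split())
    return bool(a) and a <= s

# Constructed sample data; the three car strings come from the comment.
STORED = "96 Toyota Camry"
ATTEMPTS = ["Camry", "Toyota Camry", "96  toyota camry",
            "97 Toyota Camry", "Toyota", "Honda Civic"]

def compare(stored: str, attempts: list[str]) -> dict[str, tuple[bool, bool]]:
    # Map each attempt to (strict result, lenient result).
    record = enroll(stored)
    return {a: (strict_match(record, a), lenient_match(stored, a)) for a in attempts}

if __name__ == "__main__":
    for attempt, (strict, lenient) in compare(STORED, ATTEMPTS).items():
        print(f"{attempt!r:22} strict={strict!s:5} lenient={lenient}")
```

The lenient column is the social-engineering hole in miniature: every answer it newly accepts is one a caller could supply knowing only the make of the car.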