- Windscribe CEO Warns Social Media Quizzes May Collect Data to Bypass Knowledge-Based Authentication
- The “fun” prompts often mirror banking security questions perfectly.
- Experts advise users to treat security answers as a second password, and to lie.
We’ve all seen them pop up in our feeds: “What’s your ’90s sitcom character?” or “Find out your stripper name!” But while these social media quizzes may seem like a bit of harmless fun, they actually act like a massive phishing network.
That’s the warning from Yegor Sak, founder of one of the best VPN providers, Windscribe. According to Sak, these viral personality tests are carefully designed to get the exact answers that financial institutions use to verify your identity.
By including standard banking security questions, such as your mother’s maiden name, your first pet, or the street you grew up on, in a gamified social media post, attackers trick users into voluntarily handing over their account keys.
The dangers of Facebook quizzes
The success of these quizzes is due to psychology rather than advanced hacking techniques. The questions are cleverly disguised to disarm your natural skepticism.
“If a stranger approached you on the street and asked you your mother’s maiden name, your first pet, and the street you grew up on, you would walk away,” Sak explained. “It wraps those same questions into a ‘What ’90s sitcom character are you?’ questionnaire, and people happily type the answers into a database owned by someone they will never meet.”
Sak describes each completed questionnaire as “a credential reset form for a stranger.”
Asking a mother’s maiden name directly puts people on the defensive, but asking for a silly combination of a first pet and childhood street provokes laughter.
“Same data. One feels like an interrogation. The other feels like a game. That gap is the entire attack surface,” Sak said.
This is not just a theoretical threat. In 2020, a major investigation by the UK’s Information Commissioner’s Office (ICO) confirmed that personality-style apps on social platforms were collecting data from tens of millions of users, many of whom had no idea their information was being collected.
“Most people have been quietly handing over the keys to their bank accounts for the better part of a decade,” Sak noted, “and think they’re just having fun on Facebook.”
How to protect yourself (and why you should lie)
So how do you detect a trap? Sak says the danger lies in the type of information requested.
“Any test that asks for a name plus a memory is a red flag,” he warned. “The first pet, the first car, the first school, the street you grew up on, your mother’s maiden name, your favorite teacher. If a quiz collects four or five of them in a round, it’s not a personality test. It’s a safety sticker quiz.”
Because a leaked password can be changed in seconds but the name of the street you grew up on cannot, Sak recommends a simple but drastic solution to knowledge-based authentication: lying.
If you have ever completed one of these questionnaires, you should immediately update the security questions in your bank, email, and brokerage accounts. Treat each answer as a secondary password and use random dummy responses.
“The data no longer exists,” Sak concluded. “The only thing left to do is change your security answers everywhere and stop using questions whose answers exist on the Internet.”
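The red-flag rule and the "lie" advice above, sketched as an added example (not code from the article or from Windscribe): it counts how many distinct security-question categories a quiz's prompts touch, flags the quiz at four, and generates a random dummy answer to store in a password manager. The regex patterns, function names, threshold default and sample prompts are assumptions constructed for illustration.

```python
import re
import secrets

# Assumed patterns for the memory-based prompts the article lists; tune them
# against the security questions your own accounts actually use.
KBA_PATTERNS = {
    "mother_maiden_name": r"\bmaiden\s+name\b",
    "first_pet": r"\bfirst\s+pet\b|\bchildhood\s+pet\b",
    "first_car": r"\bfirst\s+car\b",
    "first_school": r"\bfirst\s+school\b|\belementary\s+school\b",
    "childhood_street": r"\bstreet\s+(you|i)\s+grew\s+up\s+on\b|\bchildhood\s+street\b",
    "favorite_teacher": r"\bfavou?rite\s+teacher\b",
}

def kba_categories(prompts):
    """Return the set of security-question categories the prompts touch."""
    hits = set()
    for prompt in prompts:
        text = prompt.lower().replace("\u2019", "'")  # normalise curly apostrophes
        for category, pattern in KBA_PATTERNS.items():
            if re.search(pattern, text):
                hits.add(category)
    return hits

def is_harvesting_quiz(prompts, threshold=4):
    """Flag a quiz that collects `threshold` or more distinct categories."""
    return len(kba_categories(prompts)) >= threshold

def dummy_answer(nbytes=16):
    """Random answer to register instead of the real one (keep it in a password manager)."""
    return secrets.token_urlsafe(nbytes)

# Constructed sample quizzes (not real posts).
SUSPECT_QUIZ = [
    "Your sitcom name = first pet + the street you grew up on!",
    "Your sidekick is your favorite teacher.",
    "Your getaway vehicle: your first car.",
]
BENIGN_QUIZ = [
    "Pick a pizza topping.",
    "Which city would you visit next?",
]

if __name__ == "__main__":
    for name, quiz in (("suspect", SUSPECT_QUIZ), ("benign", BENIGN_QUIZ)):
        print(name, sorted(kba_categories(quiz)), is_harvesting_quiz(quiz))
    print("store this instead:", dummy_answer())
```

Counting distinct categories rather than matching prompts matters because a single prompt can combine two answers, as the first constructed line does.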