Known cases of harm from telling FB your initials and favorite color?
April 14, 2021 2:45 PM Subscribe
The internet loves little generative memes where you choose from the first column based on your favorite color, the second column based on your birth month, the third column based on your initials, and bam, that's your Wacky 80s Band Name or something. Every time one comes around, someone asserts that you're an utter fool if you participate, because it's basically asking to have your personal data stolen by evildoers. So...is it? Are there any known cases of responses to these memes being used for nefarious purposes?
Note that I am specifically talking about memes like this, that circulate as an image and that invite you to repost it with a comment like "LOL my 80s band name is Rambo and the Gnarly Mallrats."
I'm not talking about viral content that asks you to do much more egregiously risky things, like grant an app access to your entire Facebook account. I know that those exist and cause genuine harm.
Note that I am specifically talking about memes like this, that circulate as an image and that invite you to repost it with a comment like "LOL my 80s band name is Rambo and the Gnarly Mallrats."
I'm not talking about viral content that asks you to do much more egregiously risky things, like grant an app access to your entire Facebook account. I know that those exist and cause genuine harm.
Favorite color is a security questions I've been asked recently. While I have never been asked for my middle name, I've been asked for my parents or siblings middle names. So there may be some concern they are harvesting security data.
posted by phil at 3:49 PM on April 14, 2021
posted by phil at 3:49 PM on April 14, 2021
Response by poster: Yes, that is the concern people are voicing. What I'm wondering is, are there any known cases of these memes being used that way?
posted by nebulawindphone at 5:33 PM on April 14, 2021
posted by nebulawindphone at 5:33 PM on April 14, 2021
Best answer: It would be almost impossible to prove that information from a question meme was used in that manner unless the person who had abused the information were caught. These memes work effectively as a phishing campaign, but without any specific target and without necessarily providing useful information. It would also be made difficult to ever prove that information posted in response to these memes was used by bad actors because the person requesting the information is (presumably) not the person who would abuse the information. I can't imagine a situation where one could prove information from that specific a source was used to answer security questions.
Without the ability to actually answer your question the best I can offer is that I've had "first concert you attended" asked as a security question, so answering questions of favorite band would narrow down potential answers for security questions.
Part of how concerned you should be depends on how significant of a target you are; if Mark Zuckerberg posted publicly his first pet's make that's significantly different from the millionth Facebook user posting the same information. This doesn't help craft a response to people who will rain on your parade by insisting that telling people your favorite color is a security risk.
posted by I paid money to offer this... insight? at 6:01 PM on April 14, 2021 [2 favorites]
Without the ability to actually answer your question the best I can offer is that I've had "first concert you attended" asked as a security question, so answering questions of favorite band would narrow down potential answers for security questions.
Part of how concerned you should be depends on how significant of a target you are; if Mark Zuckerberg posted publicly his first pet's make that's significantly different from the millionth Facebook user posting the same information. This doesn't help craft a response to people who will rain on your parade by insisting that telling people your favorite color is a security risk.
posted by I paid money to offer this... insight? at 6:01 PM on April 14, 2021 [2 favorites]
Best answer: I've seen a lot of extraordinary claims about that sort of thing, generally by people that don't understand operational security or that are overly paranoid about it. As a related example, one of my security buddies was recently chastised by someone for giving away the state he lives in. He's the only person with his name, he owns property in his name - his entire address is a matter of public record for anyone that wants to find him. Mentioning the state he lives in isn't a problem.
Similarly, unless you're someone of extraordinary interest, as I paid money... pointed out, even if you did give away a security answer for your bank, the odds of someone caring enough to try to combine that with other information about you to turn it into something actionable is between slim and none. Obviously you should still not give away anything that you use for a knowledge based answer (and some password managers will let you use random values for those so they're completely unguessable).
That said, if you're doing this inside the Facebook (or similar) ecosystem, they will store pretty much everything you enter and try to use it at some point. So right now if the meme question is what was the first concert you went to and you say Billy Idol, they're probably not going to be able to connect the question to the answer but they might flag you as someone interested in Billy Idol. And 10-20 years down the line, AI might be smart enough to enrich that connection with the fact that it was your first concert.
And nefarious entities do go through and grab stuff off of social media sites, which can range from what happened with Parlor to the giant Facebook dataset that just leaked (but was known to have existed for years) to people scraping Clubhouse. The bad guys for the most part don't have automated tooling to build profiles of people off of those yet (unless you're of interest to say, the Chinese government) but they will.
posted by Candleman at 7:27 PM on April 14, 2021 [2 favorites]
Similarly, unless you're someone of extraordinary interest, as I paid money... pointed out, even if you did give away a security answer for your bank, the odds of someone caring enough to try to combine that with other information about you to turn it into something actionable is between slim and none. Obviously you should still not give away anything that you use for a knowledge based answer (and some password managers will let you use random values for those so they're completely unguessable).
That said, if you're doing this inside the Facebook (or similar) ecosystem, they will store pretty much everything you enter and try to use it at some point. So right now if the meme question is what was the first concert you went to and you say Billy Idol, they're probably not going to be able to connect the question to the answer but they might flag you as someone interested in Billy Idol. And 10-20 years down the line, AI might be smart enough to enrich that connection with the fact that it was your first concert.
And nefarious entities do go through and grab stuff off of social media sites, which can range from what happened with Parlor to the giant Facebook dataset that just leaked (but was known to have existed for years) to people scraping Clubhouse. The bad guys for the most part don't have automated tooling to build profiles of people off of those yet (unless you're of interest to say, the Chinese government) but they will.
posted by Candleman at 7:27 PM on April 14, 2021 [2 favorites]
One way of trying to crack passwords is to use combinations of words in a dictionary. Current technology can only use a restricted dictionary of maybe 15K words or so. The web sites described may be trying to figure out which words are most promising to include.
posted by SemiSalt at 6:31 AM on April 15, 2021
posted by SemiSalt at 6:31 AM on April 15, 2021
The famous case is "This is your Digital Life" facebook app collecting a whole bunch of info from participants and friends and then sharing that with Cambridge Analytica, which used it for political campaign targeting as well as other uses.
Supposedly this is no longer possible, at least to that extent, but of course there is no way for you to know for certain one way or the other - which is part of the problem.
posted by flug at 12:12 PM on April 15, 2021
Supposedly this is no longer possible, at least to that extent, but of course there is no way for you to know for certain one way or the other - which is part of the problem.
posted by flug at 12:12 PM on April 15, 2021
Current technology can only use a restricted dictionary of maybe 15K words or sofwiw, depending on what/how someone is trying to crack passwords or do credential stuffing, this is wrong by at least a couple of orders of magnitude, in some cases by much much more.
posted by russm at 5:29 AM on April 16, 2021
This thread is closed to new comments.
posted by raccoon409 at 2:57 PM on April 14, 2021 [3 favorites]