- Windscribe CEO warns that social media quizzes can harvest data to bypass knowledge-based authentication
- “Fun” prompts often map directly onto the security questions banks use
- Experts advise treating security answers as a second password: use random, fake answers instead of the truth
We’ve all seen them pop up on our feeds: “What’s your ’90s sitcom character?” or “Find out your stripper name!” These social media quizzes may seem fun and harmless, but they can function as a large-scale phishing operation.
That’s the warning from Yegor Sak, founder of VPN provider Windscribe. According to Sak, these viral personality tests are designed to harvest exactly the answers that financial institutions use to verify your identity.
By embedding standard banking security questions, like your mother’s maiden name, your first pet, or the street you grew up on, into a gamified social media post, attackers trick users into voluntarily handing over the keys to their accounts.
The dangers of Facebook quizzes
The success of these quizzes depends on psychology rather than advanced hacking techniques. The questions are cleverly disguised to disarm your natural skepticism.
“If a stranger came up to you on the street and asked your mother’s maiden name, your first pet and the street you grew up on, you would walk away,” Sak said. “Wrap those same questions into a ‘Which 90s sitcom character are you?’ quiz, and people happily type the answers into a database owned by someone they’ll never meet.”
Sak describes each completed quiz as “a credential reset form for a stranger.”
Asking a mother’s maiden name directly puts people on the defensive, but asking a silly combination of a first pet and a childhood street gets a laugh.
“Same data. One looks like an interrogation. The other looks like a game. This gap is the entire attack surface,” Sak said.
This is not just a theoretical threat. In 2020, a major investigation by the UK’s Information Commissioner’s Office (ICO) confirmed that personality-style apps on social platforms were harvesting the data of tens of millions of users, many of whom were unaware their information was being collected.
“Most people have been quietly handing over the keys to their bank account for almost a decade,” Sak noted, “and they think they’re just having fun on Facebook.”
How to Protect Yourself (And Why You Should Lie)
So how do you spot a trap? Sak says the danger lies in the type of information requested.
“Any quiz asking for a name and memory is a red flag,” he warned. “First pet, first car, first school, the street you grew up on, your mother’s maiden name, your favorite teacher. If a quiz puts four or five of these in one round, it’s not a personality test. It’s a safety quiz with stickers on it.”
A leaked password can be changed in seconds; the name of the street you grew up on cannot. Sak therefore recommends a simple but blunt fix for knowledge-based authentication: lie.
If you have already taken any of these quizzes, update the security questions on your banking, email, and brokerage accounts now. Treat the answers like a secondary password: use random, fake answers that have no connection to your life, and store them in a password manager so you can retrieve them when a site asks.
“The data is gone,” Sak concluded. “The only thing left for you to do is change your security answers everywhere and stop using questions whose answers exist on the Internet.”
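The advice above, turned into working code: the script below generates random, high-entropy replacement answers for a set of security questions and compares their strength with a guessable real answer. It is an added example, not code from TechRadar or Windscribe. The question prompts are constructed for illustration, and the example assumes (as many sites do) that answers are case-folded and stripped of punctuation before comparison, so it draws only from lowercase letters and digits, which survive that normalisation unchanged.

```python
"""
Generate random, high-entropy replacements for knowledge-based
authentication (KBA) answers and treat them as secondary passwords.

Added example; not code from TechRadar or Windscribe.
Assumptions: the question prompts below are hypothetical, and the
target site may lowercase answers and strip spaces/punctuation before
comparing them, so answers use lowercase letters and digits only.
Some sites cap answer length or forbid digits; adjust `length` and
ALPHABET to match the site's rules.
"""
import math
import secrets
import string

# Letters and digits only: unchanged by case-folding or punctuation stripping.
ALPHABET = string.ascii_lowercase + string.digits

# Constructed list of typical KBA prompts (hypothetical, for illustration).
KBA_QUESTIONS = [
    "What was the name of your first pet?",
    "What is your mother's maiden name?",
    "What street did you grow up on?",
    "What was the make of your first car?",
]


def random_answer(length: int = 20) -> str:
    """Return a cryptographically random answer of `length` characters."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string over the alphabet."""
    return length * math.log2(alphabet_size)


def normalise(answer: str) -> str:
    """Mimic a site that case-folds and drops non-alphanumerics before comparing."""
    return "".join(ch for ch in answer.lower() if ch.isalnum())


def generate_answers(questions, length: int = 20) -> dict:
    """Map each question to a fresh random answer. Store the result in a password manager."""
    return {q: random_answer(length) for q in questions}


if __name__ == "__main__":
    answers = generate_answers(KBA_QUESTIONS)
    for question, answer in answers.items():
        print(f"{question}\n  -> {answer}")
    # A real first-pet name drawn from, say, ~5,000 common pet names carries
    # only about log2(5000) bits, and it may already be public on social media.
    print(f"guessable pet name: ~{math.log2(5000):.1f} bits")
    print(f"random answer:      ~{entropy_bits(len(ALPHABET), 20):.1f} bits")
```

The point of the comparison is that a truthful answer is weak twice over: it is low-entropy (a pet name is one of a few thousand likely values) and it is often already public, so it is unrecoverable once leaked. A 20-character random answer has over 100 bits of entropy, is unique per site, and can be rotated like any other password.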