0

Is there a strategy for answering security questions via telephone modestly securely while in an insecure environment? For example: I am at a coffee shop and am locked out of my account, I call the helpdesk to unlock and they ask for my userID, DOB, and last4 of social. I would like to protect all of that information so that no one listening could catch it.

For instance, I imagine a system where the technician asks, "Is the month Jan?" and I say no, then asks, "Is it Feb?" and I say no, then "Is it Mar?" and I say yes... and so forth until we confirm all the secrets. This is really the only method I can think of, short of a situation where the technician plays a game of "is this your card". There are drawbacks to both of these methods, and so I'm wondering if there are better ones?

Also is this threat even real and/or is it worth securing against?

Matthew Peters
  • While it may be inconvenient I would be inclined to wait until somewhere less public... – R15 Oct 08 '16 at 16:01

3 Answers

2

You could standardize on all secret questions being number based. Then, when the questions are asked, they could include a bit on the end to add or subtract some.

So for instance, the questions would be:

What is the last four of your social security number plus 11? What is the street number of the house you grew up in, minus 2? What is your birth year plus 13?

Anyone hearing the answers would hear only the numbers, without knowing the actual questions. Each time the questions are asked, the numbers on the end could be randomized by the caller, so they would be different every time. (For instance, the next time, the questions would be, "What is the last four of your social security number minus 7?, etc.")
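The offset scheme in this answer, written out as an added example (my code, not the answerer's) of both sides of the exchange: the helpdesk draws fresh offsets, the caller speaks only the shifted numbers, and the helpdesk recomputes and checks them. The user record, field names and values are constructed for the example. It goes one step beyond the answer in one respect: offsets are drawn from the whole value space of each secret and applied modulo that space, because with a small offset such as "plus 11" or "minus 7", someone who hears the answer "4332" still knows the true digits lie within a few units of it; `narrowed_range` shows that residual leak.

```python
import secrets
import hmac

# Constructed sample record for one user (hypothetical values, not from the post).
# Each secret is an integer plus the size of its value space (the modulus).
USER_RECORD = {
    "ssn_last4": (4321, 10_000),      # last four digits of SSN: 0000-9999
    "birth_year": (1984, 10_000),     # four-digit year
    "house_number": (217, 100_000),   # street number of childhood home
}


def new_challenge(record):
    """Helpdesk side: one fresh, uniformly random offset per secret.

    Drawing the offset from the full value space (0..m-1) and reducing the answer
    mod m makes the spoken answer uniformly distributed, so an eavesdropper who
    hears only the caller's side learns nothing about the secret. Offsets must be
    generated per call and never reused.
    """
    return {name: secrets.randbelow(m) for name, (_, m) in record.items()}


def caller_answer(secret_value, offset, modulus):
    """Caller side: the number said aloud for 'your X plus <offset>'."""
    return (secret_value + offset) % modulus


def verify(record, challenge, spoken_answers):
    """Helpdesk side: recompute every expected answer and compare all of them.

    All fields are checked and the results combined before returning, so the
    caller learns only pass/fail, not which field was wrong. Values are compared
    as fixed-width strings with compare_digest; a missing or non-integer answer
    becomes an empty string, which never matches.
    """
    ok = True
    for name, (value, modulus) in record.items():
        expected = f"{(value + challenge[name]) % modulus:06d}"
        given = spoken_answers.get(name)
        given_str = f"{given:06d}" if isinstance(given, int) else ""
        ok &= hmac.compare_digest(expected, given_str)
    return ok


def narrowed_range(heard_answer, max_abs_offset):
    """What an eavesdropper can infer when offsets are small (as in the post).

    If the technician only ever adds or subtracts at most max_abs_offset, hearing
    the answer pins the secret to [heard - max, heard + max].
    """
    return heard_answer - max_abs_offset, heard_answer + max_abs_offset


def simulate_call(record=USER_RECORD):
    """One full round trip; returns (what the eavesdropper hears, verification result)."""
    challenge = new_challenge(record)
    heard = {name: caller_answer(value, challenge[name], m)
             for name, (value, m) in record.items()}
    return heard, verify(record, challenge, heard)


if __name__ == "__main__":
    heard, ok = simulate_call()
    print("eavesdropper hears:", heard, "-> verified:", ok)
    print("with offsets limited to +/-13, '4332' narrows the SSN digits to",
          narrowed_range(4332, 13))
```

Two practical points follow from the code: the offsets have to come from the helpdesk side (the caller cannot be the one choosing them, or the scheme proves nothing), and the modulus for each field must be the real size of that field's value space, otherwise the "uniform answer" argument does not hold.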

1

Totally a real threat.

Use a headset and cup your hand around the mike and your mouth, turn away from people - speak quietly. That is plenty good enough unless there is someone right next to you or someone with a sniper mike!

The background noise of a public place makes it really hard to listen to something quietly spoken and nigh-on impossible to record without serious pro kit.

A decent headset will have noise cancelling and coupled with the ear pieces both you and the other person will easily hear each other even when you speak quietly. By decent, I mean something like a Plantronics binaural headset with noise cancelling. Something you might want anyway if you spend a lot of time working in noisy places.

As mentioned by others, using a 2FA solution is better still with your mobile as something you have.

Julian Knight
0

I know this probably doesn't directly answer your question, but I think this is one of the reasons that Out of Band verification is becoming popular. Security Questions are a bit insecure since they can be social engineered.

More to your point, text input could definitely help. Most phones support touch tone, and I'd imagine if you're investigating a solution for a company this could be one solution. Instead of saying March 1st, you could enter 03#01#. Same for an SSN. You may also investigate having a chat application for sensitive input, but then I guess it defeats the purpose of a call.

I think it is something worth securing against. Though if you're in a coffee shop, on what is likely unsecured WiFi, you have other issues to be concerned with as well.

niquat
  • Right. In my particular case, the touchtone wasn't possible... Also interestingly enough it was the use of my VPN that triggered the lockout (i.e. my IP changed from the usual one). – Matthew Peters Oct 07 '16 at 21:56