- Windscribe CEO warns social media quizzes can harvest data to bypass knowledge-based authentication
- The ‘funny’ prompts often mirror bank security questions perfectly
- Experts advise users to treat security-question answers like another password: use fictitious, random ones
We’ve all seen them pop up on our feeds: “What’s your ’90s sitcom character?” or “Discover your stripper name!” But while these social media quizzes may seem like a bit of harmless fun, they actually act as a massive phishing net.
That’s the warning from Yegor Sak, the founder of one of the best VPN providers, Windscribe. According to Sak, these viral personality tests are carefully crafted to harvest the exact answers that financial institutions use to verify your identity.
By packaging standard bank security questions, such as your mother’s maiden name, your first pet or the street you grew up on, into a gamified social media post, the attackers trick users into voluntarily handing over the keys to their accounts.
The dangers of Facebook quizzes
The success of these quizzes comes down to psychology rather than advanced hacking techniques. The questions are cleverly disguised to disarm your natural skepticism.
“If a stranger walked up to you on the street and asked about your mother’s maiden name, your first pet and the street you grew up on, you would walk away,” Sak explained. “Turn the same questions into a ‘Which ’90s sitcom character are you?’ quiz, and people happily enter the answers into a database owned by someone they will never meet.”
Sak describes each completed quiz as “a credential reset form for a stranger.”
Ask someone outright for their mother's maiden name and they immediately become defensive; ask for a "silly" combination of their first pet and their childhood street and it reads as a joke.
“Same data. One feels like an interrogation. The other feels like a game. That gap is the entire attack surface,” Sak said.
This is not just a theoretical threat. Back in 2020, a major investigation by the UK’s Information Commissioner’s Office (ICO) confirmed that personality-style apps on social platforms were harvesting data from tens of thousands of users, many of whom had no idea their information was being collected.
“Most people have been quietly handing over the keys to their bank accounts for the better part of a decade,” Sak noted, “and they think they’re just having fun on Facebook.”
How to protect yourself (and why you should lie)
So how do you spot a trap? Sak says the danger lies in the type of information being requested.
“Any quiz that asks for a name plus a memory is a red flag,” he warned. “First pet, first car, first school, street you grew up on, mother’s maiden name, favorite teacher. If a quiz collects four or five of those in one round, it’s not a personality test. It’s a safety questionnaire with stickers on it.”
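Sak's heuristic can be written down as a simple scoring rule. The following is an added example, not code from the article or from Windscribe: it matches quiz prompts against the knowledge-based authentication (KBA) categories Sak names, treats any hit as a red flag and four or more categories in one round as a harvesting form. The keyword patterns, the threshold and the three sample quizzes are all constructed for the example.

```python
import re

# KBA categories from Sak's red-flag list, mapped to keyword patterns a quiz
# might use. A prompt matches a category when ALL of that category's patterns
# occur in it. The patterns are constructed for this example and deliberately
# loose: a false positive here costs nothing, a false negative costs an account.
KBA_CATEGORIES = {
    "first_pet":           [r"\bpet\b"],
    "first_car":           [r"\bfirst\b", r"\bcar\b"],
    "first_school":        [r"\bschool\b"],
    "childhood_street":    [r"\bstreet\b", r"\b(grew|grow|growing)\s+up\b|\bchildhood\b"],
    "mothers_maiden_name": [r"\bmaiden\s+name\b"],
    "favorite_teacher":    [r"\bteacher\b"],
}


def kba_categories(prompts):
    """Return the set of KBA categories the quiz prompts collectively ask for."""
    hits = set()
    for prompt in prompts:
        for category, patterns in KBA_CATEGORIES.items():
            if all(re.search(p, prompt, re.IGNORECASE) for p in patterns):
                hits.add(category)
    return hits


def assess_quiz(prompts, harvest_threshold=4):
    """Score a quiz the way Sak describes: one KBA-style question is a red flag;
    four or more in a single round is a credential-reset form with stickers on.
    Returns (verdict, sorted list of categories requested)."""
    hits = kba_categories(prompts)
    if len(hits) >= harvest_threshold:
        verdict = "harvest"
    elif hits:
        verdict = "red flag"
    else:
        verdict = "ok"
    return verdict, sorted(hits)


# Constructed sample quizzes for the example (not real posts).
SITCOM_QUIZ = [
    "Which '90s sitcom character are you? Answer these to find out:",
    "What was the name of your first pet?",
    "What street did you grow up on?",
    "What was your mother's maiden name?",
    "Who was your favourite teacher?",
    "What was the make of your first car?",
]
STRIPPER_NAME_QUIZ = [
    "Discover your stripper name!",
    "What was your first pet's name?",
    "What street did you grow up on?",
]
BENIGN_QUIZ = [
    "Coffee or tea?",
    "Pick a colour: red, blue or green",
    "Beach holiday or mountains?",
]

if __name__ == "__main__":
    for name, quiz in [("sitcom", SITCOM_QUIZ),
                       ("stripper name", STRIPPER_NAME_QUIZ),
                       ("benign", BENIGN_QUIZ)]:
        verdict, cats = assess_quiz(quiz)
        print(f"{name}: {verdict} {cats}")
```

The sitcom quiz collects five of the six categories and is scored as a harvesting form; the "stripper name" quiz (first pet plus childhood street, the two answers a classic stripper-name generator asks for) only reaches "red flag", which is still Sak's advice to walk away.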
Because a leaked password can be changed in seconds, but the name of the street you grew up on cannot, Sak recommends a simple but drastic fix for knowledge-based authentication: lying.
If you've ever taken one of these quizzes, update the security questions on your bank, email and brokerage accounts now. Treat each answer as a second password: use a random, fictitious answer, use a different one for every account, and record it in a password manager alongside the account's password, since a good answer is one nobody, including you, could guess from memory.
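What "treat the answer as a second password" looks like in practice, as an added example that is not from the article or from Windscribe: generate one independent random answer per question, restricted to characters that most KBA forms accept and a call-centre agent can read back, or to random words where the answer has to be spoken, and check that a chosen "lie" is not merely a variant of the real fact. The alphabet, the tiny inline word list and the sample questions are constructed for the example.

```python
import math
import re
import secrets
import string

# Characters most KBA forms accept and a phone agent can read back.
# Constructed choice for this example; check each site's own rules.
ALPHABET = string.ascii_lowercase + string.digits

# Tiny constructed word list so the example runs offline. For real use
# substitute a full diceware-style list (thousands of words) and pass its true
# size to entropy_bits so the strength estimate stays honest.
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon",
                "glacier", "harbor", "ivory", "juniper", "kestrel", "lantern",
                "marble", "nectar", "orchid", "pepper"]


def entropy_bits(symbols, length):
    """Bits of entropy in `length` independent uniform picks from `symbols` options."""
    return length * math.log2(symbols)


def random_answer(length=16):
    """Random alphanumeric answer; 16 base-36 characters is about 82 bits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def word_answer(words=4, wordlist=SAMPLE_WORDS):
    """Several random words: easier to say over the phone than random characters.
    Strength depends entirely on the list size (16 words x 4 = only 16 bits)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def _norm(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())


def is_independent(answer, real_facts):
    """Reject a 'lie' that is only a variant of the truth (e.g. 'Fluffy2' when
    the pet really was Fluffy): no real fact may appear inside the answer."""
    norm = _norm(answer)
    return not any(_norm(f) in norm for f in real_facts if _norm(f))


def generate_answers(questions, style="chars"):
    """One independent answer per question. Reusing an answer across accounts
    is the same mistake as reusing a password."""
    make = random_answer if style == "chars" else word_answer
    return {q: make() for q in questions}


# Constructed sample questions, the ones Sak lists as commonly harvested.
QUESTIONS = ["Mother's maiden name", "First pet's name",
             "Street you grew up on", "First car"]

if __name__ == "__main__":
    for question, answer in generate_answers(QUESTIONS).items():
        print(f"{question}: {answer}")
    print(f"{entropy_bits(len(ALPHABET), 16):.1f} bits per 16-char answer")
```

The output is meant to go straight into a password manager entry for the account, not into your head; the entropy figure is there so you can compare the two styles before deciding which one a given bank's form or phone process can actually take.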
“The data is gone,” Sak concluded. “The only thing left to do is change your security answers everywhere and stop using questions whose answers can be found on the Internet.”