Many websites and apps ask security questions when you register for the first time. They then use the answers you provide to verify your identity whenever you request a password reset. But cyberattackers often find ways around security questions.

How do they uncover your secret answers and get into your account? How do they bypass these questions to hack your profiles?

1. Social Media Scams


One negative aspect of social media is that it's hard to tell who's real. Cybercriminals commonly exploit this to deceive victims into revealing their answers to security questions.

A common approach is for the attacker to turn up as a friend or follower of the victim on platforms like Facebook, LinkedIn, Instagram, or Twitter. Using psychological manipulation, they gradually win the victim's trust. This is social engineering taken a step further.

Once the attacker has befriended their target on social media, they strike up conversations and volunteer fake details about themselves first, so as to appear trustworthy. Much like a dating app scam, they steer the conversation toward the victim's interests and likes.

Sometimes the attacker pretends to share the same interests, hobbies, and likes as the victim, who may unknowingly share secret information in return. That information is likely to include answers to security questions, ranging from those used to access workplace resources to those protecting online shopping and other sensitive transactions.

2. Phishing


Phishing and social engineering go hand in hand. Phishing happens when the attacker adopts a false persona. For instance, an attacker might tell you in a call, SMS, or email that they represent the company that holds one of your profiles.

They might ask you to answer some questions within a particular timeframe to "strengthen your security." Or they might send you a link to an online form, usually a fake replica of the website you have a profile with. There are even cases where attackers ask their victims to fill out Google Forms or another online questionnaire under the pretense of conducting research.

Attackers often use this technique against less security-savvy individuals. Once they have the required information, it becomes easy to bypass the security questions and gain unrestricted control of the target's account.

3. Information From Your Online Profiles


While security questions are supposed to be private and known only to you, you've probably left clues to their answers all over the internet. An attacker can easily work out the answers to your security questions if you routinely post sensitive details about yourself on your social media profiles.

This technique usually involves the attacker researching your details online. They look you up on search engines like Google and check your social media handles, including LinkedIn, Facebook, Twitter, Instagram, and more, for as many hints as they can gather.

That time you answered a joke question on Facebook pairing your mother's maiden name with the name of your first pet? That's really useful to cybercriminals.

At this point, the attacker goes back to the security questions to answer them based on information they gather from your public profiles.

4. Brute-Forcing


Although hackers typically use brute-force attacks to crack passwords, there's little to stop them from doing the same with security questions. Manual brute-forcing takes time and patience, but modern brute-forcing tools automate the process.

Moreover, when cracking security questions, an attacker only needs to work through combinations of words rather than the character-by-character manipulation that passwords require. This makes security questions less arduous to crack, since combining ordinary words produces meaningful guesses easily.

Besides, once the attacker knows which questions a website asks, all they need to do is brute-force the plausible answers for a particular victim. You might think this is harder for the attacker if the website lets users write their own questions. Unfortunately, that's far from the truth: user-generated questions are often less secure, so their answers are likely easier to guess.
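Whether such guessing succeeds depends largely on what the service does on its side. The Python below is an added example, not code from the original article or from any particular service: it shows the server-side measures that make word-combination guessing impractical. Answers are normalised and stored only as salted PBKDF2 hashes, compared in constant time, and a small number of wrong guesses locks the question for a while. The class and function names, the five-attempt limit and the 15-minute lockout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
import unicodedata

# Hypothetical policy for this example (not from the article): five wrong
# guesses lock the question for 15 minutes, and answers are stored only as
# salted PBKDF2 hashes, never as plaintext.
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 200_000


def normalize(answer):
    """Fold case, Unicode form and surrounding whitespace.

    'Fluffy ' and 'fluffy' then compare equal. Case and stray spaces carry no
    secrecy, so folding them spares legitimate users a lockout without making
    a guesser's job easier.
    """
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def hash_answer(answer, salt=None):
    """Return (salt, digest) for storage; a fresh random salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


class AnswerVerifier:
    """Checks guesses against one stored answer and enforces the lockout."""

    def __init__(self, salt, digest, clock=time.monotonic):
        self.salt = salt
        self.digest = digest
        self.clock = clock  # injectable so tests can advance time
        self.failures = 0
        self.locked_until = 0.0

    def is_locked(self):
        return self.clock() < self.locked_until

    def verify(self, attempt):
        """Return 'ok', 'wrong' or 'locked'. Locked attempts are not even hashed."""
        if self.is_locked():
            return "locked"
        _, candidate = hash_answer(attempt, self.salt)
        # Constant-time comparison is standard practice for any secret
        # comparison; it avoids leaking how much of the digest matched.
        if hmac.compare_digest(candidate, self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked_until = self.clock() + LOCKOUT_SECONDS
            self.failures = 0
        return "wrong"


if __name__ == "__main__":
    # Constructed demo: five pet-name guesses, then the right answer arrives
    # too late because the question is already locked.
    stored_salt, stored_digest = hash_answer("Fluffy")
    verifier = AnswerVerifier(stored_salt, stored_digest)
    for guess in ["rex", "max", "bella", "buddy", "charlie", "fluffy"]:
        print(guess, "->", verifier.verify(guess))
```

The point of the design is that the guessing cost is no longer the attacker's to choose: the lockout caps attempts per window, and the slow hash makes an offline attack against a leaked answer table expensive as well. Logging the lockout events also gives a detection signal, since legitimate users rarely burn through five attempts.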

How to Stay Safe

So you've seen how cyberattackers can bypass your security questions and access your account. But how can you stay safe online? Here are a few points that can help.

1. Use Two-Factor Authentication

Attackers can sometimes bypass two-factor authentication, but it's usually far harder to defeat than security questions. Combining it with security questions strengthens your account further: the merged protections leave an attacker with trickier puzzles to solve, and in such cases they tend to give up before long.

You're in luck if your service provider supports both methods. If not, there are many third-party two-factor authentication providers out there.

2. Avoid Using Generic Questions and Answers

Many security questions are easy to guess because victims often provide generic answers. It becomes worse when a website or an app allows users to generate their own security questions.

Answers to questions about your hobby, favorite color, pet, movie, music, or food are comparatively easy to guess, so you might want to avoid them. For more specific questions, such as your mother's maiden name, you can also provide more unique answers. These don't even need to be the true answers; they can be something you merely associate with the question.

If you're likely to forget the unique answer you gave for a particular question, record it in an encrypted notes app so you can look it up whenever you need to.
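One way for a service (or a password-manager-style helper) to enforce the advice above is to reject weak answers at the moment they are set. The Python below is an added example, not code from the original article; its list of common answers is constructed for illustration, and the length and distinct-character thresholds are assumed policy values rather than anything the article specifies.

```python
import re

# Constructed, illustrative list of answers that guessers try first. A real
# deployment would build this from known leaked answer sets; this one is
# made up for the example.
COMMON_ANSWERS = {
    "blue", "red", "green", "black", "pizza", "pasta", "dog", "cat", "max",
    "bella", "buddy", "football", "soccer", "reading", "music", "titanic",
    "star wars", "smith", "jones", "none", "password", "123456", "idk", "n/a",
}

MIN_LENGTH = 8          # hypothetical policy value
MIN_DISTINCT_CHARS = 4  # hypothetical policy value


def question_words(question):
    """Significant words of the question; an answer that merely echoes them is worthless."""
    return {w for w in re.findall(r"[a-z]+", question.casefold()) if len(w) > 3}


def check_answer(question, answer):
    """Return the list of policy violations; an empty list means the answer is acceptable.

    Normalisation mirrors what a verifier would do at check time (case-fold and
    collapse whitespace), so the policy judges the form that is actually stored.
    """
    norm = " ".join(answer.casefold().split())
    problems = []
    if len(norm) < MIN_LENGTH:
        problems.append("too short")
    if norm in COMMON_ANSWERS:
        problems.append("generic answer")
    if norm.isdigit():
        problems.append("all digits")
    if set(norm.split()) & question_words(question):
        problems.append("repeats the question")
    if len(set(norm.replace(" ", ""))) < MIN_DISTINCT_CHARS:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed samples: three weak answers and one unrelated phrase that
    # passes because it is long, uncommon and unconnected to the question.
    samples = [
        ("What is your favorite color?", "Blue"),
        ("What was the name of your first pet?", "1234"),
        ("What was your first car?", "first car"),
        ("What was the name of your first pet?", "lemon curd thursday"),
    ]
    for question, answer in samples:
        print(f"{answer!r}: {check_answer(question, answer) or 'acceptable'}")
```

The last sample illustrates the article's advice directly: an answer that has nothing to do with the question cannot be recovered from your profiles, so it passes every check, while "Blue" fails both for being generic and for being short.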

3. Remove Sensitive Information From Your Profiles

Personal information on your social media and other online profiles can give clues to your security answers. It's often best to remove such telling details from your profiles to reduce the risk of a security-question breach. Ultimately, what good comes from answering the joke chain posts on Facebook, Twitter, and the like?

Protect Your Information Online

Like two-factor authentication, security questions add another layer of protection to your online profiles. Some services require security questions before they send a password reset link; others ask them after you've reset your password. All of this aims to secure your accounts further.

Whatever the case, second-layer shields like security questions are what hackers often run into when trying to access your account. And how you use the internet determines how much protection those questions really give.