Over the past few days a viral "survey" type post has been circulating around Facebook in which people share the names of 10 concerts - 9 that they have attended and one that they did not - and their Facebook friends attempt to guess which is the one that they never attended. Eventually, in the comments, the original poster reveals which concert is "the lie."
These posts sound like innocuous fun - but they are not.
In fact, some such posts - including the recent one about concerts - may be started or circulated by criminals.
Despite recommendations from information security experts, many businesses - including various financial institutions - use challenge questions to authenticate people. We have all been asked: "What is your mother's maiden name?," "What color was your first car," and/or "What was the name of the first school you attended?" Of course, these types of questions are not ideal for authentication because the answers can often be found in seconds by performing an online search, and, even when that is not the case, the answers are, technically speaking, nothing more than extremely weak passwords for which big hints are given when asking for them. How many times would a criminal be correct if he guessed the maiden name "Smith," the color "Red," or the school "Thomas Jefferson?"
It turns out that some businesses also use a question (perhaps automatically generated in some security package that they utilize) to the tune of "What was the first concert that you attended?" Obviously, providing a list to the world of 9 concerts that one has attended can, in many cases, greatly help criminals trying to answer that question.
But, the problem is even larger.
From the concert list, the answer to the questions "What is your favorite band" and "What is your favorite type of music?" might also be obvious, as may the answers to many other questions. In fact, from a list of concerts that you attended, it is possible to extrapolate all sorts of other information that can also be used to either social engineer you, or trick others into believing that someone else is you. Did you list "Simon and Garfunkel's Concert in Central Park?" - anyone reading that list knows you were of age to attend a concert in 1981. Concerts by Selena Gomez and Justin Bieber? We can guess your approximate age as well. A list of nine concerts that you attended and one that you did not (after you clarify which it is in the comments back to your friends), can give strong clues about not only your age, but also where you have lived, your taste in music, your political leanings, your religion, and your socioeconomic background. Do you really want the whole world - including criminals - to have this information?
Remember, because so many breached passwords are reused between sites, and because so many sites have password compromises, sometimes challenge answers are all that stand between a criminal and access to someone's money.
Here is the bottom line: It is best not to participate in viral surveys on social media. If you feel you must, be sure to set the privacy permissions to "Friends Only" or stricter (including for viewability of comments).
(Full disclosure:SecureMySocial, of which I am the CEO, offers technology that warns people if they are oversharing information on social media, and can issue warnings about the 9 concerts post and other viral surveys.)