Michael Kaiser, executive director of the National Cyber Security Alliance, said on Friday that the meme posed a moderate security risk, adding that not every website relied on a security question about a person’s first concert.
He said the greater danger is what such a list might broadly reveal through social engineering. It could telegraph information about a user’s age, musical tastes and even religious affiliation — all of which would be desirable to marketers hoping to target ads.
He said it is similar to users who take quizzes on Facebook. The answers can reveal specifics about a person’s upbringing, culture or other identifying details. “You are expressing things about you, maybe in more subtle ways than you might think,” he said.
Mark Testoni, a national security and privacy expert who is chief executive of SAP National Security Services, said in an email that he recommended exercising “vigilance bordering on a little paranoia” in online posts.
“We need to understand how we interact can disclose not only specific details but patterns of behavior and often our location, among other things,” he wrote.
Alec Muffett, a software engineer and security researcher, wrote in an email that he is sympathetic to polls like the concert question. “They are cute, a little bit fun, you learn new things about your friends, and sometimes you get a surprise or two,” he wrote.
“There are certainly also polls that are geared towards collecting information which could be used to fraudulently ‘recover’ an account,” he added.
He said companies, governments and other groups rely on so-called authenticators, such as “What is your mother’s maiden name?” The answers to such questions are not truly authenticators, but facts.
“The usual aphorism is: ‘Your password should be secret, but ‘secrets’…