The security mechanisms used to protect online accounts are inherently flawed, according to a new paper by researchers at Cambridge and Edinburgh universities.
Joseph Bonneau, Mike Just and Greg Matthews argue in a paper entitled What's in a name? (PDF) that security questions used to verify an account can often be beaten by simple guesswork or through some personal knowledge of the account holder.
"Despite their ubiquity, personal knowledge questions have received relatively little attention from the security community until recently," the paper said.
"User studies have demonstrated the ability of friends, family and acquaintances to guess answers correctly, while other research has found that some questions used have a tiny set of possible answers.
"Many common questions have also been shown to have answers readily available in public databases or online social networks."
The researchers looked at the type of security questions asked using data from a range of online service providers, including banks and financial institutions, as well as webmail services such as Hotmail, Gmail and Yahoo Mail.
One in three asked for a person's name, and one in five asked for a place name. The researchers said that, when faced with these questions and given three guesses, an attacker can compromise roughly one in 80 accounts.
The use of names is unwise because it is possible to identify and focus on the most common names in any given location. The name Smith is popular in the Western world, for example, while Kim is very common in Korea.
"Given names are a matter of fashion and vary in several interesting dimensions. In the countries studied, female names seem to provide slightly higher resistance to guessing than male names," said the paper.
"The diversity of forenames has been increasing slowly but steadily over the past six decades in the US. Curiously, pet names are slightly harder to guess than human names."
And, yep, it'll run Android rather than RiscOS
US engineering giant's cost-cutting outsourcing plan is on the rocks, according to insiders
HP Envy X2 laptop only affordable if you've got loadsamoney
Counterfeit code-signing certificates enabling hackers to hide malware being sold by cyber criminals
Certificates can be used as part of layered obfuscation to evade detection by anti-virus software