When it comes to account security questions, honesty may not be the best policy
An article review
The hacker who took down San Francisco’s MUNI system with ransomware earlier this month was himself taken down by someone who simply guessed the answer to the account security question for the email address given in the ransom note. That’s the story reported by TechCrunch and submitted to us by Joe Cychosz, and it gets better from there.
After locking down the email addresses used by the hacker, the anonymous Krebs on Security researcher responsible for the counter-hack also uncovered the Bitcoin wallets the hacker used to collect the ransom from previous attacks, which apparently netted over $140,000 worth of the cryptocurrency.
While it is always nice to see a hacker receive justice, the article points out a few other things you can take away from this story: the importance of making frequent backups stored offline, and how important a good account security question can be.
According to the Krebs on Security source quoted in the piece, if a service provider presents you with weak questions (such as your mother’s maiden name or the town she grew up in), you should provide an unrelated answer so that it is much harder for an attacker to guess.
Original article by Taylor Hatmaker, writing for TechCrunch.