It’s Probably One of Your Security Questions
Alongside the model of your first car and your mother’s maiden name, your birthday is perhaps the most common security question asked on most websites.
Security questions are notoriously awful. They’re likely the cause of most social media “hacks” online, including the 2014 iCloud breach that affected many celebrities. The fault is in password recovery systems; they’re designed for you to be able to reset your password easily, but they often make it easy for hackers to do the same. Brute-forcing your password on a website isn’t really a thing anymore, and most “hacks” you may experience either rely on you being caught in massive data breaches or having terrible security questions.
Like your birthday. It’s a wonder that it’s even still an option for the already insecure “security question protection,” since it’s much easier for a hacker to find out your birthday than “the street you grew up on.” Since it’s also one of the simplest and easy to remember questions, it’s probably picked very often. That’s an issue because many people leave it publicly posted on their profile, or at least leave up a list of “Happy Birthday!” posts every year. In fact, people give away a lot of answers to security questions in the form of “quizzes” shared around Facebook. Another day, another hilarious attack vector.
Even if your birthday isn’t the answer to an actual security question on your account, it’s still information that a person can use when they try to obtain access to your account through other means—like calling your service provider and pretending to be you.
It Functions as Your Password Sometimes
When I upgraded to a new phone at a Verizon store, they asked me for two things: my phone number and my birthday. Nothing else. They then proceeded to switch my entire phone line over to a new device. That’s a problem because those two easily-accessible numbers present an obvious attack vector against two-factor authentication.
Two-factor authentication (often called 2FA) is when a service sends a code to your phone (or asks for a code generated by an app), and you must enter that code in addition to your password. It’s a great way to enhance security. It’s also used often for account recovery, as nobody should have access to a device in your pocket except you. But if someone can virtually steal your phone number just by knowing your birthday, it compromises any service that relies on it.
And it’s not just your phone that could be vulnerable, this problem of “birthday-as-password” is prevalent in a lot of places. How many times have you been asked your birthday to verify something? It makes sense, as everyone has a birthday, so it’s easy for people to remember. It’s also fairly secure, as the number of days in a 30-year timespan is already more than the 10,000 possible four-digit PIN combos. But people don’t pin their PIN to the top of their Facebook profiles.
RELATED: What To Do If You Lose Your Two-Factor Phone
It Helps People Guess Your Social Security Number
— Justin Pot (@jhpot) December 15, 2016
Heck, if you were born in the USA and have a social security number, people can use your birthday and place of birth to guess your social security number. Social security numbers were linked to birth location up until 2011 when randomization began, so everyone born before then has a more predictable social security number.
Your birthday isn’t the only dangerous thing to share; identity thieves can also make good use of details like your birthplace and mother’s maiden name. And it’s tough to avoid sharing these details online.