Do you know the answers to your security questions?

I decided to be intentional about strengthening my password security and started utilizing the data available to me in my password manager that enables me to see the health of the passwords that I use. The LastPass security challenge enables me to see if my passwords are known to be compromised or weak based on strong password standards. It also shows me reused or shared passwords and finds old passwords that need to be changed. It provides a prioritized list, based on risk, of sites that I need to focus on to update passwords.

My Apple account was the last password on my list of “compromised” passwords to update.   When I logged in to reset my password, it prompted me with 3 security questions.  Apparently these are questions that I or my wife chose from a list and answered at some point since the creation of our account over 6 years ago.

  • Where were you on January 1, 2000?
  • What was your first car?
  • What was the first concert you attended?

We called Apple Support and they first took me through a reset of my password.  I get a password reset email to the account on file–CHECK.  Password reset–CHECK.  Now enter the answers to your security questions.  Did my wife provide her answers or did I?  The Apple Support guy and I go back and forth with potential answers to the questions.  We tried everything–FAIL.  We’re making no progress.  “So what’s next?”, I ask.  He asks to confirm the credit card on file using the expiration date.  Now it gets even more interesting.

My last iTunes receipt from May, 2018 found in my email shows the last four digits of the credit card used to make the purchase but it does not tell me the expiration.   The receipt appears to be using our current credit card.  I provide the expiration date–FAIL.  It doesn’t match!  “So what’s next?”, I ask again.  And he reiterates that without any additional confirmation of my identity, he will be unable to restore access to my Apple ID and my iTunes account.  WHAT?

There is much more to this story. I eventually got logged into my Apple account and happened to observe that a different credit card and expiration date were on file than the one used in my last iTunes purchase. I can’t explain the difference. I was able to eventually confirm the expiration date of the card on file, then confirmed the first 6 and last 4 digits of the card number, followed by the Support PIN (which is a one-time PIN generated after you log in with your reset password). With all of these things aligned perfectly, Apple was able to confirm my identity and reset my security questions so that I could regain full access to my Apple account.

The consequences of losing access to my Apple account would have resulted in losing access to most of my Apple content purchased over the past 6 years.  Our family doesn’t use Apple devices predominantly, but for Apple families this could be a very expensive loss.

Here are some lessons learned from my experience:

  1. Maintain your service accounts including User ID, password and email address on file.  What if my email address on file was non-existent or no longer in use?
  2. If the website or online service uses “security questions”, write down the security questions AND the exact answers to them.  Keep these answers safe along with your account password.
  3. Keep a list of credit cards stored on file with websites or online services.  I realize this is a lot of documentation but it would have helped in my situation AND it enables you to keep track if you change credit cards or have to renew information when cards expire.
  4. If using 2FA or 2-Factor Authentication:  document the kind of 2FA that you set up with each online account and any backup codes to use if you lose your 2FA method.
  5. If you use any apps like Google or Microsoft’s Authenticator apps as a second factor, make sure to configure and document “backup codes” in case you lose your phone containing your “second factor” of authentication. THIS IS HUGE!
  6. Set up alternative email addresses and cell phones as avenues for confirming your identity.  So many people use ONE device that has their email account, phone number, text service and second factor of authentication all in one device.  If your phone is lost or stolen, and you need to access your online accounts, you will need alternative ways to login and provide a second factor of authentication.
  7. Have a backup security account at another email provider.  Don’t put all of your eggs in one online service provider!
