The Stupidity of Security Questions
Posted: May 3, 2015 | Categories: Miscellaneous
Today I thought that Mother's Day was tomorrow. My wife informed me that it's not tomorrow, it's next week. Dodged a bullet there. I've been experimenting with the Echo, trying to understand what she understands and what she doesn't. Did you know you can get her to stop playing music by telling her 'Shut up b#tch'? That surprised me, but at the same time, didn't. Anyway, I asked her when Mother's Day was and she told me it was the second Sunday in May. I didn't know that, so it was nice to have that detail. I really wanted the date, so I asked her "What date is the second Sunday in May?" She didn't understand my query for some reason. As you can see, I didn't ask her what I really wanted to know, so my fault for her getting it wrong. What I really wanted to know was the date for Mother's Day; perhaps I should have asked her that.
I was looking at the Echo app a little while later and noticed that the app was showing me what she heard and asking whether she got it right. What she heard was "What is the second Sunday in Maine?" Close, but wrong. I indicated in the app that she got it wrong and once I did that, a pop-up, well, popped up asking if I wanted to provide more feedback, so I said yes and entered what I was trying to search for in the input field. When I clicked Submit (or whatever it was) apparently it sent an email to Amazon with my feedback.
Cool stuff, get me to help them tune her algorithm. It's Google Voice all over again.
What happened next is where it got…weird. A few minutes later, I get a call from an Amazon Echo support person wanting to talk with me about my issue. That's cool; not what I expected, but cool.
As I started to talk to the guy, he said he couldn't talk to me until I confirmed the answers to some security questions. What? You called me and you want ME to confirm the answers to some security questions? Nope, no way – refuse to do it.
It's a closed loop, from the Amazon Echo app to Amazon support all the way back to me. What value is there in me proving that I'm who I say I am? You called me, right? I don't have an issue when I call them and they need my security questions answered in order for me to prove I'm me. But when you call me, I really don't feel inclined to confirm to you I'm who I say I am.
You called the number you have for me in your system and I answered. I'm not trying to make any purchases or change anything on the account, you're merely calling me about some feedback I provided you on the accuracy of the Amazon Echo's text recognition algorithms. No need for security questions in this case.
Anyway, just on principle, I refused to answer the security questions and explained why (that it was simply a matter of principle and I generally refuse to do stupid things unless I have no other choice). After I hung up, I thought about something. Answering the security questions IS a security issue – what if my email from the Echo app was intercepted (I can't understand why Amazon would use email for this and not a secure HTTPS connection through the app) and the phone call was a phishing attempt to get my answers to my security questions so they can use them to impersonate me? Nope, not doing it.
What do you think? Am I crazy? Stupid?