Bell Canada indicated that names, email addresses and, in some cases, phone number, user name and account number were accessed. Police are currently investigating this new breach, which follows after a 2017 breach of 1.9 million customer email addresses and 1,700 names and phone numbers.
Bell Canada didn’t indicate when the breach occurred or if it was connected to a prior incident.
Why Security Questions Aren’t Very Secure
While stolen email addresses may be less damaging than a stolen credit card number, email addresses do introduce risk because they offer an entry into other accounts of the email owner. In addition, social engineering scams like phishing often start with an email that dupes the recipient into clicking on a malicious link.
If the bad guy knows your email address, that’s one step piece of account-access puzzle. Another piece required to access your account might be a security question.
Here’s why relying on security questions to protect your account is not a good idea: the bad guy can likely find the answers by searching online or viewing social media. Your mother’s maiden name or the name of your high school are not particularly secret. (You may even be freely sharing these answers with a chatty person next to you on a flight.) If you have to answer security questions upon account setup, consider establishing a series of fake answers that only you know. A more secure option is to use multi-factor authentication as much as possible. Many online services offer this authentication option.
For organizations, having to fall back on outdated advice to customers about changing passwords or selecting new security questions is a reactive approach. If breaches are a matter of ‘when’, not ‘if’, organizations should strengthen their methods for online authentication. There are more secure options to manage access, such as multi-factor authentication, dynamic knowledge-based authentication, and behavioral biometric characteristics. Even an option for the user to create his own security questions (with answers that are more private) is a better solution.