312-50V10 · Question #910
While browsing his Facebook teed, Matt sees a picture one of his friends posted with the caption. "Learn more about your friends!", as well as a number of personal questions. Matt is suspicious and te
The correct answer is A. Matt inadvertently provided the answers to his security questions when responding to the post.. Matt fell victim to a social engineering attack where answering a Facebook trivia post disclosed the answers to his bank's knowledge-based security questions, enabling a password reset by the attacker.
Question
While browsing his Facebook teed, Matt sees a picture one of his friends posted with the caption. "Learn more about your friends!", as well as a number of personal questions. Matt is suspicious and texts his friend, who confirms that he did indeed post it. With assurance that the post is legitimate. Matt responds to the questions on the post, a few days later. Mates bank account has been accessed, and the password has been changed. What most likely happened?
Options
- AMatt inadvertently provided the answers to his security questions when responding to the post.
- BMatt's bank-account login information was brute forced.
- CMatt Inadvertently provided his password when responding to the post.
- DMatt's computer was infected with a keylogger.
How the community answered
(26 responses)- A88% (23)
- B8% (2)
- C4% (1)
Why each option
Matt fell victim to a social engineering attack where answering a Facebook trivia post disclosed the answers to his bank's knowledge-based security questions, enabling a password reset by the attacker.
Banks commonly use knowledge-based authentication (KBA) security questions - such as first pet, mother's maiden name, or childhood street - as a self-service password reset mechanism. By publicly answering similar personal questions on the Facebook post, Matt unknowingly provided those exact answers to any attacker who could view the post. The attacker then used those answers to pass the bank's identity verification step and reset his password without ever needing his login credentials.
Brute-forcing a bank account is impractical due to account lockout policies, CAPTCHA, and rate limiting, and the scenario provides no evidence of repeated failed login attempts.
The Facebook post solicited personal trivia answers, not passwords, so Matt would not have typed or revealed his actual account password.
A keylogger requires prior malware installation on the victim's device, and nothing in the scenario indicates that Matt's computer was compromised.
Concept tested: Social engineering via security question answer harvesting
Source: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html
Topics
Community Discussion
No community discussion yet for this question.