nerdexam
EC-Council

312-50V11 · Question #910

While browsing his Facebook teed, Matt sees a picture one of his friends posted with the caption. "Learn more about your friends!", as well as a number of personal questions. Matt is suspicious and te

The correct answer is A. Matt inadvertently provided the answers to his security questions when responding to the post.. Matt fell victim to a social engineering attack where answering seemingly innocent personal questions on Facebook revealed the answers to his bank's knowledge-based security questions, enabling account takeover.

Social Engineering

Question

While browsing his Facebook teed, Matt sees a picture one of his friends posted with the caption. "Learn more about your friends!", as well as a number of personal questions. Matt is suspicious and texts his friend, who confirms that he did indeed post it. With assurance that the post is legitimate. Matt responds to the questions on the post, a few days later. Mates bank account has been accessed, and the password has been changed. What most likely happened?

Options

  • AMatt inadvertently provided the answers to his security questions when responding to the post.
  • BMatt's bank-account login information was brute forced.
  • CMatt Inadvertently provided his password when responding to the post.
  • DMatt's computer was infected with a keylogger.

How the community answered

(43 responses)
  • A
    77% (33)
  • B
    7% (3)
  • C
    2% (1)
  • D
    14% (6)

Why each option

Matt fell victim to a social engineering attack where answering seemingly innocent personal questions on Facebook revealed the answers to his bank's knowledge-based security questions, enabling account takeover.

AMatt inadvertently provided the answers to his security questions when responding to the post.Correct

Banks commonly use knowledge-based authentication (KBA) security questions such as 'What is your mother's maiden name?' or 'What was your first pet's name?' as a fallback for account recovery. By answering the Facebook post's personal questions, Matt unknowingly disclosed the exact answers his bank would accept to reset his password. This is a classic social engineering technique designed to harvest security question answers without the victim realizing the true intent.

BMatt's bank-account login information was brute forced.

Brute force attacks systematically try password combinations and do not rely on the victim interacting with a social media post - no post interaction would have been needed for a brute force attack to succeed.

CMatt Inadvertently provided his password when responding to the post.

The post asked general personal questions, not for Matt's actual password - there was no mechanism in the described scenario for Matt to have directly entered or transmitted his login credentials.

DMatt's computer was infected with a keylogger.

A keylogger is malware installed on a device that records keystrokes - the scenario describes a social media post interaction with no indication of a malware infection, and the friend confirmed the post was legitimate.

Concept tested: Social engineering via security question harvesting

Source: https://csrc.nist.gov/publications/detail/sp/800-63b/final

Topics

#social engineering#security questions#information disclosure#pretexting

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice