312-50V11 · Question #910
While browsing his Facebook teed, Matt sees a picture one of his friends posted with the caption. "Learn more about your friends!", as well as a number of personal questions. Matt is suspicious and te
The correct answer is A. Matt inadvertently provided the answers to his security questions when responding to the post.. Matt fell victim to a social engineering attack where answering seemingly innocent personal questions on Facebook revealed the answers to his bank's knowledge-based security questions, enabling account takeover.
Question
While browsing his Facebook teed, Matt sees a picture one of his friends posted with the caption. "Learn more about your friends!", as well as a number of personal questions. Matt is suspicious and texts his friend, who confirms that he did indeed post it. With assurance that the post is legitimate. Matt responds to the questions on the post, a few days later. Mates bank account has been accessed, and the password has been changed. What most likely happened?
Options
- AMatt inadvertently provided the answers to his security questions when responding to the post.
- BMatt's bank-account login information was brute forced.
- CMatt Inadvertently provided his password when responding to the post.
- DMatt's computer was infected with a keylogger.
How the community answered
(43 responses)- A77% (33)
- B7% (3)
- C2% (1)
- D14% (6)
Why each option
Matt fell victim to a social engineering attack where answering seemingly innocent personal questions on Facebook revealed the answers to his bank's knowledge-based security questions, enabling account takeover.
Banks commonly use knowledge-based authentication (KBA) security questions such as 'What is your mother's maiden name?' or 'What was your first pet's name?' as a fallback for account recovery. By answering the Facebook post's personal questions, Matt unknowingly disclosed the exact answers his bank would accept to reset his password. This is a classic social engineering technique designed to harvest security question answers without the victim realizing the true intent.
Brute force attacks systematically try password combinations and do not rely on the victim interacting with a social media post - no post interaction would have been needed for a brute force attack to succeed.
The post asked general personal questions, not for Matt's actual password - there was no mechanism in the described scenario for Matt to have directly entered or transmitted his login credentials.
A keylogger is malware installed on a device that records keystrokes - the scenario describes a social media post interaction with no indication of a malware infection, and the friend confirmed the post was legitimate.
Concept tested: Social engineering via security question harvesting
Source: https://csrc.nist.gov/publications/detail/sp/800-63b/final
Topics
Community Discussion
No community discussion yet for this question.