
xkcd 565, “Security Question”

Seriously, I do think that some companies are probably exploiting this fantastically stupid insecurity misfeature to suck more personal details out of people. There is no way that such ill-conceived security theatre could be so popular, unless someone benefits. It is widespread on sites owned by companies that make money off of personal data. These companies have professional security teams, who should know better. People answer these questions with all sorts of obscure details about themselves.
Cui bono?
It seems rather obvious that it's a phishing-type attack, but I'm not sure how this user is expecting to gain access to the accounts he's targeting. Maybe he's trying to engage people in a discussion, convince them he's a staff member or an admin, and then trick them into leaking more account details?
It seems not obvious at all. Maybe he is doing what he said: Trying to help users to improve their account security, and ultimately to help the forum to tighten security. Maybe?
The PM he sent doesn’t make sense for gaining access to the accounts. It provided good advice. The way he benignly flushed out two DT accounts with extremely poor “secret question” answers was a work of art. I don’t vouch for him; but absent evidence of malice, there is no need for a conspiracy theory.
And no need to rehash the first three pages of discussion on this thread.

I want to see security questions disabled, an option to disable email recovery per account, and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.
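The last post asks for 2FA instead of security questions. As an added illustration (not code from this thread, from the forum, or from any poster), here is the standard TOTP scheme (RFC 6238 over RFC 4226 HOTP) that most authenticator apps implement, checked against the published RFC test vector. Unlike a "secret question" answer, the secret here is a random key the user never types or reveals, and each code is only valid for one 30-second step. The function and variable names are my own; the `window` and replay handling show two checks a server-side implementation needs that a bare code comparison would miss.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
# Used here only because its expected codes are published in the RFCs.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(key, int(unix_time) // step, digits)


def match_totp_counter(key: bytes, submitted: str, unix_time: int,
                       window: int = 1, step: int = 30,
                       digits: int = 6) -> Optional[int]:
    """Return the time-step counter that `submitted` matches, or None.

    `window` allows +/- that many steps of clock skew between the
    user's device and the server. Comparison is constant-time so a
    remote attacker cannot learn digits from timing differences.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    base = int(unix_time) // step
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


def verify_totp(key: bytes, submitted: str, unix_time: int,
                last_used_counter: Optional[int],
                window: int = 1) -> Optional[int]:
    """Accept a code only if it matches AND its counter is newer than the
    last counter this account already used. Returns the counter to store
    on success, None on failure.

    Without the replay check, a code phished or shoulder-surfed within
    the accepted window could be reused once by an attacker even though
    the legitimate login already consumed it.
    """
    counter = match_totp_counter(key, submitted, unix_time, window)
    if counter is None:
        return None
    if last_used_counter is not None and counter <= last_used_counter:
        return None
    return counter


def new_totp_secret(nbytes: int = 20) -> str:
    """Generate a fresh 160-bit random secret, base32-encoded the way
    authenticator apps expect it in an otpauth:// URI."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T=59 (counter 1), SHA1, 8 digits -> 94287082
    print(totp(RFC_TEST_KEY, 59, digits=8))
    print("new secret for an enrolment QR code:", new_totp_secret())
```

The `match_totp_counter`/`verify_totp` split is deliberate: the server must persist the returned counter per account and pass it back as `last_used_counter` on the next attempt, otherwise the replay protection does nothing.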