Can websearch reveal your security answers?

Some of us want to know where our family came from, right down to village, county, and country. Some want to know if they had a family coat of arms in the “old country.” Some want to know if they are long-lost royals. And some couldn’t give a hoot.

But if you are a banker in the age of the internet, you should not only care about what can be found about your customers, but yourself, because of the potential impact that easily researched data could have on the security of your clients—and yourself and your bank.

Recently, FamilyTreeNow.com gained attention when an Alabama woman tweeted about the risks it poses to peoples’ privacy. FamilyTreeNow claims to be a site dedicated to free genealogical research. Users can enter their first name, last name, and state and retrieve information pertaining to relatives and possible associates. The site also displays information including birth year, age, and former and current addresses.

The amount of information conveniently gathered in one location frightened many people, and concerned consumers flooded the site to opt out and remove their records from the database. After 48 hours, the records of most people who chose to opt out disappeared from FamilyTreeNow. Can these consumers rest easy knowing their information is safe?

Paranoia time

No, not really. Despite its benevolent appearance, the internet is no innocent creature.

Short of completely withdrawing from society, there is no way for the average American consumer to completely protect their personal information without paying for a service, which can cost well over $100 per year, to continuously scrub the web of their name.

So how does all of your personal information end up on public websites, then? Where does it all come from?

The grocery store down the street. The big-box retailer in the middle of town. The department store in the mall. All of these places gather your information, such as contact points or your shopping habits, in a process called “data mining” and sell it to companies called “data brokers.” Data brokers also buy information from government entities or collect it from publicly available records, such as phone directories, and “scrape” data from social media profiles.

Data brokers then sell this data to other companies, such as health insurance providers, retailers, and organizations such as WhitePages.com and FamilyTreeNow.

Retailers typically use the information to advertise specific products to customers who are most likely to be interested in the product. Health insurance companies use it to flag health problems and unhealthy decisions, such as people who purchase large amounts of fast food or buy cigarettes. WhitePages and FamilyTreeNow buy contact and personal information and promote themselves as “people search” websites to employers performing background checks or family searching for contact information for a wedding invitation. Some of these companies also generate income from the advertisements placed on their websites.

“People search” websites seem to especially concern consumers. There, they can clearly see what types of personal information the internet has gathered about them, and people with nefarious purposes may use that information for their own gains.

What’s out there isn’t always right or relevant, but it can be upsetting for some to see how much of what’s out there is.

What does the web know about me?

In order to test the internet’s “knowledge,” a volunteer from our firm conducted a small experiment to see how much of their own information could be found on such public sites.

A quick Google search for “free genealogical research websites” revealed many options for people who wished to quickly and cheaply search for long-lost relatives or discover their royal roots. “50 Free Genealogy Sites to Search Today” popped up as the fourth option from the top. Sites like FamilySearch, WikiTree, RootsWeb, and Crestleaf came up. Many were more comprehensive than FamilyTreeNow.

Our volunteer first visited FamilyTreeNow and entered their name and state. The site brought up two records, one of which matched their age and birth year. They clicked on it and found references to their maiden name, possible relatives and associates, and past and current addresses. Although the site correctly matched the name of their spouse, parents, sister, and two grandparents, it did not directly name the relationships between the individuals noted. A clever person could probably guess, but they would have to sort through a number of names that our volunteer did not recognize.

On FamilyTreeNow, they entered the name of their great-grandfathers. No records. Great-grandmothers. No records. A genealogical researcher would find this website next to useless. However, a criminal looking for information to guess a password or commit identity theft might find it helpful, but a clever criminal would use other sources along with it…

Next, our genealogical guinea pig experimented with FamilySearch. This website searches U.S. Census records, death records, marriage records, obituaries, and other databases for matches to the criteria the user adds, such as name and event dates. Researchers can even search for a person based on a relationship with another person.

The “72-Year-Rule” dictates that census records can only be released after 72 years, to protect the sensitive information of U.S. citizens. So, for example, the 1930 census records were released in 2002, and the 1950 records will not be released until 2022. The volunteer was not alive for any of the publicly available censuses, so their own name did not retrieve any direct record.

They decided to try typing in their father’s name. Again, no direct records, but they found his name mentioned in a record called “United States, GenealogyBank, Obituaries, 1980-2014” in an obituary for their deceased grandfather. This record contained their grandfather’s birth and death dates; the city and state where he was born and died, and the newspaper where the obituary ran. Below that in a “Spouse and Children” section, the names, relationships, and gender of their grandfather’s relatives including his wife (her maiden name included) and three of his seven children (our test subject’s father among them).

The site also included “Parents and Siblings,” which was not complete, but included most of the correct relatives, and “Extended Family” which included their grandfather’s cousins and in-laws. The “Others on Record” section showed the names of the remaining four children, as well as their spouses, but the relationship to the record’s subject showed as “Unknown.”

For ID thieves, an open-book test?

Now, why should this keep you up at night? Consider some of the most popular security questions used on many websites—perhaps your own bank’s or those of vendors your bank uses:

• In what city were you born?

• On what street did you grow up?

• What high school did you attend?

• What is your high school’s mascot?

• What is your mother’s maiden name?

• What is your father’s middle name?

To her horror, our volunteer admitted that they could have answered 100% of these questions using the addresses found on FamilyTreeNow, the relative relationship information found on FamilySearch, additional Google searches for the name of the high school in their father’s hometown, and some logical conclusions based on the data. (And we’re not even getting into what people post about themselves on social media sites.)

All it required was a name and 30 minutes.

Rethinking security in light of easy research

You can’t opt out of such disclosure because genealogical research websites gather information from public records such as U.S. Census data, marriage records, death records, digitally archived newspapers, obituaries, and a number of other sources which are readily available to anyone with web access. Your current and former addresses are available on dozens of sites such as WhitePages and Addresses.com.

Your information is out there, you cannot protect it, and it’s not going away. If someone picks you as a target for identity theft and they need to know your previous addresses to access your credit report or hack your email account, they can.

So, what can you do?

1. If any of your security questions for any of your online accounts match the bulleted items above, change them, if you can.

Failing that, change the answers—security questions are not an honesty test. As demonstrated, the real answers to such questions are far easier to crack than most realize.

2. Know what information is out there.

Social media reveals intimate details about your life that can help a criminal hack your accounts or steal your identity.

If you have posted a “Throwback Thursday” status or photograph about your first pet, Baxter the dog, you should not choose “What was your first pet?” as a security question for your online banking account.

3. Consider creating a unique personal identity only known to you.

Criminals need more than relatives, former addresses, birth dates, and the name of your first pet to steal your identity, but this information can provide very important pieces of the puzzle that a thief will need to complete.

Banks should be rethinking their security procedures in light of what anyone can learn in a websearch, and should advise customers accordingly, as well.

When it comes to identity, don’t assume that the Internet does not know you or your customers, because it does!