It’s all fun and games until someone’s password security question gets hacked.
A meme making the rounds on Facebook asks users to list 10 concerts — nine they’ve attended and a fabricated one — and invites others to identify the fake one.
But the post — “10 Concerts I’ve Been To, One is a Lie” — might also be an invitation to a midlevel threat to your online privacy and security, experts said.
The meme, which surged in popularity this week, is the kind of frivolous distraction that makes up much of social media, much like other viral memes such as the Ice Bucket Challenge.
Privacy experts cautioned that it could reveal too much about a person’s background and preferences, and that it amounts to a security question (name the first concert you attended) of the kind a banking, brokerage or similar website might ask to verify your identity.
Michael Kaiser, executive director of the National Cyber Security Alliance, said on Friday that the meme posed a moderate security risk, adding that not every website relied on a security question about a person’s first concert.
He said the greater danger is what such a list might broadly reveal through social engineering. It could telegraph information about a user’s age, musical tastes and even religious affiliation — all of which would be desirable to marketers hoping to target ads.
He said it is similar to what happens when users take quizzes on Facebook. The answers can reveal specifics about a person’s upbringing, culture or other identifying details. “You are expressing things about you, maybe in more subtle ways than you might think,” he said.
Mark Testoni, a national security and privacy expert who is chief executive of SAP National Security Services, said in an email that he recommended exercising “vigilance bordering on a little paranoia” in online posts.
“We need to understand how we interact can disclose not only specific details but patterns of behavior and often our location, among other things,” he wrote.
Alec Muffett, a software engineer and security researcher, wrote in an email that he is sympathetic to polls like the concert question. “They are cute, a little bit fun, you learn new things about your friends, and sometimes you get a surprise or two,” he wrote.
“There are certainly also polls that are geared towards collecting information which could be used to fraudulently ‘recover’ an account,” he added.
He said companies, governments and other groups rely on so-called authenticators, such as “What is your mother’s maiden name?” Such answers are not truly authenticators, but are facts.
“The usual aphorism is: ‘Your password should be secret, but ‘secrets’ make really bad passwords’ — especially when they are just discoverable or guessable facts,” Mr. Muffett wrote.
Mr. Kaiser agreed. In cases where the answer to a security question is easily obtained — what high school did you attend? — it’s best to make up an answer, even if it’s not as easy to recall.
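A concrete version of that advice, added here as an illustration and not part of the reporting or of anything the experts quoted above wrote: the script below treats a security-question answer as a guessable fact if it appears on a short public list of popular acts, or in a post like the concert meme itself, and generates a random made-up answer to store in a password manager instead. Both lists are constructed for the example; a real attacker's guessing list would be far longer, and a real generator would draw from a published word list of several thousand entries.

```python
import math
import secrets
import unicodedata

# Constructed illustration only: a short stand-in for the list of popular acts an
# attacker would try first against "What was the first concert you attended?".
# Assumption: a real guessing list would be far longer; the point is that the
# answer space is small and public, not its exact size.
POPULAR_ACTS = [
    "U2", "Madonna", "Bon Jovi", "Metallica", "Coldplay", "Beyoncé",
    "Taylor Swift", "Bruce Springsteen", "The Rolling Stones", "Green Day",
    "Pearl Jam", "Radiohead", "Nirvana", "Prince", "Elton John", "Garth Brooks",
]

# Constructed word list for made-up answers. Assumption: a real tool would use a
# published diceware-style list; 32 words here gives 5 bits of entropy per word.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ridge", "saffron", "timber", "umber", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "acorn", "bramble", "cinder", "delta", "falcon", "granite",
]


def normalize(answer):
    """Fold case, accents and punctuation so 'Beyoncé' and 'beyonce' compare equal.
    Sites do this so legitimate users can get back in; it also shrinks the guess space."""
    folded = unicodedata.normalize("NFKD", answer)
    ascii_only = "".join(c for c in folded if not unicodedata.combining(c))
    return "".join(c for c in ascii_only.lower() if c.isalnum())


def guesses_needed(answer, guess_list):
    """1-based position at which a list-driven attacker hits the answer,
    or None if the answer is not on the list at all."""
    target = normalize(answer)
    for position, candidate in enumerate(guess_list, start=1):
        if normalize(candidate) == target:
            return position
    return None


def leaked_by_post(answer, posted_items):
    """True if the 'secret' answer is literally one of the items in a public post,
    such as a shared list of concerts attended."""
    posted = {normalize(item) for item in posted_items}
    return normalize(answer) in posted


def entropy_bits(pool_size, picks):
    """Entropy of choosing `picks` items uniformly and independently from a pool."""
    return picks * math.log2(pool_size)


def make_up_answer(words=4, wordlist=WORDLIST):
    """Random, unrelated answer to record in a password manager instead of a real fact.
    Uses the secrets module, not random, so the choice is not predictable."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    # Constructed sample post: nine real concerts plus one lie, as the meme asks.
    meme_post = ["Beyoncé", "Metallica", "Radiohead", "Coldplay", "U2", "Prince",
                 "Green Day", "Pearl Jam", "Nirvana", "The Beatles"]
    real_answer = "beyonce"  # what the user actually typed into a bank's security question
    print("answer appears in the public post:", leaked_by_post(real_answer, meme_post))
    print("guesses needed from a popularity list:", guesses_needed(real_answer, POPULAR_ACTS))
    print("bits of entropy in a factual answer:", round(entropy_bits(len(POPULAR_ACTS), 1), 2))
    fake = make_up_answer()
    print("made-up answer:", fake, "with", entropy_bits(len(WORDLIST), 4), "bits")
```

The made-up answer is only an improvement if it is stored somewhere, which is why the article's advice pairs with a password manager: the whole point is that nothing about the user predicts it, so memory cannot be relied on either.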
He said his advice about online quizzes and memes was not meant to be a killjoy, though he encouraged social media users to consider the consequences of what they share.
“People always have to have their eyes wide open when they’re on the internet,” he said. “It’s the way of the world.”