Yesterday (29th October 2016), there was an ODI cricket match between India and New Zealand in which we saw the Indian cricketers sporting new tea shirts carrying the names of their mothers on their back. So Dhoni wore a jersy which read “Devaki” and Kohli wore a jersy showing “Saroj”. Other players also wore jersies showing their respective names of their mothers except one in which there was a “printing error” as we understand.
Women rights activists might have hailed the initiative of Star TV as a new found empowerment of women and importance given to the mothers. Apparently it was so. But for those who are aware of “Cyber Risks”, the first thing that struck was that what we were seeing was “mother’s maiden name” which is a typical parameter used for recovery of forgotten passwords in many of the websites. The dates of birth of all these cricketers are already known and that forms another critical parameter of recovery of forgotten passwords.
With two of the forgotten password recovery keys now being available to the millions of viewers, the social media accounts and may be some e-mail and bank accounts of our favourite crickets might have been placed at a risk of compromise.
So far security architects thought that there was some confidentiality in “Mother’s Maiden Name” and used it as a security parameter. This has been destroyed by the Star TV campaign perhaps without realizing the damage they have done to the system.
Now all companies who are using the “Mother’s Maiden Name” as a security parameter should drop it and use some thing else such as “What is your Pet’s Name”?, “What is your Favourite Actor?” etc. This is therefore a Y2K moment for all such companies to spend money to erase the “Mother’s Maiden Name” from the list of security questions.
I am not sure how much cost is there to the community in such a massive exercise ..all caused by some hair brained marketing person and/or the Advertising agency who/which thought of this campaign.
If there is any specific incident following this where a financial loss occurs to any of these cricketers, they should hold Star TV responsible for the loss and claim damages. At the same time, “Due Diligence” and “Reasonable” security practices would require recognition of this cyber risk by the security community and a change of processes wherever it is required to eliminate this “Known Risk”.