Wednesday, May 13, 2009

Social Media Security


Have you ever signed up for a service like online banking or bill paying or created an account and there was a selection of "security" questions in case you lost or forgot your password?

Have you ever filled out a questionnaire on Facebook like 44 Things About Me?

Is your family tree online somewhere like Geni.com or Genealogy.com?

The ongoing and increasing trend of sharing information online, whether through quizzes or the generalized oversharing that happens on Twitter, is leading toward a security perfect storm. The "security questions" most sites use for password resets (mother's maiden name, first school, where you met your spouse) are exactly the facts that quizzes, family-tree sites and profile pages publish. Mine a few public personae and profiles for those answers and you don't even need a password cracker to get into someone's account: the reset form hands it over. Just patience and savvy.

A perfect example of this came during the 2008 Presidential election, when Veep candidate Sarah Palin's Yahoo! email account was taken over through its password-reset questions after a resourceful search online:

The individual, known on the blog post as Rubico, said that he was able to determine that Palin met her husband Todd in high school, along with her date of birth and zip code from Internet searches on Wikipedia and Google. Altogether, the hacker said that the process took no more than 45 minutes by experimenting with different word combinations until arriving at the correct word order.


Now think carefully over the various places you've set up accounts. Do any of them have a password reset feature that lets you pick from a list of four or five security questions? Have you ever filled out an online family tree that includes your mother's maiden name? If you've answered any number of fun online questionnaires from your friends, have you already published the answers? Plus, the most common passwords are so common that lists of them circulate online, and they are the first thing any guessing tool tries. Add social media sharing to that and, if you haven't been hacked yet, maybe it's only a matter of time.
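To make the Palin-style attack concrete, here is an added example (mine, not part of the original post) that enumerates every answer an attacker can derive from a handful of public facts by varying word order, subset, separator and casing, and compares that search space with a random answer. The facts in PUBLIC_FACTS are constructed for illustration, not real account data; the function names are my own.

```python
import itertools
import math
import secrets
import string

# Constructed example facts of the kind a profile, a quiz answer or a
# family-tree site exposes. Illustrative only, not real account data.
PUBLIC_FACTS = {
    "where_met_spouse": ["Wasilla", "High", "School"],
    "mothers_maiden_name": ["Heath"],
    "birth_date": ["02", "11", "1964"],
}

SEPARATORS = ["", " ", "-", "_"]


def casings(word):
    """Spellings a guesser would try for one token (a set, so duplicates collapse)."""
    return {word, word.lower(), word.upper(), word.capitalize()}


def candidate_answers(tokens, max_words=None):
    """Every string derivable from a few public tokens by varying word
    order, subset, separator and casing: the 'experimenting with different
    word combinations' described above, made explicit."""
    max_words = max_words or len(tokens)
    out = set()
    for n in range(1, max_words + 1):
        for ordered in itertools.permutations(tokens, n):
            for cased in itertools.product(*(casings(w) for w in ordered)):
                for sep in SEPARATORS:
                    out.add(sep.join(cased))
    return out


def guessable(answer, tokens):
    """True if the answer falls inside the space a patient attacker enumerates."""
    return answer in candidate_answers(tokens)


def search_space_bits(tokens):
    """Work factor, in bits, of trying every answer built from public tokens."""
    return math.log2(len(candidate_answers(tokens)))


def random_answer(length=20):
    """A security-question answer that is really a second password: random,
    unrelated to any fact about you, and stored in a password manager."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer_bits(length=20, alphabet_size=62):
    """Work factor of a random answer of the given length over a 62-symbol alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for question, tokens in PUBLIC_FACTS.items():
        print(f"{question}: {len(candidate_answers(tokens))} candidates, "
              f"{search_space_bits(tokens):.1f} bits of work")
    print("'Wasilla High' guessable:",
          guessable("Wasilla High", PUBLIC_FACTS["where_met_spouse"]))
    print(f"random 20-char answer: {random_answer_bits():.1f} bits, e.g. {random_answer()}")
```

Three public words produce only a few thousand candidates, well under 13 bits of work, which is why 45 minutes of hand-guessing sufficed. A random 20-character answer is over 100 bits and cannot be researched at all, which is the point of treating reset questions as a second password rather than a trivia quiz.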

Phishing scams, too, are becoming more and more prevalent on social networking sites because of their growing popularity. Phishing involves sending what appear to be legitimate emails from trusted organizations such as banks, eBay or Amazon.com, requesting passwords or stating that passwords or other sensitive information needs to be "verified" or "confirmed." The link in the message leads to a look-alike page the attacker controls, so whatever you type there goes straight to them.

Compromising your security can be as easy as finding a profile on Facebook, scrolling through the list of friends, then creating a fake profile with the same name as one of those friends. A "friend request" from this fake profile that includes a message like "Hey, Facebook suspended my other account, so now I have to make a new one" will be accepted at face value by most users. Once you've friended the scammer, everything you post is visible to them and can be mined for information, including the answers to those very security questions. A request from a name that is already on your friend list deserves a phone call or a message to the account you already know, not a click.
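The impostor-friend trick above has a simple signature: a request whose display name already belongs to someone on your friend list but arrives from a different account, often with a "new account" pretext in the message. As an added example (not code from the original post or from Facebook), here is triage logic run over constructed sample requests; the friend list, requests, ids and pattern list are all made up for the demonstration.

```python
import re

# Constructed sample data, not taken from any real account.
EXISTING_FRIENDS = [
    {"id": 1001, "name": "Dana Whitfield"},
    {"id": 1002, "name": "Marcus Oyelaran"},
]

INCOMING_REQUESTS = [
    {"id": 9001, "name": "Dana Whitfield",
     "message": "Hey, Facebook suspended my other account, so now I have to make a new one"},
    {"id": 9002, "name": "Priya Natarajan",
     "message": "We met at the conference last week"},
    {"id": 1002, "name": "Marcus Oyelaran", "message": ""},  # same id: a duplicate request, not an impostor
    {"id": 9003, "name": "Someone New",
     "message": "my account was hacked, adding everyone again"},
]

# Pretexts that explain away a second account. Case-insensitive.
PRETEXT_PATTERNS = [
    r"\bsuspend",
    r"\bnew account\b",
    r"\bother account\b",
    r"\blost (my )?access\b",
    r"\bhacked\b",
]


def normalize(name):
    """Collapse spacing, punctuation and case so 'D. Whitfield' tricks don't slip by."""
    return re.sub(r"[^a-z]", "", name.lower())


def classify_request(req, friends):
    """Return (verdict, reasons).
    'impostor'  : display name matches an existing friend but the account id differs.
    'suspicious': no name collision, but the message leans on a new-account pretext.
    'ok'        : neither, or the request is from the friend's own known account."""
    reasons = []
    collisions = [f for f in friends if normalize(f["name"]) == normalize(req["name"])]
    if collisions and any(f["id"] == req["id"] for f in collisions):
        return "ok", ["already a friend; duplicate request"]
    if collisions:
        reasons.append(f"display name matches existing friend id {collisions[0]['id']}")
    if any(re.search(p, req["message"], re.IGNORECASE) for p in PRETEXT_PATTERNS):
        reasons.append("message uses a 'new account' pretext")
    if collisions:
        return "impostor", reasons
    if reasons:
        return "suspicious", reasons
    return "ok", reasons


def triage(requests, friends):
    """Map request id -> verdict for a batch of incoming requests."""
    return {r["id"]: classify_request(r, friends)[0] for r in requests}


if __name__ == "__main__":
    for r in INCOMING_REQUESTS:
        verdict, reasons = classify_request(r, EXISTING_FRIENDS)
        print(f"{r['id']} {r['name']!r}: {verdict} {reasons}")
```

The name collision is the strong signal; the pretext only raises the score, because a genuine friend who really was locked out will say much the same thing. That is why the right response to an "impostor" verdict is to contact the friend through the account you already have, not to block or accept on the spot.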

Still feel like announcing to the world your upcoming vacation plans?

And individuals aren't the only ones susceptible to getting hacked in easy ways like this. Go to a person's info page on Facebook, write down their email address, and you have one half of what's needed to log in as that person, because the email address is the username. Enough good guesses at the password, or one good guess at a security question, and any pages they administer for businesses are compromised along with the personal account.

So not only users, but businesses need to consider what kind of social media security they want in place. Admins and superusers need to take more stringent measures than average users, but every member of a business's social media team (and every employee of the business who is on social media) needs to be careful not to compromise security.

A few ground rules are helpful:

  • Different sites need different passwords. Reuse is what turns one breached site into all of your accounts. Update passwords regularly and avoid obvious choices.
  • Treat security questions as second passwords: answer them with something random that isn't true, and keep the answer where you keep your passwords, not in your head or on your profile.
  • Never follow an email link to a service you normally use and then provide a password. Go to the main site yourself and navigate to what's needed from there.
  • Never tweet, post or otherwise write about sensitive company information online.
  • And consider carefully, before posting, whether the information overlaps with something you use as a credential somewhere else.
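The "never follow an email link" rule exists because the host a link displays and the host it actually opens are easy to pull apart. As an added example (mine, not from the original post), here is the check a browser or mail filter effectively has to make, run over constructed sample links showing the usual tricks: the trusted name as a subdomain of the attacker's host, the `user@host` form, and a hyphenated look-alike. TRUSTED_HOSTS is an assumed allow-list, and the example domains are reserved documentation names, not real sites.

```python
from urllib.parse import urlparse

# Constructed allow-list: the hosts you actually log in to, typed once by hand.
# A link whose host is not exactly on this list fails, whatever it looks like.
TRUSTED_HOSTS = {"www.paypal.com", "signin.ebay.com", "www.amazon.com", "www.facebook.com"}


def host_of(url):
    """Hostname a browser would actually connect to for this link.
    urlparse discards any 'user@' prefix and lowercases the host; a trailing
    dot (fully qualified form) is stripped so it compares equal."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").rstrip(".")


def check_email_link(display_text, href, trusted=TRUSTED_HOSTS):
    """'trusted'  : the real target host is on the allow-list.
       'spoofed'  : the visible text names a trusted host but the real target
                    is somewhere else (the classic phishing lure).
       'untrusted': neither; still not a link to follow from an email."""
    target = host_of(href)
    if target in trusted:
        return "trusted"
    shown = display_text.lower()
    if any(h in shown for h in trusted):
        return "spoofed"
    return "untrusted"


# Constructed sample links of the kinds seen in phishing mail: (visible text, real href).
SAMPLE_LINKS = [
    ("https://www.paypal.com/signin", "https://www.paypal.com/signin"),
    # trusted name used as a subdomain of the attacker's host
    ("www.paypal.com/verify", "http://www.paypal.com.secure-login.example/verify"),
    # userinfo trick: everything before the '@' is ignored, the real host follows it
    ("https://www.paypal.com", "https://www.paypal.com@203.0.113.5/"),
    # look-alike: hyphen where the real host has a dot
    ("Confirm your account", "https://signin-ebay.example/confirm"),
    # fully qualified form with trailing dot is the same host
    ("https://www.facebook.com/", "https://www.facebook.com./"),
]


def triage(links=SAMPLE_LINKS):
    """Verdict for each sample link, in order."""
    return [(href, check_email_link(text, href)) for text, href in links]


if __name__ == "__main__":
    for href, verdict in triage():
        print(f"{verdict:9s} {href}")
```

Note that the check is exact-match on the full host, not "contains paypal.com": the subdomain trick defeats substring matching, and the `@` form defeats anyone who reads the link by eye. A "spoofed" result is the one worth reporting; the rule in the list above still applies to the others.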


The important thing to always remember online is that pretty much once it's out there, it's out there forever. Think before you type, think after you type and think again before you hit enter.

Now go have fun.
