}

How Social Media Posts Can Lead to Identity Theft

For National Cyber Security Awareness Month, we are resharing some of our most popular cyber security blogs from the past year to ensure you are staying #CyberAware online - whether at home or in the office.

hands holding a phone above a laptop keyboard

Scrolling through Facebook the other day I saw meme "Comment below if you remember your childhood phone number." I honestly don't remember whether or not I answered, but I shouldn't have if I did.

When I teach Learning Tree's System and Network Security Introduction, I talk about the idea of "information leakage". That is where an individual or organization accidentally discloses information it shouldn't. There was recently a news photo online that showed a computer monitor with a familiar yellow note paper stuck to it. If one zoomed in on the note, there was writing that looked to some suspiciously like a computer password. I don't know whether it was or not, but if it had been, it would have been an example of information leakage.

social engineering training: deceptions & defenses

Another good example is the throwing away of company phone lists or phone books when new ones come out. Those provide a wealth of information to those who grab them from the trash. That grabbing is called "dumpster diving" and is a common tool for corporate (or government) espionage. The phone lists contain not only phone numbers, of course, but names of individuals and their positions. That would allow an attacker to claim over the phone that he was, say, "Ahmed from IT."

The Facebook meme looked harmless enough. I remember the phone number I had when I first went to school (my parents drilled it into me as well they should have). What harm could there be in sharing it with millions of Facebook users? Well, that and questions like it are often asked as so-called "security questions" for account recovery!

I wrote about some of the issues with security questions on this blog back in 2012. In that post, I recommended answering the "security questions" with nonsense answers. The example from the title of the post was to answer "What is your dog's name?" with "Chocolate cookies" - an answer better suited to "What is your favorite dessert?"...

An attacker could try to access someone's email and request a password reset. If the reset requires answering a security question or two, and the attacker can do so, the account is compromised. If the attacker can compromise an email account, a social media account like TikTok, or some other types of accounts, the impact can be disastrous. He or she can then request a bank "password reset" email be sent to the compromised account, for example.

While such an attacker may not be targeting you or me specifically with the meme, the collection of answers may have value on the dark web. Being able to match names to old phone numbers may have value to the attacker community at large.

So, what should we do to defend ourselves? There are two general answers: first, don't provide that kind of information any social media platform like Instagram. Don't give out your mother's maiden name, the city where you were born, your favorite teacher's name, your dog's name, or anything else a bad guy could use to impersonate you.

Second, use "two-factor authentication" when you can. In my post We Are Still Picking Bad Passwords, I said,

passwords need to die a fast death, at least as we know them today. They can be discovered by watching someone enter them (shoulder surfing), sniffing, hacking servers and multiple other ways. They were fine when used in a "good fences make good neighbors" environment, but standalone single passwords are no longer appropriate for most uses. Multi-step authentication such as google authenticator provides a mechanism to add a second value for the password. The app generates numbers to be provided in the login process. The numbers change every 30 seconds. This means that a hacker needs not only a username and password but also access to the victim's app. Thus, disclosing the password would not be as dangerous. However, it doesn't remove the need for choosing good passwords.

The idea is to make it difficult on the attacker. As one who has been a victim of identity theft, I don't want anyone to have to go through the same thing!

Related Training:
Cyber Security Training

AUTHOR: John McDermott