by Eliot Leibowitz
There have been a lot of reports in the media about protection and privacy concerns with social media. How much do you pay to use social media? In most cases, you don’t, at least not with money. Always keep this in mind for all things on the internet: if it’s free, YOU are the product! The companies that provide these services are “for profit” businesses. They can’t stay profitable by giving their services away, so it is your information that they are selling, mostly to advertisers, to make a profit.
Facebook has received most of the coverage, but Instagram (now owned by Facebook), Snapchat, Twitter, Tumblr, and even LinkedIn, have their challenges as well. Facebook’s exposure of 87 million users’ data to Cambridge Analytica last year was a wake-up call to the risks imposed by social media. These breaches are usually about privacy, not security.
Privacy and security are different but closely linked. Privacy is the protection of information about you. Security is the sum of three factors, known as the CIA triad: confidentiality, integrity, and availability. Confidentiality protects privacy. It is what prevents others from seeing whatever data you are protecting. Integrity refers to the accuracy of data. If someone manages to change the amount or destination of a funds transfer, that is a failure of integrity. Availability is the ability to access data you are authorized to access. Ransomware attacks that encrypt your data so that you cannot access it deny availability.
Social media have challenges with both privacy and security. As I already mentioned, the privacy concerns are well publicized. The security concerns, however, you rarely hear about, so let’s start there.
Just as phishing is a security threat in email, it is just as much a threat on social media. In fact, phishing tends to be more successful on social media because the lures seem to come from friends. Another factor is that tiny URLs are often used on social media. These are shortened versions of URLs that allow you to post a link using fewer characters. They may begin with bit.ly, goo.gl, ow.ly, or tinyurl.com. Since a tiny URL doesn’t show the actual destination, you really don’t know where it will take you.
Worse yet, some apps like Facebook let you post links without showing the URL at all. Remember to hover your mouse over these links to see the actual URL. That may not work in some cases with tiny URLs. I saw a link to a Harvard Business Review article on LinkedIn. The post showed hbr.org, but when I hovered over the link, it showed a tiny URL instead. As it turned out, the tiny URL did go to the HBR article, but how was I to know? One way to know is to run it through a URL expander. You can copy the link (being careful not to click it) into ExpandURL and it will show you the full original link. Also run it through Google Safe Browsing to see if it is safe.
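The check described above (expand a shortened link without clicking it, then compare where it lands with what the post displays), as an added example that is not part of the original article. The redirect chain is constructed inline and the bit.ly and tinyurl.com paths are made up, so it runs offline; replacing `sample_fetch` with a real HEAD request that does not follow redirects would expand live links.

```python
from urllib.parse import urlparse

# Shortener hosts named in the article; a link on one of these hides its real destination.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "ow.ly", "tinyurl.com"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample: url -> (HTTP status, Location header or None), standing in for the
# replies a HEAD request that does NOT follow redirects would get. The short paths are made up.
SAMPLE_RESPONSES = {
    "https://bit.ly/EXAMPLE-HBR": (301, "https://hbr.org/2018/example-article"),
    "https://hbr.org/2018/example-article": (200, None),
    "https://tinyurl.com/LOOP-A": (302, "https://tinyurl.com/LOOP-B"),
    "https://tinyurl.com/LOOP-B": (302, "https://tinyurl.com/LOOP-A"),
}

def sample_fetch(url):
    """Offline stand-in for one HEAD request; unknown URLs count as final pages."""
    return SAMPLE_RESPONSES.get(url, (200, None))

def host_of(text):
    """Lower-cased hostname of a URL or of bare link text such as 'hbr.org' ('' if none)."""
    return (urlparse(text if "//" in text else "//" + text).hostname or "").lower()

def is_shortened(url):
    return host_of(url) in SHORTENER_HOSTS

def expand(url, fetch=sample_fetch, max_hops=10):
    """Walk the redirect chain one hop at a time, never fetching a page body.
    Returns (chain, error) with error None, 'redirect loop' or 'too many redirects'."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain, None
        if location in chain:
            return chain, "redirect loop"
        chain.append(location)
    return chain, "too many redirects"

def inspect_link(display_text, href, fetch=sample_fetch):
    """Compare what a post shows (e.g. 'hbr.org') with where its link really ends up."""
    chain, error = expand(href, fetch)
    return {
        "shortened": is_shortened(href),
        "final_url": chain[-1],
        "error": error,
        "display_matches_final": error is None and host_of(display_text) == host_of(chain[-1]),
    }
```

For the LinkedIn case in the text, `inspect_link("hbr.org", "https://bit.ly/EXAMPLE-HBR")` reports the link as shortened but landing on hbr.org; a chain that loops or never settles is reported as an error rather than trusted.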
Take A Survey, Win A Phish
One phishing tactic that is popular on Facebook is surveys and quizzes. Since they often ask you to provide information about yourself, there are obvious privacy concerns, but there are also serious security risks. They seem innocent enough, but pay attention to what they ask. Perhaps they ask the name of your first pet. That also happens, not coincidentally, to be a common question for resetting your password on various websites, perhaps like the one you use for online banking. Seemingly harmless information can put your security at risk. With that in mind, think about all of the information you make available on Facebook, whether in your profile or the posts you’ve made through the years.
Another risk that surveys and quizzes pose is that they sometimes ask you to download an app or some form of code to run the survey or quiz. There are many ways to create Facebook surveys and quizzes that do not require anything to be downloaded. Asking you to do so is very suspicious. If you just love taking surveys, skip the download and find another.
Speaking of downloads, what about Facebook apps? Remember, if it’s free, YOU are the product. Here is what Facebook says about it:
“Keep in mind when you install an app, you give it permission to access your public profile, which includes your name, profile pictures, username, user ID (account number), networks and any info you choose to make publicly available. You also give the app other info to personalize your experience, including your friends list, gender, age range and locale.
An app may ask for additional info later when you’re using a feature of the app that requires it.”
The company that provides that app gets an awful lot of information about you. Who provided that app? It could be any developer, anywhere in the world, and neither Facebook nor you has any way to know what their intentions are. My advice is to remove any apps that you don’t feel are essential. If you don’t know what apps you are running, and many people are unaware of which apps they have authorized, go to Facebook settings and select “Apps and Websites.” There you can see which apps are active, remove them, or limit what information they can request.
Looking For Love In All The Wrong Places
The last social media topic cannot go without mention, as it is a prevalent type of threat with which cybercriminals are having increasing success. It victimizes people looking for love, typically on dating websites, but it is also done via email, Facebook, and others. Scammers know which people are most likely to take the bait. An article in Psychology Today explains that “they prefer to pursue 45-to-75-year-old widowed men and women. The thinking goes that this demographic is most likely to have money and be lonely – in other words, easy marks.”
You may have heard or intuitively thought that many dating profiles are fake. In a 2016 study, Sift Science, a fraud prevention company, found that 10% of all newly created dating profiles were fake. They also found that users listing their age as 64 had the highest fraud rate. According to the Federal Trade Commission, people reported losing $143 million to romance scams in 2018, up from $33 million in 2015 – a higher total than for any other type of scam reported to the FTC. The median loss per person was $2,600. For those 70 and over, it was $10,000!
What you may not have considered is that some of those fake profiles were created by the dating sites themselves. NBC affiliate WKYC recently ran a good report on this. Users got suspicious when activity on their account increased suddenly just before it was time to renew or at the end of a free trial. Then, after they renewed, activity dropped as suddenly as it had increased. The FTC sued a company in the U.K. that ran 18 dating sites for such activity. The case was settled out of court. All of the dating websites accused have denied any such actions.
How Do I Protect Myself On Social Media?
Since the principles are essentially the same for the various social media apps, I’ll give specifics about settings and practices for Facebook that you can then apply to other accounts you have. Keep in mind that the protections I mentioned earlier for email, in Phishing Email Scams: What You Don’t Know Can Cost You, still apply to social media.
Here is where you can turn the lack of privacy in your favor. There are websites that allow you to gather information on an individual. That may sound a bit unethical, but if you are considering sending money to someone supposedly in need (which you should not be doing if you’ve not even met them in corporeal form) or going on a date with them, you have a right to know that they are at least a real human being. Sites like Pipl and PeekYou provide a reasonable amount of information for free and have paid options to get more.
As with email, it is very important to use multifactor authentication to protect against someone taking over your account. Facebook and other apps call it two-factor authentication. Twitter calls it login verification. LinkedIn calls it two-step verification. In Facebook, go to settings and select “Security and Login.” Click the Edit button next to “Use two-factor authentication.” There are several options. I suggest using Google Authenticator. Google’s 2-Step Authentication page will walk you through it. Alternatively, you can use SMS (a code texted to you that you enter on a designated screen), but that is much weaker and has been circumvented. Nevertheless, it is much better than just using a username and password. The other apps use similar steps in their settings.
While you’re in the security section, click the Edit button next to “Get alerts about unrecognized logins” and select “Get notifications.” If someone tries to log into your account from a browser you’ve not previously logged into Facebook with, you’ll get an alert asking if that was you logging in. If you answer yes, then all is good. You can then save that browser so that it will not send an alert the next time. If you answer no, Facebook assumes that someone is trying to break into your account and brings you to a password reset screen.
That’s a good start for securing your social media. Let’s address privacy in Facebook. Start with a feature called Privacy Checkup. It walks you through Facebook’s privacy settings. Accessing it is a bit different on the web and mobile versions. On the web, click the Quick Help button (question mark icon) and select “Privacy Checkup.” On mobile, select “Settings and Privacy” and “Privacy Shortcuts.” Then select “Review a few important privacy settings.” It will then walk you through some settings that you can review and change to limit what information is available to whom.
It’s Always Something…
It’s always something, whether it’s tax season, World Cup, Black Friday or Valentine’s Day. There is always something to entice you to click that link. It is really a matter of staying aware. Take that extra second or two to consider if something is not quite right before you click, download, log in, or give information.
In today’s world, the benefits of using the internet far outweigh the risks. Now you know how to minimize the risks and stay safe online.
About the Author
Having retired from his role as Security Practice Head for a global telecom company, Eliot Leibowitz is now leveraging his 30+ years of providing security expertise to Fortune 500 companies to write about cybersecurity, technology, and anything that grabs his interest. He is currently working on a couple of projects to make the online world a safer place. The Cybersecurity Awareness Project is a work in progress helping organizations with information on how to plan, build, and run security awareness programs for their employees. Simply Safe Online, still in its embryonic phase, will be a free resource to anyone interested in simple steps to stay safe online.