Social Media Privacy – How to Stay Safe Online

David Morrison
April 20, 2023

Privacy week is fast approaching, and in the lead-up to the 1st of May, we wanted to release an article about social media privacy and the impacts it can have on your online safety.

If you weren’t aware of how much time we spend on social media:

  • In 2023, there are estimated to be 4.89 billion total social media users worldwide.
  • The average person bounces between seven different social networks per month.
  • The amount of time internet users spend on social media is now higher than ever — 151 minutes per day.

That’s 2.5 hours a day! And unless you’re living in a bubble, you’ve seen the ever-growing privacy concerns around how social media platforms compile, store, share and use our data. There seems to be something new popping up every day in the news, from government TikTok bans to the latest AI chatbot popping up in every Snapchat user’s friend list. We have already seen some frightening results from that chatbot.

But what are the privacy implications that stem from our use of social media, why should you be worried and what can you do about it?

It’s one thing to tell people what to do so they stay secure online, but when you don’t know why you are doing something or what the implications are if you don’t, it doesn’t provide much encouragement to do the ‘right thing’. In this article, you’ll learn 9 actionable steps to safeguard yourself on social media platforms and protect your privacy. But most of all, you’ll learn the reasons why implementing these measures is crucial. When you understand the whys, you have an actual reason to do it.

Use strong passwords and MFA

Number one on the list is using strong passwords and multi-factor authentication (MFA). You would be hard-pressed to find any online safety or cybersecurity recommendations without this high up on the list. The reason is, if a threat actor gets hold of or can guess your password, they have access to your accounts. This could be your computer, social media, bank accounts, email, file and photo sharing; the list goes on. And it’s terrible to say, but a large percentage of people still use the same password across multiple or all of their accounts. So a threat actor with that one password has access to EVERYTHING!!!

But how do they get your password and other information, you ask? There are many ways, but the most common are:

  • Phishing emails – A threat actor sends you a fake email enticing you to click a link to visit a site and log in with your credentials. The link goes to a fake website that looks like the real one. You enter your credentials and the threat actor captures them. With your credentials, they have access to your account.
  • Keyloggers – The threat actor sends you an email with an attachment that is actually malicious software (malware), or you go to their website and download the malware from there. When run on your computer, the malware installs a keylogger, which is a piece of software that records every key you press on your keyboard. So when you log into your online banking or any other site, the threat actor gains a copy of your credentials.
  • Data breaches – When an organisation is breached, threat actors often download large amounts of data from that company, such as personal information and credentials. If you have an account with that organisation, the threat actor now has your password. If you reuse that password on other systems or online services, they can now access those accounts. Often they need to ‘crack’ these passwords, as they are stored in a hashed form, but when you use a weak or simple password, it takes very little time to crack.

As you can see, reusing or having weak passwords can have an enormous impact on you personally if your password is compromised.

So what do I do to reduce this risk?

  1. Use strong passwords and a password vault – We all have dozens of accounts with various online services nowadays, so it’s not feasible to create complex passwords and remember them all. This is why people tend to use the same password across multiple accounts. It’s just easier. Password safes are a technical solution to this problem. A password safe is just a secure application that stores your account details and passwords. It also helps you create long, complex passwords. Once created, it saves these passwords for you so you don’t have to remember them. All you have to remember is one password, the password to open the vault itself. When you access one of your accounts online, you enter your vault password and the vault enters the password to that online account for you. Easy! When people ask, I always recommend 1Password as it’s been around a long time and is very easy to use. It also has family accounts, which are great for implementing strong passwords across your family.
  2. Don’t reuse passwords – As we have discussed above, never reuse a password! If it gets compromised, any account that uses that password is potentially compromised. Using a password vault makes your life easier and removes the need to continue reusing passwords.
  3. Use MFA – Multi-factor authentication (MFA), also known as two-factor authentication (2FA) when you are limited to two factors, adds an extra layer of protection to your account. Having just a password is known as single-factor authentication. You have one thing that proves you are who you say you are, and it is based on the principle of ‘something you know’, i.e. you know your password. MFA adds more factors to your authentication, generally ‘something you have’, e.g. your mobile phone or a hardware token, or ‘something you are’, e.g. your fingerprint or your face. MFA is highly effective in stopping the password-based attacks we discussed previously. If you only need a password to authenticate and someone steals that password, they have access to your account. If you add an extra layer of authentication, such as ‘something you have’, you generally use an authenticator app like Google Authenticator or Microsoft Authenticator on your phone. When you log in to your account, once you have authenticated with your password, you are then asked for a secondary one-time password (OTP) that is generated by the authenticator app. When using MFA, if your password is compromised, to access your account the threat actor would also need to physically steal your phone, or need your fingerprint or face, to authenticate. MFA reduces your risk enormously and I cannot recommend it enough. I have placed links at the end of this article on how to configure MFA for the most popular social media networks.
  4. Monitor for account breaches – More and more organisations are breached every day, so how do you know if you are in one of these breaches and need to change your password? There are a number of free sources online you can use. One is Have I Been Pwned, which lets you see if your email has been in a breach and what information was exposed. You can sign up to be notified if/when your email shows up in a new breach. There are other services like Firefox Monitor which will also tell you what breaches you have been in and notify you of any new ones. 1Password also has this built in, through its Watchtower functionality, for every account you store in the vault. It monitors the services you have accounts with rather than just the email you signed up with, which is great if you use multiple emails or use a username rather than an email with any accounts.

Be careful what you share

Social media platforms are designed for us to share information and socialise. But if we are not careful about what we share, it can have an enormous impact on our privacy and safety.

At Morrisec we perform a lot of threat intelligence for our clients. It’s a critical component of most of our services as it provides valuable, contextual information to an organisation or individual on threats that may target or impact them. As part of this, we perform what’s known as open-source intelligence (OSINT). OSINT refers to the collection, analysis, and dissemination of information from publicly available sources. This includes information from sources such as social media, online forums, news articles, online reports and other publicly available information that anyone has access to. One of the greatest sources of information is people’s social media accounts, because people love to overshare. Information gathered from social media has been the downfall of numerous organisations I’ve been involved in testing. Examples range from photos taken with a computer in the background showing what applications are in use and what anti-malware is installed, to photos inside offices showing camera locations and the type of office entry authentication technology, to staff wearing their corporate passes around their necks in photos, making those passes easy to copy and duplicate.

But sharing information also poses many other threats outside the corporate world. Password reset questions ask for all sorts of personal, but easily attainable, answers. Names of pets. Maiden names of mothers. Friends’ names. Favourite colours. It’s not hard to do some digging to find most of these answers. Then there are risks that extend beyond the digital world, with stalkers and other lowlifes. This is especially worrying when it comes to what you post about your children, or what you let them post. Photos taken in school uniforms instantly provide information on where your kids are 6 hours a day, 5 days a week. Posting about your daily workout routine, where you go for a run at the botanical gardens at 6 am every morning, lets anyone know where you are, but it also lets criminals know that during that time every day you aren’t at home. It’s the same with holidays and vacations. We all want to post what’s happening so our friends and family can see, but it also tells a would-be thief your house is vacant for the next week while you’re away.

It’s a catch-22 with social media. We share and we place ourselves at risk. We don’t share and the platform becomes pointless and no one would use it. We need to find a comfortable medium by being wary of what we post and when. Here are a few things you can do to reduce your risk:

  1. Don’t post any images that have any type of identifying information – This includes pictures of you wearing your work pass, photos of your driver’s license or other sensitive documents, and even your airline boarding pass; boarding passes have been used to compromise people’s personal information.
  2. Be wary of posting work photos – Don’t post pictures on work premises that could expose information that could benefit a threat actor, such as photos including your unlocked computer screen, door access scanners, cameras or other security devices.
  3. Avoid posting photos of your children in school uniforms – If the uniforms have identifying brandings like the school name or insignia, think before posting or block out the name/insignia.
  4. Don’t share information that you use in password reset questions – Try to use password reset questions and answers for things that you would never post on social media or discuss with anyone.
  5. Be careful of what you share in your social media profile – Even if you have strong privacy settings (discussed next), your profile information is often shown as public to everyone so people can find you and ask to connect.
  6. Most of all, think before you post – For photos, look at what is shown in the photo and think ‘Does this have any private information or other details that I don’t want everyone in the world to see, including criminals and other nefarious characters?’. And this also goes for the text you write on social media.

One last thing. Bear in mind that social media accounts are a common source for those looking at hiring you for job roles. What you post could have an impact on getting that next position. And what we put on the Internet is generally there forever. So what your kids and teenagers post now could come back to haunt them in 10 years’ time. Be wary of what you post and what you let your children post.

Set strong privacy settings

Most social media platforms give you a decent amount of control over who can connect with or friend you, who can message you directly, and what they have access to see. The problem is, the default for most platforms is making your account fully open, as this supports the whole premise of the sharing and collaborative nature of these platforms.

Spend some time going through these settings and tweak them to what you really need. I’ve included a list at the end of this article on how to configure these settings on the most popular platforms. But ask yourself these simple questions before you make changes to these settings:

  • What is my reason for using this social media platform? – Asking yourself this question will help you answer the next questions and ensure you are only exposing the information you want, to the people you need to. For example, is it how you share what you are doing with your friends, is it to share pictures of your children with extended family overseas, is it for your business, or are you trying to become the next social media influencer? These are all very different use cases that target different people and need different privacy restrictions.
  • Who do I want to see my feed? – After answering the above question, you can decide if your account needs to be public or private. If it’s to just share with close friends and family, it can be private to those people you choose and authorise. If you want to be the next influencer, you want as many people connected with you as possible, so you need it to be open and public to all.
  • Who do I want to direct message me? – Direct messaging allows people to message you, even if you aren’t connected or you don’t follow each other. By not letting people message you if they aren’t connected with you, you stop potential threat actors trying to scam you, and you reduce spam and other unwarranted or risky messages. It’s an ideal setting for children, as you don’t want just anyone on the Internet messaging them. But this is a decision you need to make based on your motivations for joining the social media platform. You may want to allow direct messaging as it is a potential way to meet new people, but it also opens the door to scammers and other threat actors.
  • Do I want everyone who is connected to see everything? – Some social media platforms allow you to have different photo albums and provide access to different people. This is ideal if you don’t want to share more personal pictures, like your children or when you are on holiday, with the general public or other untrusted connections. Follow the security principle of ‘need to know’ where possible. Only allow those that need to see your posts, see your posts.
  • Should I have multiple accounts? – Sometimes having multiple accounts may be the best solution. A social media influencer could have a public account that everyone can access and is carefully curated for what they present to the world. Then they have a second, unknown personal account that just family and friends have access to that has their personal, non-marketing posts.

Be cautious of strange messages from friends, family and colleagues

A very common attack vector that threat actors use is to compromise social media accounts and then use those accounts to contact the associated friends and connections. The reason they use this tactic is because you generally trust your friends, family, colleagues and other close connections. If you received a message from their social media account, you assume it’s them and trust what they have to say. This ‘trust relationship’ is what scammers prey on. They send out a message with a link or attachment enticing you to click on the link or download the file. The link will generally go to a malicious site they have set up or the file will contain malware that when downloaded, compromises your computer or device. You click the link or download the file because it comes from a trusted source. You’ve probably seen these in the past. That friend that suddenly posts about how they got involved in buying shares and made some fast money, and they are ‘sharing this information’ so you can get rich too.

If you receive a strange message that seems out of place, don’t click the link or download the file. Contact the friend through another channel, for example, call them on the phone and ask them. They may not even know their account has been compromised. Taking swift action is critical when trying to recover a social media account, and also to warn your connections of possible scams. I experienced this exact incident about a year ago with a friend from my gym. I saw a post on his Instagram that just wasn’t him, so I sent him an SMS and he called me straight up and told me his account was compromised and he was locked out. I worked with him over that weekend and we managed to get his account back, but it took some battling with the threat actor, as you try to lock each other out of the account and take control. The longer the account is compromised, the harder it is to take back control.

Only accept connection requests from people you know

This goes back to what your reasoning is for using social media, but in the ideal world, you only want to connect with people you know. On most platforms, when someone is connected with you they can then see who you are connected with. Some platforms give you more control over who can see your connections, even when connected, but not all. Be aware that when someone can see your connections, they can potentially harvest information on you from those connections. For example, you might be super careful of what you post on your account, but if your less cyber-conscious friend is taking pictures that include you and posting them all over social media, this information is now available to anyone. When performing threat intelligence on individuals, we always look through the target’s first-degree connections at a minimum, especially their family and close friends.

If you are building a public persona then you are generally going to need to accept requests from everyone. This is where you need to assess whether you should have a second, more private account.

Force logout of unrecognised devices and sessions

Most social media platforms let you see what devices are connected to your social media accounts. This is an ideal way to see if someone may have access to your account. If you don’t recognise a device, or you are unsure, disconnect it. You can always reconnect if you accidentally logged yourself out of one of your devices. If it was an unknown device, change your password immediately so that whoever was connected to your account can’t reconnect. And make sure you have MFA turned on!

I’ve put links at the end of this article on how to see who’s connected on the major social media platforms.

Pay close attention to security alert emails

It’s rare nowadays for social media platforms, or most major online services, not to email you if a new device connects to your account or there are failed logins to your account. Make sure you review these emails and take action if required. If someone has tried to log in and failed, it’s probably nothing to worry about. If you start getting a lot of these alerts, you know someone is actually targeting you. If you have a new successful connection, you need to get in there fast, change that password, and then disconnect them, in that order. If you disconnect them first, you risk them logging back in before you change the password. This is when they could realise what you are doing, try to change the password themselves, and then log you out! 😔

One note on security alert emails. Emails like these are often used for phishing attempts. They scare you into clicking a link to see what is going on, only to direct you to a malicious site where you log in with your credentials. If you receive one of these emails, don’t click any links. Manually go to the website in your web browser or use the app on your phone or tablet. It’s sad to say but this is the safest method for any email nowadays. Avoid clicking links in emails wherever possible.

Delete your old social media accounts

This is something most people never think about: the old accounts they no longer use. Most of us have signed up for a social media account, used it for a while, then let it die as we got little value from the platform or we migrated to the next more popular social network. But most of the time these accounts stay there indefinitely. You probably never set up MFA on the account, and you probably reused an old weak password before you read an article like this and changed your existing ones 😉 If the account has been compromised, it’s unlikely you would ever realise, and there could be threat actors out there pretending to be you, connecting with family, friends or colleagues, sending them malicious links or files, and causing havoc under your name.

If you have any old, unused accounts, log into them and delete them. Most platforms will let you remove an old account.

Keep your software up to date

Finally, make sure your software is up to date on all your computers and devices. This includes not just the operating system, like Windows, Mac OS, iOS or Android, but also the applications and mobile apps you have installed. This way, if you do fall for a phishing scam or get tricked into downloading a malicious file, a patched system with active anti-malware gives the attacker far less to work with, and there is less chance you will end up compromised.

Make sure all your devices are set to auto-update, for your operating systems AND your apps. That way they stay up to date with no input needed from you.

Social media has become an integral part of our world, and society as a whole. As with most technology, it brings amazing benefits and potential to enhance our lives, but the flip side is it opens us up to a myriad of risks. Like most things in life, it’s the discussion about risk vs reward. You need to assess the risks against the benefits of accepting those risks. The good thing is, if you are aware of these risks and the potential impacts they can have on you, your family, friends and colleagues, it’s not hard to reduce these risks so you can enjoy your social media accounts and being online in general. Just follow the above steps and always be vigilant when online.

I have provided a number of links for sites and other information referenced above to help you reduce your social media risk online.

Share this article with friends, family, colleagues and co-workers, and stay safe online! 😁



Breach monitoring

Password vault

Setting up MFA on social media accounts

Setting up your privacy settings on social media accounts

Find out what devices are connected to your social media accounts


David Morrison

David is the Co-CEO of Morrisec. With a wealth of experience spanning more than two decades, David has established himself as a leading cybersecurity professional. His expertise and knowledge have proven invaluable in safeguarding organisations from cyber threats across a gamut of industries and roles.
