There is a dedicated type of hacker out there that deals not in code and zero-day exploits, but in psychology and social engineering. Their tools are persuasion, cunning, and manipulation, applied in person, over the phone, and through highly-personalized phishing emails. Staying safe online means minimizing the publicly-available information that they can potentially use against you. As social media – and what is shared on them – proliferate, this task gets much more difficult. Fortunately, there are simple, concrete steps you can take to strike the right balance between staying safe and staying socially active. Here’s what you can do to preserve your personal online privacy:
Consider your privacy settings. At the very least, review all the privacy options offered by your various social media and decide what works for you. Facebook, for example, lets you decide who can see your photos, biographical information, and posts. Don’t leave your entire profile open to the public – consider limiting viewing privileges to friends, or friends of friends. While you’re at it, take a look at which third-party apps have access to your Facebook information. You’d be surprised at how many quiz games and Farmville-like apps from five or six years ago still have permission to see your personal information, friend lists, pictures, and location history. Revoking these privileges for any apps you no longer use reduces the number of vectors a hacker could use to get to you.
Scrub any personally identifiable information. After you’ve picked the appropriate privacy settings, it’s worth taking a look at the remaining information that’s out there publicly and removing anything personally identifiable. Seemingly insignificant anecdotes like where you were born or your middle initial could be as valuable as a password. You’re more likely to reveal confidential information to a fraudster if he addresses you with your full name replete with a middle initial. You think he must be an authority if he has your full name, but he actually lifted it off your LinkedIn page. Moreover, if your birthday is plainly out there on your Twitter page, that – coupled with your mother’s maiden name found easily under “Family Members” on your Facebook profile – might be the only key information that the customer service representative at your bank needs to change your password over the phone.
Think like a spook. If you’re really keen on taking control of your online presence, incorporate some tradecraft into your social media usage. Don’t use the “check-in” feature available on some websites: where you’ve been and where you typically go are valuable information. If you must – for example, if you’re on a trip to an exciting place – wait until you leave to check in, or fudge the dates. That way, if someone calls you pretending to be your credit card company and references a purchase made in a place and on a day that don’t add up, you’ll know it’s a scam. Also, think about whose friend requests you accept. Unless you know who the person is and their reason for friending you adds up, reject the request. Instagram and Facebook are rife with fake profiles, complete with photos of scantily-clad women, that exist only to extract information from you.
Red team yourself. STOP.THINK.CONNECT suggests owning your online presence. Every once in a while, log out of all your accounts and find as much as you can about yourself just from a Google search. Write it all down. At the end, ask yourself if you would want someone intent on stealing from you to have access to all that information. Between what is publicly available on your Facebook, Twitter, and LinkedIn, someone who is determined could probably paint a fairly complete picture of you – at least enough to get started on a social engineering campaign. It’s your information: own it and protect it.