Viral Surveys On Facebook Are Fraught With Risk

In late April 2017, a seemingly innocuous Facebook post went viral. To partake in the fun, Facebook users simply list the names of 10 musical events/concerts they had attended in person at some point in their lives. Nine of those concerts should be true, and one is supposed to be a lie. Once posted, friends could comment on which concert they believed to be false.

The problem with the “10 Concerts I’ve Been To, One Is A Lie” post is that it provides a wealth of information that hackers can use to log into personal accounts and steal the identities of unsuspecting Facebook users. Many websites nowadays leverage knowledge-based authentication (KBA), which uses security questions to verify your identity, such as “what was your mother’s maiden name,” “what was your first car,” or “what was the first concert you attended?”

People playing “10 Concerts” probably will include the first one they attended. And a glance at the comments section probably will reveal which concert it was. And just like that, a malicious person can begin to take over a person’s identity.

“Privacy experts [caution that the “10 Concerts” post] could reveal too much about a person’s background and preferences,” warn Christopher Mele and Daniel Victor in their article, “’10 concerts’ Facebook Meme May Reveal More Than Musical Tastes,” in The New York Times. “The post sounds like a security question – name the first concert you attended – that you might be asked on a banking, brokerage, or similar website to verify your identity.”

Cyber security professionals and students pursuing a degree in cyber security should be aware of this threat and others like it.

Cut-and-paste social media surveys have been popular for some time now. Typically, a user will copy a question or list of questions from a friend’s status or a Facebook page, paste it in his or her own status box, and replace the previous user’s answers. Many such surveys contain questions that could easily reveal information used in KBA security questions.

For instance, a Facebook status survey offered by the Facebook page Status Games includes such questions as:

1. Who was the last person you texted?
2. Where was your profile picture taken?
3. Have you ever lost a friend?
4. What song did you listen to last?
5. What’s your relationship status?
6. How many siblings do you have?
7. What are your brothers’/sisters’ names?
8. Where do you wish you were right now?
9. Ever have a near-death experience?
10. Something you do a lot?
11. Are you currently angry at anyone?
12. What’s stopping you from going for the person you like?
13. When was the last time you cried?
14. Is there anyone you would do anything for?
15. What do you think about before you fall asleep?
16. Who was the last person you talked to on the phone?
17. What is your favorite song?
18. What are you doing right now?
19. Who do you trust right now?
20. Where did you get the shirt you’re wearing?

The answers to these questions could provide a vast amount of information from which a hacker could derive or guess the answers to security questions. If a certain name pops up frequently, chances are the name might be included in passwords or the answers to security questions. Other questions can reveal favorite colors, favorite bands, important dates, and even the schedules and habits of targets (when they are home, when they are on the internet, when they go to work, when the house is empty).

Skilled hackers will know how to extract the information they are looking for from even the most harmless-seeming questions.

The use of phishing and social engineering tactics to extract sensitive information is becoming more and more prevalent on social media. Computer and network security systems have evolved a lot, so hackers are finding now that it’s easier to hack people than computers. Once they get the information they want from the person they are targeting, they have no problem logging into a secure server and stealing valuable information.

Setting the privacy of each post to anything other than “public” can help a little, because those who are not connected to you will not be able to see your post. However, fake friend requests can give access to unknown parties pretending to be someone they are not.

“The attacker sends out fake friend requests with their own profile, so as to enlarge their network,” explain Zhiyong Zhang and Brij B. Gupta in their 2016 academic paper, “Social Media Security And Trustworthiness: Overview And New Direction,” in the Future Generation Computer Systems journal. “If the users accept the fake requests, it gives the attacker more privileges and they are able to [retrieve] more information from the victims’ profiles.”

Recognizing the difficulty of preventing any and all types of fake requests, Zhang and Gupta say, “The prevention of fake requests is not possible, thus, the user should be more responsible over the social media.”

Almost all Facebook users, at one point or another, have accepted a friend request from someone they don’t know well, or from a friend’s hijacked profile. Once the request is accepted, that hacker has access to all of the user’s posts as well as other friends’ posts.

If KBA security questions are devised well from the start, social media users won’t have to worry as much about accidentally giving away personal information to potential hackers. Many websites now allow a person to write their own security questions, rather than forcing them to choose from a drop-down menu. And still, other websites are learning to compose better security questions for their users to choose from.

To be safer online, don’t choose the same common security questions and password options that everyone else does, blog poster Iamjames writes on his GeeksWithBlogs.net article, “How To Pick A REALLY Good Security Question.” Topics people should avoid include:

Some items could potentially change over time, and the rest are likely to be easy to discover simply by perusing a target’s news feed.

Instead, he advises drawing on something more obscure: “What was the last name of your third-grade teacher?” or ” What was the name of the boy or girl with whom you had your second kiss?” The answers to these questions should be easy enough to recall when needed but are not likely to be found anywhere on a social media news feed.

Maryville University’s online cyber security bachelor’s degree offers advanced training in cyber security, mobile security, digital forensics, and malware analysis. All skills are learned and practiced in Maryville University’s virtual training lab. Upon graduation, students may qualify for high-paying positions such as networking consultant, information security manager, security analyst, or network architect in some of the world’s largest tech companies. Contact Maryville University for more information.

Sources:

‘10 concerts’ Facebook Meme May Reveal More Than Musical Tastes – https://www.nytimes.com/2017/04/28/technology/facebook-concerts-attend.html

Status Games – https://www.facebook.com/permalink.php?id=341681106042401&story_fbid=363174447226400

Social Media Security And Trustworthiness: Overview And New Direction – http://www.sigdrm.org/~zzhang/papers/Social%20Media%20Trustworthiness%20and%20Security%20Overview%20and%20New%20Direction.pdf

How To Pick A REALLY Good Security Question – http://geekswithblogs.net/james/archive/2009/09/23/how-to-pick-a-really-good-security-question.aspx