Just some suggestions from your friendly neighborhood cyber security dude.
I was doing a personal annual Facebook privacy review on my socials and was thinking about how we really trust our friends (and not friends) with a lot of information on social media.
Think about it, we give them access to our phone numbers, email addresses, birth dates, hometowns, current cities of residence, schools that we attended, and relationships. We even list what we like to eat, watch on TV and do for fun! Sound familiar? Yeah, these are exactly what we use when we answer security questions on our accounts, and then we turn around and post the answers to those questions right on our Facebook page!
I routinely surprise people with whom I’m not Facebook friends with information about them that I’ve quickly ascertained from just their public Facebook page.
We’re all familiar with those Facebook posts from our friends saying, “I’ve been hacked, don’t respond to messages or accept friend requests”. Most of the time, that friend hasn’t actually been “hacked”. They’ve just failed to set the correct privacy options in Facebook settings, and some scammer came along and, using the publicly available information on their Facebook page, duplicated their page enough for it to be believable and sent friend requests to everyone on their friends list. Because people’s friends lists are so big, people rarely scrutinize the requests and just accept them because of the familiar name. Once the request is accepted, messages usually follow with “Hi, how have you been!?” and then a request of some kind. Our friend then gets scammed, and then we feel bad because we provided enough information publicly for the bad guy responsible to impersonate us closely enough to be successful.
Now, this is just information that is set to “Public” on your Facebook account. Imagine if a bad actor were able to take over one of your friends’ Facebook accounts by guessing their password. What kind of information could they get about us then? How many of your friends do you think use proper security hygiene on their socials? How many of them use good passwords with 2FA (Two-Factor Authentication)? I just went to 3 people in my office and none of them had 2FA on their FB login, and one of them was using a commonly used keyboard pattern as their password. Facebook is notorious for its inability (or unwillingness) to help people get stolen accounts back, so how long will the bad guy have access to that account, and thus to the information on your Facebook that you have set to “Friends” that was intended only for the eyes of that original account owner? How many friends are going to broadcast to us that their accounts were stolen and they couldn’t get them back? I have a friend who had her account stolen 2 years ago and to this point has not been able to get it back. The person who stole it still acts like her and posts on it regularly, and people still don’t know it’s not really her.
I understand people wanting to provide identifiable information so that the old college buddy you haven’t talked to for 20 years will know it’s you when he/she stumbles across or searches for your Facebook page. That’s the beautiful thing about social media. People we may have lost connection with over the years can find us using just enough information. What we really need to do is think carefully about what information people really need to know to find us, and, once they have found us, what they really need to know after we finalize that connection via the ‘Accept’ button.
To help with this, Facebook has made it easy with their “Privacy Checkup” tool in the “Settings and Privacy” menus on both mobile and desktop versions of the app. Unfortunately, Facebook has done little to let people know about this, and people rarely use it. Launching the Privacy Checkup tool will walk you through a few easy-to-use wizards that allow you to decide how you want that information shared and who you want it shared with.
I’ll walk through the checkup tool section by section and discuss how I have mine set up with some of my personal reasoning behind it.
Feel free to use these as guidelines for setting up your own, but understand that I’m a little more reluctant to give out information about myself than most.
From the wizards:
Who can see what you share:
- Phone number – I set this to “Only Me”. If someone who doesn’t already have it needs it, they can message me for it.
- Email – Set this to “Only Me”. I use this as the username on most of my accounts and don’t want it getting out. If someone I trust needs it to email me something, they can ask for it.
- Birthday – I have these set to “Only Me” as I consider it something people could use to impersonate me. The people who need to know my birthday don’t need Facebook for that.
- Note: if you set this to “Only Me”, your FB friends will not know when it’s your birthday and you won’t get flooded with all those warm birthday wish posts on your special day! If this is something you value then, at a minimum, set your Month/Day to “Friends” and the Year to “Only Me”. If someone needs to know your year, they can ask.
- Hometown – I may have used this as an answer to some of my security questions, so I set it to “Only Me”. This is one of those things that helps people find you in searches, though, so if you want to make it available to the public, make sure no security questions use it as an answer.
- Relationship – I set this to “Friends”. Ideally, this would be set to “Only Me”, but then my new bride would feel like I wasn’t flaunting her enough and she’d be sad. You don’t want this set to “Public”, as it would only make your partner a target as well.
- Address – I have these set to “Only Me” as I consider it something people could use to impersonate me. The people who need to know my address don’t need Facebook for that.
- Current City – I have this set to “Only Me”. The people who need to know this don’t need FB to know it.
- Education – I have this set to “Only Me”. I post this information on LinkedIn already where the people who need to know it can find it. It doesn’t need to be on FB.
- Who can see your friends list on your profile – I have this set to “Only Me”. I do this to protect my friends from possible scammers trying to impersonate me.
- Who can see the people, pages and lists you follow – I have this set to “Only Me”. This stuff just gives people too much information about me for my taste. I’d set this to “Friends” at a minimum and never “Public”. It could give malicious actors enough information to phish you in some way. If someone needs to know what my interests are, we can talk about it over a cocktail in real life or something.
- Default Audience – “Friends”
- Stories – “Friends”
- Limit Past Posts – You can use this tool if you would like to limit who can see all your past posts in one sweep. Any past post that was visible to more people than just your friends will be changed to be visible to ONLY your friends at the time you run it.
How to keep your account secure:
- My password is OK
- Two-Factor authentication is ON
- Login alerts are ON
- If any of these are off, set them up. These are what keep your account from getting stolen.
How people can find you on Facebook:
- Who can send you friend requests – I have this set to “Friends of Friends”. If I know you, chances are highly likely that we have at least one common friend. If not, you can message me and we can talk about it.
- Search Engines – I have this turned off. If people want to search for me, they can do so on Facebook.
Your data settings on Facebook:
- Use this tool to review which apps and websites you’ve given access to your FB account and remove the ones you no longer use.
Your ad preferences on Facebook:
- I turn all of these off because I want to minimize ads, but if you want targeted ads, select what you want the ads focused on here and turn off what you don’t.
Social media is a scary world (especially from the perspective of a cyber security professional), but following the guidance above can limit your exposure on Facebook and help protect you, your family and your friends from the bad guys.