Just some suggestions from your friendly neighborhood cyber security dude.
I was doing a personal annual Facebook privacy review on my socials and was thinking about how we really trust our friends (and not friends) with a lot of information on social media.
Think about it: we give them access to our phone numbers, email addresses, birth dates, hometowns, current cities of residence, schools that we attended, and relationships. We even list what we like to eat, watch on TV and do for fun! Sound familiar? Yeah, these are exactly what we use when we answer security questions on our accounts, and then we turn around and post the answers to those questions right on our Facebook page!
I routinely surprise people with whom I’m not Facebook friends by telling them things about themselves that I’ve quickly ascertained from nothing more than their public Facebook page.
We’re all familiar with those Facebook posts from our friends saying, “I’ve been hacked, don’t respond to messages or accept friend requests”. Most of the time, that friend hasn’t actually been “hacked”. They’ve just failed to set the correct privacy options in Facebook settings, and some scammer came along and, using the publicly available information on their Facebook page, duplicated their page closely enough to be believable and sent friend requests to everyone on their friends list. Because people’s friends lists are so big, people rarely scrutinize the requests and just accept them because of the familiar name. Once the request is accepted, messages usually follow with “Hi, how have you been!?” and then a request of some kind. Our friend then gets scammed, and we feel bad because we provided enough information publicly for the bad guy responsible to impersonate us closely enough to be successful.
Now, this is just information that is set to “public” on your Facebook account. Imagine if a bad actor were able to take over one of your friends’ Facebook pages by guessing their password. What kind of information could they get about us then? How many of your friends do you think practice proper security hygiene on their socials? How many of them use good passwords with 2FA (two-factor authentication)? I just went to 3 people in my office and none of them had 2FA on their FB login, and one of them was using a commonly used keyboard pattern as their password. Facebook is notorious for its inability (or unwillingness) to help people get stolen accounts back, so how long will the bad guy have access to that account, and thus to the information on your Facebook that you have set to “friends”, which was intended only for the eyes of the original account owner? How many friends are going to broadcast to us that their accounts were stolen and they couldn’t get them back? I have a friend who had her account stolen 2 years ago and to this point has not been able to get it back. The person who stole it still acts like her and posts on it regularly, and people still don’t know it’s not really her.
I understand people wanting to provide identifiable information so that the old college buddy you haven’t talked to for 20 years will know it’s you when he/she stumbles across or searches for your Facebook page. That’s the beautiful thing about social media: people we may have lost touch with over the years can find us using just enough information. What we really need to do is think carefully about what information people really need in order to find us, and, once they find us, what they really need to know after we finalize that connection with the ‘Accept’ button.
To help with this, Facebook has made it easy with its “Privacy Checkup” tool in the “Settings and Privacy” menus on both the mobile and desktop versions of the app. Unfortunately, Facebook has done little to let people know about it, and people rarely use it. Launching the Privacy Checkup tool walks you through a few easy-to-use wizards that let you decide how you want that information shared and who you want it shared with.
I’ll walk through the checkup tool section by section and discuss how I have mine set up with some of my personal reasoning behind it.
Feel free to use these as guidelines for setting up your own, but understand that I’m a little more reluctant to give out information about myself than most.
From the wizards:
Who can see what you share:
How to keep your account secure:
How people can find you on Facebook:
Your data settings on Facebook:
Your ad preferences on Facebook:
Social media is a scary world (especially from the perspective of a cyber security professional), but following the guidance above can limit your exposure on Facebook and help protect you, your family and your friends from the bad guys.