Don't let your public online information empower hackers
By Bill Dunnion
For instance, think of the questions your bank asks when you call its customer service line. The usual set of security questions consists of your address, postal code, date of birth, and perhaps your mother's maiden name. That may seem reasonable, but consider how much of that information is already available online to a would-be attacker.
Chances are your address is available through Facebook, maybe you've posted it on LinkedIn, or maybe someone could simply look you up in the phonebook (yes, those still exist). That's one security question down, and just a few more to go.
The second piece of information is date of birth. Again, from Facebook to LinkedIn to Twitter and Instagram (the list goes on), one simply needs to trawl your profile information to get the date. And if you're one of those folks who do not post your date of birth, trawling an account for posts in which people publicly wish you a happy birthday takes only minutes. So that's two down.
As for your mother's maiden name, that again is easy. If your mother is connected to you online, then her siblings may be, too. I tested this theory with a friend's Facebook account. Within minutes, I found birthday wishes from their mother, giving me access to her profile, which was open to the public rather than restricted to connections. Within minutes of that, I found posts wishing her a happy birthday from not one but two brothers. Maiden name: check.
So, in under four minutes, I was able to answer all of the security questions. But that's not where this ends. Countless times through our enterprise security consulting services, I have come across a myriad of so-called security questions that can all be answered from public online information. Everything from the name of an employer from 10 years ago (LinkedIn) to four-digit security codes: a quick look at sites such as Facebook, Instagram, and Twitter gave me children's birthdates, wedding anniversaries, and so on, all of which are commonly used as PINs. A few simple tries and I again knock those off one by one.
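To make the "few simple tries" concrete, here is an added example (my code, not the author's) that takes a handful of dates of the kind birthday and anniversary posts reveal, derives the PINs people commonly build from them, and counts how many guesses the real PIN survives. It also shows the defender-side check a service could run, since a bank at least knows the customer's own date of birth. The profile, the PIN patterns and their ordering are constructed assumptions for illustration, not real OSINT.

```python
"""Added example: how small the PIN guess space becomes once an attacker knows a
few dates from public posts, plus a check a service could use to reject such PINs.
All facts below are constructed, not real OSINT."""
from datetime import date

# Constructed facts for a hypothetical target, the sort of thing birthday
# wishes and anniversary posts reveal.
PUBLIC_FACTS = {
    "own_birthday": date(1984, 7, 14),
    "child_birthday": date(2015, 3, 2),
    "wedding_anniversary": date(2010, 9, 25),
}


def _date_forms(d):
    """4-digit PINs people derive from one date, most common first (assumed order)."""
    mm = f"{d.month:02d}"
    dd = f"{d.day:02d}"
    yy = f"{d.year % 100:02d}"
    return [mm + dd, dd + mm, str(d.year), yy + mm, mm + yy, dd + yy, yy + dd]


def pin_candidates(facts):
    """Ordered, de-duplicated list of PINs derivable from the known dates."""
    ordered = []
    for d in facts.values():
        for pin in _date_forms(d):
            if pin not in ordered:
                ordered.append(pin)
    return ordered


def guesses_needed(candidates, actual_pin):
    """1-based number of tries before the real PIN falls, or None if uncovered."""
    return candidates.index(actual_pin) + 1 if actual_pin in candidates else None


def is_date_derived(pin, facts):
    """Defender-side check: refuse a PIN that can be derived from dates on file."""
    return pin in pin_candidates(facts)


if __name__ == "__main__":
    cands = pin_candidates(PUBLIC_FACTS)
    print(f"{len(cands)} candidates to try instead of 10000 possible PINs")
    for pin in ("0302", "1984", "7391"):
        print(pin, "cracked on try", guesses_needed(cands, pin))
```

Three dates shrink the 10,000-PIN space to 21 candidates, and a PIN such as the child's birthday in MMDD form falls on the eighth try; a PIN a card issuer lets the customer choose should be run through a check like `is_date_derived` against the dates it already holds.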
Lastly, always remember that this type of information is also traded on the dark web, where stolen data from many different breaches is combined into a single profile of your private data. In those cases, criminals do not even need to research you individually: they run automated credential-stuffing and password-guessing tools against you and thousands of others at the same time.
As mentioned in a previous article, Disney+ wasn't hacked; its users were. The user information was stolen from other sites and, because the same email addresses and passwords had been reused across multiple online services, the Disney+ accounts were easy to take over.
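The Disney+ pattern described above, as an added example that is not part of the original article: a leaked combo list from some other site is replayed against a constructed account store, once where users reused their passwords and once where every password is unique, together with the simplest log signal a service can alert on (one source trying many different accounts). Every email, password, IP address and log entry is constructed, and the PBKDF2 round count is deliberately low for a quick demo.

```python
"""Added example: a credential-stuffing replay against a constructed account
store, showing that password reuse is what makes it work, plus the shape of
the attempt log that a service can alert on. No real data is used."""
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ROUNDS = 10_000  # kept low for a quick demo; production uses far more


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account_db(credentials):
    """Store (email, password) pairs as salted PBKDF2 hashes, as a service should."""
    db = {}
    for email, password in credentials:
        salt = os.urandom(16)
        db[email] = (salt, _hash_password(password, salt))
    return db


def login(db, email, password):
    """Constant-time verification of a password against the stored hash."""
    record = db.get(email)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(digest, _hash_password(password, salt))


def stuff(db, breach_dump):
    """Replay pairs leaked from another site; return the accounts that opened."""
    return [email for email, password in breach_dump if login(db, email, password)]


def suspicious_sources(attempts, min_distinct_accounts=3):
    """Source IPs that tried logins for many different accounts: the shape of
    stuffing, unlike one user retrying their own password."""
    accounts_per_ip = defaultdict(set)
    for src_ip, email in attempts:
        accounts_per_ip[src_ip].add(email)
    return sorted(ip for ip, s in accounts_per_ip.items() if len(s) >= min_distinct_accounts)


# Constructed combo list, as sold after a breach of some other site.
BREACH_DUMP = [
    ("ana@example.com", "Summer2019!"),
    ("ben@example.com", "hunter2"),
    ("cat@example.com", "P@ssw0rd"),
    ("dan@example.com", "letmein123"),
]

# Constructed target service: Ana and Cat reused their passwords, Ben and Dan did not.
REUSING_USERS = [
    ("ana@example.com", "Summer2019!"),
    ("ben@example.com", "x9$kLm!2pQ"),
    ("cat@example.com", "P@ssw0rd"),
    ("dan@example.com", "zR4&vT8#wN"),
]

# The same users with a unique, manager-generated password per service.
UNIQUE_USERS = [
    ("ana@example.com", "Gt7!pL2@qW"),
    ("ben@example.com", "x9$kLm!2pQ"),
    ("cat@example.com", "mN5^bV3*cX"),
    ("dan@example.com", "zR4&vT8#wN"),
]

# Constructed login log: one IP replaying the whole dump, one user retrying.
ATTEMPT_LOG = [("203.0.113.7", e) for e, _ in BREACH_DUMP] + [("198.51.100.4", "ben@example.com")] * 3


def compromised_with_reuse():
    return stuff(make_account_db(REUSING_USERS), BREACH_DUMP)


def compromised_without_reuse():
    return stuff(make_account_db(UNIQUE_USERS), BREACH_DUMP)


if __name__ == "__main__":
    print("reused passwords, accounts opened:", compromised_with_reuse())
    print("unique passwords, accounts opened:", compromised_without_reuse())
    print("sources that look like stuffing:", suspicious_sources(ATTEMPT_LOG))
```

The target service did nothing wrong in storing passwords (salted, iterated hashes, constant-time comparison), yet the two reusing accounts still open, because the attacker arrives with the right password; only the unique-password store resists. The log check is deliberately crude, but "one source, many distinct accounts" is the signal that distinguishes stuffing from a forgetful user.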
The lesson here is a simple one: be mindful of your online presence. First, lock down your social media accounts so the general public can't see even the most basic information about you. Second, limit the information that you post on sites such as LinkedIn and Facebook.
Lastly, use different email addresses and passwords for personal and work-related online services, and make sure your password is different for EVERY service. If that sounds cumbersome, use a password manager such as LastPass to manage them all from one place. Treat security questions the same way: where a site lets you choose the answer, use a random string stored in the password manager rather than your real mother's maiden name, since the real one is public. And add multi-factor authentication (MFA) wherever it is offered, so that a leaked or stolen password alone is not enough to get in and you are notified when someone tries.
The reality is that cybercriminals now lurk around every virtual corner. Locking your virtual doors and ensuring the right security system is in place goes a long way toward preventing your data from being used for unintended purposes. We can all do our part to limit what hackers can get at, and best of all, it's just a few clicks away.