Phishing attacks -- like the one that may have been behind the recent Twitter AP hoax -- will persist because they work. Social engineering scams will grow more creative in their efforts to con people into coughing up bank account info, network credentials and other sensitive data. And social sites -- all of which are predicated upon words like sharing and connecting -- will be a prime breeding ground for such activity, even with tighter perimeter defenses such as two-factor authentication. We're still human, after all, and therefore susceptible to making mistakes.
"Social networking sites can roll out great levels of security," said AVG senior security evangelist Tony Anscombe in an interview. "The problem is at the other end of it, you've got users."
Should you delete your social accounts, unplug your router, throw your phone in the ocean and move off the grid? Keeping your information secure doesn't necessarily require drastic action -- but it does require action. Consider these steps to better protect your social media accounts.
1. You Guessed It: Use Strong Passwords.
It's been said countless times, yet people continue to use things like birthdates or "1234" as passwords. Even worse, they often use the same password across every account they own. That's not good enough. "That is primarily the number-one thing you must do," Anscombe said. Passwords don't have to be random or impossible to remember, but they do need to be tough to crack. "Make it difficult for somebody to socially engineer what [the password] is," Anscombe said.
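To make "tough to crack" concrete, here is an added example (not code from the article or from AVG) of the kind of check a defender can run before accepting a password: it flags the exact patterns Anscombe warns about (birthdate-like strings, "1234", digit-only passwords) plus reuse across accounts, and estimates how much guessing work the password actually represents. The common-password list and the 50-bit threshold are constructed assumptions for the example.

```python
import math
import re

# Constructed sample of very common passwords; a real deployment would use a
# large breached-password list instead of this hand-picked set.
COMMON_PASSWORDS = {"1234", "12345", "123456", "password", "qwerty", "letmein", "abc123"}

# Four-digit years 1900-2099 are the usual tell of a birthdate-based password.
YEAR_RE = re.compile(r"(19|20)\d{2}")
# Short ascending runs on the number row or keyboard.
SEQ_RE = re.compile(r"(0123|1234|2345|3456|4567|5678|6789|abcd|bcde|cdef)")


def estimated_bits(password: str) -> float:
    """Rough guessing-work estimate: length * log2(size of the character pool used).

    This over-estimates for dictionary words, which is why the pattern checks
    below are applied in addition to the numeric threshold.
    """
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"\d", password):
        charset += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        charset += 33  # printable ASCII punctuation
    return len(password) * math.log2(charset) if charset else 0.0


def check_password(password: str, used_elsewhere=frozenset(), min_bits: float = 50.0):
    """Return a list of reasons the password is weak; an empty list means it passed.

    used_elsewhere: passwords the user already has on other accounts (assumed
    to be available to the caller, e.g. from a password manager audit).
    """
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if password.isdigit():
        problems.append("digits only")
    if YEAR_RE.search(password):
        problems.append("contains a year (birthdate-like)")
    if SEQ_RE.search(password.lower()):
        problems.append("contains a keyboard/number sequence")
    if estimated_bits(password) < min_bits:
        problems.append("too short for its character mix")
    if password in used_elsewhere:
        problems.append("reused on another account")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a classic bad one, a birthdate, and a long passphrase.
    for candidate in ("1234", "07041985", "correct-Horse7battery!staple"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The point of the two-layer design is that a numeric strength estimate alone would pass an eight-digit birthdate as "eight characters of digits" while missing that it is one of a few tens of thousands of plausible dates; the pattern checks catch what the entropy estimate cannot.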
2. Review Your Apps, Add-Ons and Other Settings.
Anscombe noted that he checked his Twitter account prior to our conversation and was reminded of just how many other applications can gain access to your Twitter account. Yet many people forget to whom else they've granted access, not just on Twitter but on any social site. Take time to review your apps and other add-ons and revoke access from any you don't use or don't remember installing.
"We all download things to try to make it simpler for us, and then we don't use it or use something else," Anscombe said. "What we don't do is ever go back and decline those privileges afterwards."
Among other potential problems: Even when Twitter and other companies roll out two-factor authentication, it doesn't mean the other sites and apps that have access to your data will, too. To review your installed apps in Twitter, just visit Settings and then Apps. The site makes it simple to revoke access from there.
3. Be More Cautious with Mobile.
"Make sure your mobile phone is secure," Anscombe advised, adding that while most PC users these days have some form of anti-malware protection in place, many folks don't take the same precaution on their mobile devices. At minimum, use a free security app. (AVG and many of its competitors offer one for Android and other platforms.)
Don't let a security app fool you into thinking you've eliminated all risks, though. Anscombe noted, for example, that mobile browsers may make users more susceptible to phishing sites and similar scams. One reason is that mobile screen sizes sometimes make it hard -- or impossible -- to detect irregularities in a browser's URL bar. "The Web browser does that so you get maximum screen vision of the content rather than the address bar, but you don't have the same visual protections," Anscombe said. "They're trying to make it easier for us, but in [doing so] it also loses some of its security as well."
4. Sites Update Privacy Settings -- So Should You.
Regularly review your privacy and other account settings on social sites to ensure they meet your current expectations and needs. Sites regularly revise those settings; users need to as well. Otherwise, you might find your information being used in ways that you're uncomfortable with, Anscombe said.
5. Beware "Password Check" Sites.
Scams often ride on the coattails of other scams. A common one after high-profile breaches: Password-check sites. Paul Ducklin of Sophos noted in a recent blog post that while these sites are sometimes legitimate, they're often cons built to capture your credentials in the wake of other hacks. "That sounds like phishing, doesn't it?" Ducklin wrote. "And the reason it sounds like phishing is that it IS phishing!" Treat such sites with extreme skepticism.
If you're responsible for your employer's corporate Twitter handles and other social media, you should consider tighter controls over those accounts. Anscombe noted that even companies with very restrictive policies governing data security, external communications, content management and similar areas often don't treat their social accounts with the same degree of gravity, exposing themselves to unnecessary risks as a result.
Nate Ulery, who leads the IT infrastructure and operations practice at West Monroe Partners, concurred. Two-factor authentication on Twitter and other sites definitely helps, but don't expect hackers and criminals to simply log off and call it quits.
"While two-factor authentication will help minimize social media hacking risks, companies will need to continue to be vigilant in enforcing their security policies," Ulery said via email interview. "For example, Facebook's standard two-factor authentication is only required when a login occurs on a new computer or mobile phone. Since recognized devices can still access the account without the additional security requirement, malicious software installed on a PC or mobile phone could still potentially expose the social media account."