In response to a recent query about security pitfalls surrounding social media, Jonathan Shuffler and I came up with the following tips and best practices:

  • When setting account security questions, do not use real answers.  A lot of security questions ask publicly available information, e.g., What is your favorite sports team?  An attacker would need only a few minutes to search your profile to discover what sports team you have been rooting for.  Make up an answer you can remember or answer with the opposite of the question.
  • Enable two-factor authentication for all your social media accounts.  Popular social media platforms such as Facebook, Twitter, Instagram, LinkedIn, and many others have rolled out two-factor authentication.  Two-factor authentication is one of the best ways to protect your account from being directly compromised.  This authentication can protect your account even if the attacker has your password.
  • Use a different username and password combination for everything.  This is an old strategy that is often not followed because it is difficult.  Luckily, a password manager can make this less difficult; just be sure you take the proper steps to protect your password data. Never use the same username and password combination in order to minimize the damage when a breach occurs.
  • Always configure your privacy settings.  Best practice is to keep your account private and searchable by only friends when the account is going to be used for personal information, e.g., Facebook.  If the social network is meant to be public, like Twitter, feel free to keep it open to the Internet but keep in mind that every Tweet is available to the world.  Above all things, always think twice before you share information to the world as there are no “take backs” on the Internet.
  • Be careful when adding or accepting people on social media platforms.  It is common for an attacker to copy a picture of one of your friends to use an their own.  If your account is going to be used for semi-private information validate that the request is actually coming from the person that sent it.  If you are friending strangers, keep in mind the muscular man or pretty woman could very well be a program or spammer in disguise.