Viral Facebook posts a treasure trove for identity thieves

Every time you leave a comment about yourself on a public Facebook post, you're unwittingly giving ammunition to data harvesters, hackers and other malicious actors looking to gain a backdoor into your online accounts.

The social network is absolutely littered with seemingly innocuous posts asking users to comment and share — what was the name of your first pet? what was the make and model of your first car? what was the name of the street you grew up on? — and it's not uncommon to see that thousands of people have obliged. But a lot of these personal, quirky details are the same as those used by sites when you need to reset your password or prove your identity.

More than 25 thousand people posted about their first concert under one of these posts. The post about cars, from the same page, drew almost six thousand answers.

Since there are so many Facebook pages that do nothing but pose these sorts of questions and spread the posts as wide as possible, would-be attackers just need to follow along and harvest the data. Even worse, by commenting on such a post you're flagging that you're not opposed to giving this kind of historical information away, and an attacker could click through to your public profile and collect an entire cache of security question answers, along with potentially your full name, date of birth and email address.

"It seems pretty clear that criminals (and a whole host of other, perhaps not totally nefarious groups and individuals) are indeed harvesting such info from Facebook," security researcher Brian Krebs, who recently wrote a blog post on the subject, told Fairfax Media.

"Why wouldn't they? It's free, and people self-select for targeting."

Mr Krebs said it's not necessarily true that the pages themselves are run by people who want to utilise your data for their own purposes, as was the case with the recent Cambridge Analytica scandal. It just so happens that asking people to express something about themselves is one of the best ways to rack up big numbers of comments.

"Probably most of these are started by well-meaning companies and individuals", he says.

"Unfortunately, regardless of the intent, when people respond truthfully it opens them to fraud because their responses remain tied to their own profiles."

‘What was the name of your first pet’ is an incredibly common security question.

At a time when passwords are broken by algorithms or revealed through breaches rather than guessed by humans, and users are encouraged to use password managers to create complex and unique passwords for each account, security questions are a weak link. In most cases it will be easier to find out your target's mother's maiden name than it will be to crack her password, for example, and by giving data like that away on the public internet you're only making the hacker's job easier.

While Mr Krebs is not a fan of security questions as a practice, and suggests people either refuse to use them as a form of authentication or simply lie and use a method to keep track of their phoney answers, he said Facebook isn't necessarily doing anything wrong by allowing posts that ask for personal information, and he doesn't expect the social network to do anything about them.

"A better response is for these posts to be flooded with comments from people stating how bad an idea it is to respond truthfully", he said.

"Be judicious about what information about yourself you volunteer online, because in many cases once you publish the data it is very hard to remove.

"If you hesitate at all when deciding whether to post something, listen to your inner voice counselling caution. Or in other words, when it doubt, leave it out."

Source: Read Full Article