You are your biggest Security risk

You. Yes, you. Not your A/V software. Not your bank, not your job, not your email provider. YOU are the biggest risk to your security. Almost all of us use some form of social media, and almost all of us have put too much information on social media platforms. “But I’m more vigilant than the rest!” you shout. Here are a few things you do wrong:

1. You use the same password for multiple accounts

If someone compromises your Facebook account, will they also have the password to your Twitter, Gmail, VK, Instagram, and other platforms? Probably. Will they have your bank password? Probably. You should always strive to use a different password on every platform. If keeping up with multiple passwords is too difficult, there are applications like KeePass and browser extensions to manage passwords. Though, I wouldn’t recommend browser-based storage methods unless they’re open source and you know how to review code for vulnerabilities.

2. You overshare

Seems harmless, right? How harmful could it be for someone to have or know your telephone number, your address, multiple pictures of you and your kids, your parents’ names and addresses, your family members, your place of employment, where you were 20 minutes ago, what device you most often access social media with, who you communicate with, what circles you’re in, etc.? You’ve put so much information on social media over the years that it would be trivial for someone to become you. Oh, and now the threat also knows you’re out of town on vacation. They’ve sent over some guys to ransack your house. Hope you locked up. (Although it doesn’t really matter. Do you think a locked door will stop someone? After all, glass is much more fragile than wood.)

3. You don’t know anything about Operational Security

Stop using free WiFi hotspots unless you’ve got a VPN to use too. Free WiFi = perfect MITM opportunity. All it takes is one person with a laptop to sit and watch every piece of traffic that passes over an unsecured network. If they can watch, they can intercept. That page that looked just like Facebook but didn’t load correctly when you input your credentials wasn’t bugged. It was a captive portal set up by that girl sitting over at that bench. You figure out which one I’m referring to.

4. You’ve done quizzes and “What will you look like in 50 years?!” photo manipulations

Congratulations. You’ve given whoever created that quiz or applet full access to your Facebook profile and your friends list. Anyone remember Cambridge Analytica? Ask them how they were able to obtain so much info about Facebook’s users with essentially no effort. Ask them how they got it without ever having to ask for it. Another threat with quizzes is that they typically ask questions that could be phrased to gain the answers to your password reset security questions. Where did you grow up? What high school did you go to? Who is your favorite band? If you’ve ever answered those, you’ve likely given away the answers to your security questions. You make the work easy for them.

5. You still haven’t changed any default security settings

Do you want people you don’t know to follow you? Vanity says “YES! PLEASE!”. Security says “NO!”. Look, I get it. The number of followers you have today is as much of a status symbol as the Apple logo on your overpriced MacBook or the Mercedes badge on your G Wagen that sits in your garage at night and weeps for the chance to finally go off-road. But how many of those followers are real people? How many are bots? How many followed you just to gain information about you? You have no idea. Turn on the option to approve new followers. Hide your tweets from people who don’t follow you. Turn on 2FA everywhere you can. Yes, even SMS-based on Twitter. I know it’s not the best route, but it’s better than no route at all. And unless you’re a high-profile target, most attackers aren’t willing to put in the effort and energy required to conduct an SMSishing attack. (On another note, SMSishing is a dumb term. We need a better name for this type of attack. Is it “Smsishing”? Is it “SMS-ishing”?)
