Social Media Safety & Security

I recently had the opportunity to be interviewed by a local television station’s news department about the recent spate of worms going around on Twitter. You can view the piece on YouTube. I wish there had been more time to cover the subject in more detail, but when there are only 2 minutes available in which to condense down and show 20 minutes worth of interview, some things are bound to be left out.

Because we talked about phishing scams in general as well as security on Twitter and Facebook, I thought I’d go over some details which I wish there had been more time to cover in the piece.

There Is Nothing To Fear But Fear Itself
Caution in your web dealings is always good practice and a little paranoia can be a good thing. But, I don’t think there is a need to be fearful of using Twitter and Facebook. These, and other social media web sites, can be very valuable and enriching tools to help you keep in touch with friends and family members and even meet new people you may never have had an opportunity to meet otherwise.

Circles Of Trust
I use different social media sites in different ways and each site has its own trust level. For instance, on Facebook I only “friend” people I know or who are close friends of people I trust. I haven’t necessarily met everyone IRL (in real life), but I have some kind of ongoing relationship with them. My Facebook privacy is set to show my updates to only friends. This way, I can be a bit more free about how much personal information I post there.

On Twitter I will follow just about anyone and allow just about anyone to follow me from my mom to selected celebrities. I closely follow those whom I think will point me towards interesting and enlightening things to read, who will tweet things I find humorous, and whom I find otherwise interesting. I am very careful not to tweet too much personal information because I know Twitter is not nearly as private as Facebook.

I have also been playing with Foursquare lately. Because this service can offer clues as to when I’m home or not and where I am, I do not have each “checkin” ported to Twitter, but I do to Facebook. Again, I have more trust in those whom I friend on Facebook as opposed to the very public Twitter. In my short time on Foursquare I have been very choosy who I will allow to follow my status.

The Latest Twitter Worm
Problems on Twitter and Facebook tend to be more along the lines of phishing scams rather than a virus or malware infestation. In the case which prompted the interview for the TV spot, one would see a message in their Twitter Direct Message list, purportedly from someone they follow. Included in the message is a link which when clicked led to a very convincing, but bogus, login page inviting the visitor to provide their Twitter user name and password.

When the bogus login page was used, the user’s name and password were captured by the web site and used by a program to log into the unsuspecting person’s Twitter account and start sending messages to try to trick others into clicking the link and giving their Twitter user names and passwords to the phishers. It’s amazingly simple, but clever. And it works – even against those who are rather social media savvy.

Protecting Yourself
I mentioned in the interview that you should be cautious about login pages which come from emails, tweets or Facebook wall postings. If you are asked to log in, check the URL in the address bar very closely. For instance, the login for Twitter is at www.twitter.com/login. So, if you see something like http://twitter.anyotherdomain.com you can know immediately this is a phishing site.

To better protect yourself, take the time to go to the login pages for your email, Twitter, Facebook, your bank, etc. Pay attention to the URL in the address bar as well as how the page looks. The URL in the address bar is much more difficult to fake than the look of the login page. Being familiar with the addresses will also help you avoid other phishing attacks which are more sophisticated and more difficult to detect.
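The address-bar check described above can be written down as a rule, shown here as an added example that is not part of the original post: the name that matters is the end of the host, not wherever the familiar brand appears. The trusted list and every sample URL other than the two quoted above are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: domains whose login pages the user has checked by hand.
TRUSTED_DOMAINS = {"twitter.com", "facebook.com"}


def login_host(url):
    """Return the lower-cased host a browser would actually connect to."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url  # bare "www.twitter.com/login" style input
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed address: treat as having no host
        return ""
    return host.rstrip(".").lower()


def is_trusted_login(url, trusted=TRUSTED_DOMAINS):
    """True only if the host is a trusted domain or a subdomain of one."""
    host = login_host(url)
    # Reject non-ASCII hosts: look-alike letters can imitate a trusted name.
    if not host or not host.isascii():
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


# Constructed sample links, apart from the first two, which the post quotes.
SAMPLES = [
    "www.twitter.com/login",                    # the real login page
    "http://twitter.anyotherdomain.com",        # brand used as a subdomain
    "https://twitter.com.login.example/login",  # brand at the front of the host
    "http://twitter.com@login.example/",        # brand placed before an "@"
    "https://nottwitter.com/login",             # brand inside a longer name
]


def classify(urls=SAMPLES):
    """Map each URL to (real host, verdict) so the reason is visible."""
    return {u: (login_host(u), is_trusted_login(u)) for u in urls}


if __name__ == "__main__":
    for url, (host, ok) in classify().items():
        print(f"{'OK     ' if ok else 'SUSPECT'}  host={host:<28} {url}")
```

Only the first sample passes; in each of the others the host printed next to the link ends in a domain that is not on the trusted list.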

Keep in mind, too, your bank is most likely not going to email you if there is a problem with your account and ask you for your user name and password. Neither is Western Union, eBay, PayPal, the FBI, the IRS nor any other government agency. If you get a message from your bank, or anyone else, with a link supposedly leading to a login page, don’t click on the link but instead type the address into your address bar – or (even better) click on the link in your web browser’s favorites list or bookmarks which you created earlier. That way, you can avoid the phishing site and know you are going to a legitimate site.

If you do receive an odd message which looks like it’s from someone you know, don’t be afraid to email the person and ask about it. It could be they actually did send the message. Go with your gut feeling: if it looks strange and out of place it probably is. It doesn’t hurt to ask. If the message didn’t come from them, they might appreciate knowing their account had been compromised.

Be cautious of third party applications developed for services like Twitter and Facebook. There have been instances where people have set up malicious applications disguised to look like a game or a useful tool to help you get more out of the site. Check out third party applications before you provide your user names and passwords to them.

User Names And Passwords
I did a piece last year about passwords which you can check out here: “Four Steps To Better Passwords.” In it, I advise people not to use the same password on every web site. This is especially important if you use the same user name on every site. Think about it in light of this situation: if you used the same user name and password for Twitter as your other services it would be very easy for someone to completely take over your online life. Think about having your email, social media, PayPal and/or eBay accounts taken over by someone else. It’s worth repeating: Use a different password on each web site which requires a password. You can use the pattern method I describe in the post linked to above or come up with your own system.

I even go so far as to have a different user name for my online banking account. I love the convenience of online banking, but I feel that convenience needs to be balanced against some healthy caution when it comes to keeping things secure.

Social Media Tip for Those With Teens
A friend of mine who has a teenage daughter vets those her daughter friends on Facebook very carefully. Before her daughter is allowed to friend someone on Facebook, she is required to explain how she knows the person and confirm the person is really who they say they are. I believe with teens this is a very prudent way to help prevent perverts from taking advantage of kids.

What Do You Think?
Do you have any hints to share about security on social media sites? Please tell us about it in the comments.

Image courtesy of KWTX


One Response to Social Media Safety & Security

  1. [...] I might not have ever learned of without being on Twitter or Facebook. My recent opportunity to speak about social media security was a direct result of my participation on Twitter and relationships I’ve made there. Without [...]
