Category: Security

Think before you post: understand social media risks

You’re finally on that dream vacation with your family. You take a second for a selfie on the beach and post it to social media. Your app tags your photo with your location and the following:

In paradise for the next two weeks! #vacation

This is pretty common. We’ve all probably seen this in social media feeds or have done it, too.

But before you hit post, consider what you’re potentially sharing with strangers.

  • You’re away from home.
  • How long you’ll be away.
  • If photos you posted earlier in your feed were geotagged with the location of your home, potential thieves could find out where you live.
  • And how did they find you? The hashtag helped (#vacation). When you added it to your post, you made it searchable.

Millions of people are using social media every day. Most assume that when they log into their favorite app, they’re entering a safe, controlled environment. However, social networking presents unique security challenges and risks.

Who Else Is Online?

Social media sites are not well-monitored playgrounds with protectors watching over you to ensure your safety. When you use social media, do you think about who might be using it besides your friends and connections? Following are some of the other users you may encounter.

  • Identity thieves. Cybercriminals need only a few pieces of information to gain access to your financial resources. Phone numbers, addresses, names, and other personal information can be harvested easily from social networking sites and used for identity theft. Cybercrime attacks have moved to social media, because that’s where cybercriminals get their greatest return on investment.
  • Online predators. Are your friends interested in seeing your class schedule online? Well, sex offenders or other criminals could be as well. Knowing your schedule and your whereabouts can make it very easy for someone to victimize you, whether it’s breaking in while you’re gone or attacking you while you’re out.
  • Employers. Most employers investigate applicants and current employees through social networking sites and/or search engines. What you post online could put you in a negative light to prospective or current employers, especially if your profile picture features you doing something questionable or “less than clever.” Think before you post a compromising picture or inflammatory status. (And stay out of online political and religious discussions!)

How Do I Protect My Information?

Although there are no guaranteed ways to keep your online information secure, following are some tips to help keep your private information private.

  • Don’t post personal or private information online! The easiest way to keep your information private is to NOT post it. Don’t post your full birthdate, address, or phone numbers online. Don’t hesitate to ask friends to remove embarrassing or sensitive information about you from their posts, either. You can NEVER assume the information you post online is private.
  • Use privacy settings. Most social networking sites provide settings that let you restrict public access to your profile, such as allowing only your friends to view it. (Of course, this works only if you allow people you actually know to see your postings — if you have 10,000 “friends,” your privacy won’t be very well protected.)
  • Review privacy settings regularly. It’s important to review your privacy settings for each social networking site; they change over time, and you may find that you’ve unknowingly exposed information you intended to keep private.
  • Be wary of others. Many social networking sites do not have a rigorous process to verify the identity of their users. Always be cautious when dealing with unfamiliar people online. Also, you might receive a friend request from someone masquerading as a friend. Here’s a cool hint — if you use Google Chrome, right-click on the photo in a LinkedIn profile and choose Google image search. If you find that there are multiple accounts using the same image, all but one is probably spurious.
  • Search for yourself. Do you know what information is readily available about you online? Find out what other people can easily access by doing a search. Also, set up an automatic search alert to notify you when your name appears online. (You may want to set alerts for your nicknames, phone numbers, and addresses as well; you may very well be surprised at what you find.)
  • Understand the role of hashtags. Hashtags (#) are a popular way to provide clever commentary or to tag specific pictures. Many people restrict access to their Instagram accounts so that only their friends can see their pictures. However, when someone applies a hashtag to a picture that is otherwise private, anyone who searches for that hashtag can see it.

My Information Won’t Be Available Forever, Will It?

Well, maybe not forever, but it will remain online for a lot longer than you think.

  • Before posting anything online, remember the maxim “what happens on the web, stays on the web.” Information on the Internet is public and available for anyone to see, and security is never perfect. With browser caching and server backups, there is a good chance that what you post will circulate on the web for years to come. So: be safe and think twice about anything you post online.
  • Share only the information you are comfortable sharing. Don’t supply information that’s not required. Remember: You have to play a role in protecting your information and staying safe online. No one will do it for you.

This content is brought to you by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council (HEISC).


Protect your accounts with an extra layer of security

Everyone at Michigan Tech has used two-factor authentication (2FA) for their Michigan Tech accounts. You may know it better by its name—Duo. But did you know that the benefits of using 2FA reach far beyond your accounts at Michigan Tech?

If a website offers two-factor, we recommend you enable it. Read more below about how it helps protect your information.

Control in the Palm of Your Hand

Wouldn’t it be nice if all your accounts could let you know when someone new is trying to get into them? Even better, wouldn’t it be terrific to make a stolen password useless to others? Were you tricked into revealing your password through a phishing scam? Rest easy, your account is safe! That’s essentially the control that 2FA—also known as two-step verification, two-factor, or login approval—gives to you. And, it only takes about two minutes to set up and two seconds to use. That’s a lot of power for very little effort!

Two-factor authentication is one of the easiest and most available approaches to protecting online accounts.

How does it work?

Once you’ve activated two-factor authentication on an account, each time you log in to that account with your password, an authorization check will come to your smartphone or another registered device. Without your approval or current code, a password thief can’t get into your account.

Is it difficult to set up?

2FA is becoming more widely available and easier to use. Typically, you’ll either install a mobile security app on your smartphone and use that to handle the authorization checks for accounts, or you could use the text/phone call method if you can’t install a mobile app. For international travelers, the mobile app also generates a code so that a data or cellular service connection isn’t required for this second step. A physical token is another option. It’s a device with a single button that generates a passcode. It’s small enough to put on your keychain and works in place of a smartphone app.
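Why an app-generated code needs no data or cellular connection, shown as an added example (not part of the original post): it assumes the app uses time-based one-time passwords (TOTP, RFC 6238), a common scheme the post itself does not name. The shared secret is the RFC's published test value, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code window (RFC 6238 default)

# Constructed sample: the RFC 4226/6238 test secret, never a real account secret.
# In practice this secret is shared once, at enrollment (e.g. by scanning a QR code).
SAMPLE_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """Derive the code from the secret and the clock alone; no network is involved."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           drift_steps: int = 1, digits: int = 6) -> bool:
    """Server side: accept the current window plus a little clock drift."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + delta * STEP, digits)
        # Constant-time comparison; check every window so timing leaks nothing.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    now = 59  # constructed timestamp from the RFC test vectors
    code = totp(SAMPLE_SECRET, now)                   # what the phone displays
    print(code, verify(SAMPLE_SECRET, code, now))     # accepted in its own window
    print(verify(SAMPLE_SECRET, code, now + 90))      # rejected once it has expired
    print(verify(b"password-only", code, now))        # a stolen password is not the secret
```

Both sides compute the same code independently from the enrolled secret and the current time, which is why the phone can be offline and why a captured code is useless once its window has passed.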

Can I adjust the frequency of the checks?

In many cases, yes, although some accounts may require the verification for specific transactions or functions. You may want to have the extra verification every time you log in (e.g., Michigan Tech BANWEB), or you might be comfortable requesting the verification only when an access attempt comes from a computer/device other than the one you originally permitted when you set up 2FA—such as a personal email account you typically only check from one laptop and one smartphone.

Which accounts should I protect with 2FA?

Why wouldn’t you protect all of them where it’s available? But, start with those that are most critical to your identity and livelihood. Here are some suggestions:

  • Email accounts: “Forgot password” reset requests typically send instructions and links here, so protect this account to make sure you keep control of resetting your account passwords!
  • Financial accounts: Protect your money!
  • Social media accounts and website management accounts: Protect your brand!
  • Online shopping accounts: Protect usage of your stored credit card information!

This post is part of a larger campaign designed to support security professionals and IT communicators as they develop or enhance their security awareness plans. The campaign is brought to you by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council (HEISC).


Be an Avenger and protect yourself like a superhero!

Don’t let Thanos wipe out half of your data or steal your identity. Arm yourself for the Endgame with the knowledge hidden in these online security Infinity Stones.