FBI says that sharing personal info online only helps scammers

We all know someone willing to share everything on social media, including sensitive personal information they used as answers to security questions when setting up their accounts on various social networks.

This can include information on schools they’re attending, on schools they graduated from, pet names, favorite music or places to eat, and even their mother’s maiden name after tagging her in photos shared online.

However, as the FBI’s Charlotte office warned today, malicious actors take advantage of this oversharing, since that type of information can be used to answer password-reset security questions, take control of the accounts, and access the data stored within them.

“The FBI Charlotte office is warning social media users to pay close attention to the information they share online,” the alert says. “A number of trending social media topics seem like fun games, but can reveal answers to very common password retrieval security questions. 

“The FBI encourages you to be vigilant and carefully consider the possible negative impact of sharing too much personal information online.”
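To make the warning concrete, here is an added illustration (not code from the FBI alert or from any provider) of why a recovery flow keyed on a security question is only as strong as the privacy of its answer, and what a recovery flow that does not depend on such answers looks like. The harvested "profile facts" and the usernames are constructed sample data; the contrasting design uses a random, single-use recovery code that is stored only as a salted PBKDF2 hash and compared in constant time.

```python
"""Security-question answers vs. random single-use recovery codes.

Added illustration, not code from the FBI alert or any vendor. All sample data
(the harvested profile facts, usernames) is constructed for the demo.
"""
import hashlib
import hmac
import math
import secrets

# Constructed: facts that could be read off a single public profile
# (tagged photos, "fun" quiz posts, school pages). Not real data.
HARVESTED_PROFILE_FACTS = {
    "pet": "Biscuit",
    "school": "Lincoln High",
    "mother_maiden_name": "Reyes",
    "favorite_band": "The Cure",
}


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive form, as most recovery forms compare."""
    return " ".join(answer.strip().lower().split())


def question_answer_exposed(stored_answer: str, harvested: dict) -> bool:
    """True if the stored security-question answer equals a harvested fact.

    This is the defender's check: if it returns True, the recovery question
    offers no protection against someone who has read the public profile.
    """
    target = normalize(stored_answer)
    return any(normalize(value) == target for value in harvested.values())


def guess_space_bits(candidates: int) -> float:
    """Entropy, in bits, of an answer drawn uniformly from `candidates` options.

    A pet name chosen from a few thousand common names is under 12 bits;
    a 16-byte random recovery code is 128 bits.
    """
    return math.log2(candidates)


class RecoveryCodeStore:
    """Account recovery that needs no personal facts at all.

    Codes are random, shown to the user exactly once, stored only as a salted
    PBKDF2 hash, compared in constant time, and burned after one use.
    """

    CODE_BYTES = 16  # 128 bits of entropy per code
    PBKDF2_ROUNDS = 100_000

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, digest)

    @classmethod
    def _digest(cls, salt: bytes, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, cls.PBKDF2_ROUNDS)

    def issue(self, user: str) -> str:
        """Generate a fresh code for `user`; return it for one-time display."""
        code = secrets.token_hex(self.CODE_BYTES)
        salt = secrets.token_bytes(16)
        self._records[user] = (salt, self._digest(salt, code))
        return code

    def redeem(self, user: str, presented: str) -> bool:
        """Accept the code once; any later attempt with the same code fails."""
        record = self._records.get(user)
        if record is None:
            return False
        salt, digest = record
        ok = hmac.compare_digest(digest, self._digest(salt, presented))
        if ok:
            del self._records[user]  # single use: burn the code on success
        return ok


if __name__ == "__main__":
    print("pet-name answer exposed:", question_answer_exposed("biscuit", HARVESTED_PROFILE_FACTS))
    print("bits in 5,000 common pet names:", round(guess_space_bits(5_000), 1))
    print("bits in a recovery code:", RecoveryCodeStore.CODE_BYTES * 8)
    store = RecoveryCodeStore()
    code = store.issue("alice")
    print("redeem harvested fact:", store.redeem("alice", "Biscuit"))
    print("redeem real code:", store.redeem("alice", code))
    print("replay same code:", store.redeem("alice", code))
```

The point of the contrast is that the weak flow leaks its secret through the account holder's own posts, while the recovery-code flow has no secret a scammer can learn from social media; a real deployment would additionally rate-limit `redeem` and expire unused codes.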

Enable MFA whenever available

The U.S. domestic intelligence and security service also advises checking your account’s security settings to make sure that attackers don’t have an upper hand and an easy way in when trying to gain control of your social media persona.

The FBI also recommends always enabling two-factor authentication (2FA) or multi-factor authentication (MFA) wherever it is offered.

“Multi-factor authentication is required by some providers, but is optional for others,” the agency said.

“If given the choice, take advantage of multi-factor authentication whenever possible, but especially when accessing your most sensitive personal data—to include your primary email account, and your financial and health records.”

Google and Microsoft also want you to toggle on MFA

Last year, Microsoft and Google both said that MFA is also the way to go if you don’t want your online accounts hijacked in account compromise attacks.

“Ultimately, compromise via database extraction and cracking ends up being similar to guessing, phish, or replay – the attacker must try logging in with the compromised password, and at that point, MFA is your safeguard,” Microsoft Group Program Manager for Identity Security and Protection Alex Weinert said. “Your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

“By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks,” Microsoft Security Senior Product Marketing Manager Melanie Maynes also explained last year. “With MFA, knowing or cracking the password won’t be enough to gain access.”

Google also said in a report revealing research on how effective basic account hygiene is at preventing hijacking that “simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks [..].”

Always use MFA even though it can be bypassed

However, although MFA can protect you in 99.9% of attacks targeting your online accounts, the FBI said in a private industry notification (PIN) issued in September 2019 that it has “observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks.”

The agency shared several examples of how threat actors were able to bypass MFA between 2016 and 2019, including vulnerabilities in MFA-handling web apps, SIM swapping attacks, and a 2FA-circumvention toolkit made up of the NecroBrowser and Muraena tools.

Nevertheless, as the agency also added, “[m]ulti-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks.”

Defending against attacks that attempt to circumvent MFA requires knowing how these attacks work, and the recommended mitigation measures require admins to:

• Educate users and administrators to identify social engineering trickery—how to recognize fake websites, not click on rogue links in e-mail, or block those links entirely—and teach them how to handle common social engineering tactics.
• Consider using additional or more complex forms of multi-factor authentication for users and administrators such as biometrics or behavioral authentication methods, though this may add inconvenience to these users.
