We all know someone willing to share everything on social media, including sensitive personal information they used as answers to security questions when setting up their accounts on various social networks.
This can include the schools they attend or graduated from, pet names, favorite bands or restaurants, and even their mother’s maiden name, exposed by tagging her in photos shared online.
As the FBI’s Charlotte office warned today, malicious actors take advantage of this because exactly these details are the answers to common password-recovery security questions, so they can be used to reset account passwords and take control of the accounts and the data stored within.
“The FBI Charlotte office is warning social media users to pay close attention to the information they share online,” the alert says. “A number of trending social media topics seem like fun games, but can reveal answers to very common password retrieval security questions.
“The FBI encourages you to be vigilant and carefully consider the possible negative impact of sharing too much personal information online.”
Enable MFA whenever available
The U.S. domestic intelligence and security service also advises reviewing your accounts’ security settings, so that attackers are not handed an easy way in when they try to take over your social media persona.
The FBI also recommends always enabling two-factor authentication (2FA) or multi-factor authentication (MFA) wherever it is offered.
“Multi-factor authentication is required by some providers, but is optional for others,” the agency said.
“If given the choice, take advantage of multi-factor authentication whenever possible, but especially when accessing your most sensitive personal data—to include your primary email account, and your financial and health records.”
Google and Microsoft also want you to toggle on MFA
Last year, Microsoft and Google both said that MFA is the most effective way to keep your online accounts from being taken over in account compromise attacks.
“Ultimately, compromise via database extraction and cracking ends up being similar to guessing, phish, or replay – the attacker must try logging in with the compromised password, and at that point, MFA is your safeguard,” Microsoft Group Program Manager for Identity Security and Protection Alex Weinert said. “Your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”
“By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks,” Microsoft Security Senior Product Marketing Manager Melanie Maynes also explained last year. “With MFA, knowing or cracking the password won’t be enough to gain access.”
Google also said, in a report on research into how effective basic account hygiene is at preventing hijacking, that “simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks [..].”
Always use MFA even though it can be bypassed
However, although MFA blocks the vast majority of attacks targeting online accounts, the FBI said in a private industry notification (PIN) issued in September 2019 that it has “observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks.”
The agency shared several examples of how threat actors bypassed MFA between 2016 and 2019, including vulnerabilities in web apps that handle MFA, SIM swapping attacks, and a 2FA-circumvention toolkit made up of the NecroBrowser and Muraena tools.
Nevertheless, as the agency also added, “[m]ulti-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks.”
Defending against attacks that attempt to circumvent MFA requires understanding how these attacks work, and the mitigation measures require admins to: