Baukes says this creates an easy target, especially as users forget which sites they’ve approved as capable of releasing information, posting on their behalf, and connecting to other services. A hacker might not be able to break into a Twitter account, but he or she might be more successful with a dashboard that stores your authentication data in a less secure portal.
Another simple attack is so common it has likely already happened to many employees. A hacker takes the employee's picture from a social media site and sends a phishing message that includes it. Because you see your own photo, you naturally click. Joseph Carson, the head of Global Strategic Alliances at Thycotic, a secure account management company, says clicking on the email leads the user to a site where they grant access to their login (usually through a fake "password reset").
What to do
Baukes was quick to point out that most of the top-tier social media services like Facebook and Twitter offer two-factor authentication, so employees should be instructed on how to enable and use those features. In addition, employees need to be extremely careful about handing out their credentials to any third-party sites; doing so creates a security nightmare of shared logins.
Maynor says it is important to understand how hacked social media data is used. In the selfie scan example, advertisers might use extracted data such as location and gender for advertising purposes. Employees need to understand that social media information can reveal a treasure trove of data about a company that can be used by hackers for nefarious purposes.
Nathan Wenzler, the principal security architect at AsTech Consulting, says users should be instructed in how to watch for unusual changes to their social media activity. For example, if you normally use Facebook and the service never logs you out, then it suddenly starts logging you out for no reason, it could be due to a compromise, and users need to report this change.
Neill Feather, the president of website security company SiteLock and a board member at the Online Trust Alliance, reiterated the concern over third-party sites like Tweetdeck or HootSuite. Too often, employees use strong passwords for the main social media site but weak passwords for the dashboards, which is a mistake. Another best practice: Never accept friend requests from people you don't know. He says Facebook estimates that at least 2 percent of user accounts are fake, and Twitter has reported that at least 5 percent of user accounts are fake.
The temptation is to see social media as an open portal for hacking, and there is some legitimacy to that claim. Trolls, hackers, and posers are crawling all over these sites. Yet, they provide real business value and are not going away anytime soon. All of the experts agreed: Training is key. Users should know how easy it is to fall victim to a simple social media hack.