Whether you’re an average Internet user, or an IT pro who checks Twitter before getting out of bed and goes through several SSH sessions before the day is over, chances are you have a lot of social media accounts, and you use them to keep in contact with some pretty important people, such as friends, your family, co-workers, and more. These social media accounts are likely accessed on your own computer, and maybe also your tablet, smartphone, and so on. But how much care do you take to keep these secure?

Sure, it may be “just a Facebook account”, but if that account is the only way you have to talk to family members on the other side of the country, it becomes very important. There are a lot of ways a social media account can be compromised, and not only your own: the accounts belonging to your business or corporate partners are at risk too, and if you were to lose control of them, things can get really messy. Let’s look at some of the things that can go wrong and how you can protect yourself on each of the popular social networks.

Staying safe on Facebook

Facebook is definitely the most popular social network in the world, with around a billion users. It also offers all kinds of features, from your own personal wall to games, messaging, email and more. As such, it’s no surprise that Facebook accounts are something hackers target on a regular basis. In fact, these accounts are compromised so often that on underground Russian hacker forums the going rate for one is around $2. That’s how much your Facebook account, your past life on the social network, and all your connections are worth to a bad guy on the other side of the world. There are many trivial ways for these crooks to compromise a Facebook account, and that’s why you need to take some steps to make sure they won’t get yours.

Some of the ways hackers take over Facebook accounts include phishing emails that try to trick you into logging in through a fake Facebook portal, and malware. There are dozens of viruses constantly spreading across the net that do nothing but look for unpatched computers and then take over the social media accounts you log into from them. This could mean your own account, but for many professionals it’s often more than one.

If you run your own business, or handle the corporate accounts of the place you work at, you may well be logging into more than one account, and if your computer gets compromised, all of those accounts could be in danger. Worse, Facebook makes it fairly tricky to regain access. The way the site works is that if you try to regain access to a compromised account, it will ask you to identify some of your friends. If you have just a few dozen close friends, that may not be too hard. But the truth for many of us is that we often befriend people we don’t know that well, and being shown their current profile picture is not much help in recalling their name. So it’s best to avoid having to go through account recovery altogether.

Thankfully, Facebook offers some features that help keep your account safe. First, the site monitors the geographic location of logins (geo-IP monitoring). This means that if you try to log in from an unusual remote location, say Eastern Europe, the site will detect it and ask additional questions, sometimes even sending you an email. This brings us to a key security feature everyone should know about, for Facebook and every other online account.

In almost every case, the single most vulnerable part of the whole account login process is the email address you use. Everything is tied to that one address: it is what you type in when you log in, and it is what is used if you try to reset your password or recover your account. But for most people, their email address is well known. So the first thing to do is sign up with a second, hidden email address. Use an address that no one knows about to log into these services, or associate it as a hidden email in the Facebook settings, which is easy to do. That way, if someone tries to log in as you, they will first need to know what that secret address is.


Another feature few people know about is two-factor authentication. Facebook calls its version Login Approvals; it works the same way as Google’s Authenticator app or PayPal’s token. You can enable it in the security options, and then use the Facebook mobile app on an Android or iOS device to generate a code every time you log in from a new computer. Together, these two measures greatly reduce the chance that your Facebook account will be compromised.

Twitter risks

Twitter is probably the second most popular social network out there, and as such it should be kept secure. Unlike Facebook, Twitter offers relatively few features, and that includes security features. Also, Twitter is something you likely use on a lot of devices and have granted access to several apps. If any of these apps is malicious, it could start posting as you, deleting past posts, or even compromise your whole account, depending on what level of access it has been granted. While your Twitter presence may not be as important as Facebook, and you don’t have years of photos stored on their servers, building a large Twitter following is costly and time consuming, so you will want to make sure your account is secure.

The first thing you should do is make sure the email address you associate with the account is also a hidden one, just like for Facebook. Then, go to the Twitter settings on the web site and check which apps have access to your account. Twitter, just like Facebook, keeps a list of apps to which you have granted permission. You should never give your Twitter password to another app or device. Instead, make sure apps use Twitter’s OAuth API: the app opens a small window from Twitter that asks whether you want to grant it permission, rather than asking for your password directly. That way, the app appears on this page, and you can revoke its access at any time without changing your password.

One more thing you may want to think about for all social media, but especially Twitter, is whether or not you want to use geotagging. On Twitter, the default option when you tweet a photo from a mobile device is to tell the world where you are. Because tweets are public by default, anyone can scan the site to find people nearby, which could in turn put your personal safety at risk. There are scripts out there that scan Twitter for key phrases like “left home” or “gone to the gym” along with geotagging information. It may seem paranoid, but these things exist, and could be a gem for thieves looking for empty houses.

Google Plus, and your Google account

Google Plus is the least popular social network, but in a way it may also be your most important account, because the same Google account is used for so many services. If you use Gmail, Google Docs, Google Reader, Google Plus, and so on, that is a lot of different services accessible with a single user name and password. Here, assuming you use Gmail as your primary contact address, there’s no way to keep your user name hidden, so everything rests on your password, and it’s key to use a strong one. Your email account is in many ways the most important online account you have, because it serves as the recovery channel for all your other accounts.

Fortunately, Google has several features that can help. The first one is two-factor authentication. Google provides an authenticator app on Android and iOS that you use to generate a code when you log in. Of course, this may be annoying if you use many Google services on many devices, but it’s definitely an added layer of security. Also, Google will periodically ask you to confirm a secondary email address and phone number. It’s important to add those as well, because they can be used if you lose access to your account. Finally, in the security settings of your Google account there’s an option that says Always use HTTPS. This forces Google to always use an encrypted connection when you access Gmail or other Google services, which keeps the information travelling between your system and the site secure.

In the end, it’s not hard to keep your online accounts safe. First, keep your own system up to date, because if it gets infected nothing else will protect you. Then turn on the various security features these sites offer. With that, you can be fairly confident that hackers will have a very hard time getting into any of these accounts.