The FBI is warning social media users to pay close attention to the information they share online. A number of trending social media topics seem like fun games, but can reveal answers to very common password retrieval security questions. Fraudsters can leverage this personal information to reset account passwords and gain access to once-protected data and accounts.
The high school support photo trend encourages users to share their high school photo to support the class of 2020. Many people are including the names of their schools and mascots, and their graduation years. All three are answers to common password retrieval security questions.
Other examples include posting a picture of your first car; answering questions about your best friend; providing the name of your first pet; identifying your first concert, favorite restaurant, or favorite teacher; and tagging your mother, which may reveal her maiden name.
The FBI encourages you to be vigilant and carefully consider the possible negative impact of sharing too much personal information online. Check your security settings to ensure they are set to the appropriate levels and enable two-factor or multi-factor authentication when available. Multi-factor authentication is a process that requires you to prove who you are in more than one way while accessing an account.
There are three categories of credentials: something you know; something you have; and something you are.
- “Something you know” is your password or a set PIN you use to access an account. The PIN does not typically change.
- “Something you have” is a security token or app that provides a randomly generated number that rotates frequently. The token provider confirms that you—and only you—know that number. “Something you have” can include verification texts, emails, or calls that you must respond to before accessing an account.
- “Something you are” includes fingerprints, facial recognition, or voice recognition. This category of credentialing sounds a bit unnerving—but think about how you unlocked your smart phone this morning. You probably have used your fingerprints or face several times today just to check your email.
Multi-factor authentication is required by some providers, but is optional for others. If given the choice, take advantage of multi-factor authentication whenever possible, but especially when accessing your most sensitive personal data—to include your primary email account, and your financial and health records.