How your identity can be stolen using social media (and how to prevent it)
Published by on April 8, 2017 in Information Security

angler fish mask wearing it
Humor me for a moment as I describe a hypothetical series of events.

You are on Facebook during a break at work. A quiz posted by a friend appears in your timeline: “Which Mad Max character are you?” Bored and slightly intrigued, you click on it. After a few innocuous questions, the quiz pins you as a true Furiosa. Sweet. The friend that originally posted it got Immortan Joe, and you want to rub it in his face. To post it on your timeline, you must authenticate your Facebook account. The permissions are straightforward: the quiz website gets access to your timeline, public profile, and friend list. You grant the permissions, tag your friend in the post, and you get double-digit Likes. Social media success.

The next day, you receive an email from Spotify. Your premium account will expire soon. You click the link that takes you to a Spotify payment page. Most of your billing information has already been filled out from the last time you renewed. You just enter your card security code and expiration date.

A couple weeks later, you receive a friend request. You can’t recall if you’ve actually met this person in real life, but you have over a dozen mutual friends and you don’t want to be rude. She seems to check out. You agree to be Facebook friends as you have over 600 times before.

A month later, you’re packing for a weekend trip out of town. Your roommate, who will be traveling with you, posts an enthusiastic update about your upcoming trip on Facebook. During the trip, you post a selfie on Instagram of you and your friends in front of a beautiful vista.

A couple days later, you get an exciting message on LinkedIn. The founder of a cool new startup from a nearby city has approached you to see if you’re available for some freelance work. Over the next week, you correspond with her through email and LinkedIn messages discussing the work and payment. You fill out and sign a tax form, bank deposit authorization form, and contract.

A couple more weeks pass. You receive an invitation to try out a new website that lists cool, under-the-radar events like concerts and gallery openings in your city. The invitation came from that friend you added awhile ago. She’s apparently doing PR for the new site. You decide to check it out. It requires a Facebook login so the website can verify your location.

And then…

At a cafe, your credit card has been rejected, so you have to pay cash. You call the bank when you get home, and it turns out your last statement contains about a dozen charges you didn’t make, totaling almost $2,000. Not only that, you start receiving bills from accounts you never opened, and your bank account is showing withdrawals you don’t remember making. You notice an increase in spam in your email inbox. The worst part comes when a friend of yours call and asks about the money. He apparently lent you several hundred dollars through PayPal so you could pay rent. The email he sent you has your name in it, but it’s not your email.

You’re now a victim of identity theft.

Quiz time

So where did you go wrong?

Identity theft can be an extremely difficult crime to trace. Any of the actions above, if done carelessly, could have been the spark that caught a thief’s eye. The Mad Max quiz could have been a front to gather personal information on you and your friends on Facebook. The maybe-stranger you added as a friend might have procured that information and befriended everyone that took it. If a lot of your friends took the same quiz, that would explain the high number of mutual friends. He then sent you an invitation to a phony website. You probably use the same password for Facebook as some of your other accounts. Did you type in your Facebook password on that site?

Or was it that email from Spotify? Was that link real? Spotify posts updates about what I’m listening to on Facebook. A thief could determine when I first subscribed and when I would have to renew. You’ve since deleted the email. Were those actually the last four digits on your credit card?

What about that startup? The founder sends an email informing you that the job has been delayed indefinitely because the company is running out of funding, but he would let you know when it continues. You already gave him a lot of private information, including details about your bank accounts. The startup has a website, but is it even legitimate?

Your roommate posted about your trip on Facebook. People knew you weren’t home that weekend. A thief could have broke in and found your personal documents–social security card, old tax forms, lease contract, etc. Your roommate’s post could have been geo-tagged, which is how they knew where you lived. Nothing was missing when you came back, but was anything out of place? Geez, that was over a month ago.

ID theft prevention

Social media is a haven for a specific type of hacker, a relatively new breed in the online realm called a social hacker. Wikipedia defines social hacking as the “act of attempting to manipulate outcomes of social behavior through orchestrated actions.” It’s a component of a larger area in psychology dubbed social engineering.

Social hackers prey on the consent of the careless. They bait victims into making mistakes, gaining access by impersonating an authority (Spotify payments, potential employer) and/or someone who is known to the victims (Facebook friend). It takes a significant amount of research to give victims a feeling of familiarity, so much so that they often can’t identify a particular action that led to identity theft, even in retrospect.

Vigilance is the key to preventing identity theft through social hacking. Here are some precautions you can take to make sure it doesn’t happen to you.

  • Ask mutual friends if they actually know a person before adding them on Facebook.
  • Don’t log in with Facebook or other social media accounts on external websites unless you trust the source.
  • Don’t click on links in emails; navigate to websites through bookmarks or Google search.
  • Always check that HTTPS certificates are trusted and belong to the appropriate entity.
  • Don’t post status updates to Facebook detailing your whereabouts or upcoming trips.
  • Verify the legitimacy of any jobs you apply to if you don’t recognize the employer.
  • Don’t type your social media passwords in anywhere other than the official sites.
  • Don’t post geo-tagged photos or status updates until you’ve returned from trips.
  • Use strong passwords and don’t use the same one twice. If you are still unsure if your password is good enough use a password strength checker.
  • Change your birth date by a year or two to throw off ID thieves.
  • Always uncheck as many app permissions as possible when using social media authorization.
  • Type in fake answers to password verification questions like “What’s your mother’s maiden name?”
  • Remove old unused apps from your social media accounts.

Social media companies benefit from collecting and selling as much personal data about you as possible, so you can’t depend on them for protection. Most of this data is used for targeted advertising, but in the wrong hands that data builds a foundation for identity theft.

The number of identity theft cases is on the rise. In the US alone, the Bureau of Justice Statistics estimated 7 percent of US citizens were victims of identity theft in 2012, the most recent year such a report was published. That’s more than 16 million cases, most of which involved the use of existing bank accounts or credit cards to make fraudulent purchases, withdrawals, or transfers. If you still worried you could sign-up for one of the growing number of identity theft protection services.

See also: What to do if your identity is stolen.

Angler Fish Mask: wearing it” by Helder da Rocha licensed under CC BY-SA 2.0

Leave a Reply

Your email address will not be published. Required fields are marked *