You know better than to share obviously sensitive information like your Social Security number or credit card numbers over social networks like Facebook or Twitter. What might not occur to you, however, is that even trivial, seemingly innocuous information, like what year you graduated from high school or what gym you work out at, can potentially be used by attackers to compromise or steal your identity.
I wrote about the risks of “oversharing” on social networks in this blog post:
Consider for a minute what information you generally supply when setting up an account, getting a loan, or even ordering a pizza online. Vital information like your name, home address, email address, phone number, and maybe your birth date is commonly required. Now, think about how much of that information an attacker might be able to learn about you just from information you’ve made public on social networks. For businesses, if employees don’t understand social network security, it may expose the company to increased risk.
Most people are fairly careful about sharing sensitive information like bank account details or their Social Security number. Even little bits of benign information, however, may put an identity at risk—especially when those pieces of information are grouped together. Random bits of information about someone can be used to guess responses to security questions or bypass robust authentication mechanisms to socially engineer a site or service into resetting a password.
Aside from the information that might directly compromise a user’s identity, many people have also shared plenty of seemingly innocuous information that could be used to impersonate them or steal their identity. Many sites use authentication questions to validate that the person logging in is really who he claims to be, and the answers to those questions are generally the kind of information people willingly share with the general public on social networks.
The name of a pet, marital status, or participation in a Wednesday coed bowling league may not seem like confidential data, but it can all be used by an attacker. Armed with enough random trivia about one of your employees, an attacker may be able to socially engineer their way into your network and compromise sensitive data.
Read the full post on the RSA Security blog: Poor Social Network Security Can Put Your Business at Risk.