Need to know
- Quizzes and question posts on social media can give away important personal information
- Many of the responses you post double as answers to the "secret question" password recovery systems on your accounts
- Hackers know all of this and can use the info against you
Are you giving away important personal information without realising it? It's alarmingly easy to do, and it can result in hackers gaining access to your accounts, stealing your identity and more.
Cyber-crims looking to put together a detailed profile on you often don't have to look very hard. Social media and online quizzes are hotspots for data gathering using various techniques. Some rely on inadequate privacy settings on your accounts, while others get you to freely offer seemingly innocuous info in the name of fun.
Sensitive personal information doesn't just mean your name, phone number and bank account. Your pet's name, date of birth, where you grew up, your favourite movie and many other details can be used by hackers to access some of your accounts or impersonate you.
This can compromise multiple accounts (including your workplace's sensitive systems) and lead to identity theft, as well as a good old-fashioned clearing out of your bank account, among other things.
The information you unwittingly provide doesn't all have to be in the one place. Hackers can build a profile of you without much effort thanks to the wonders of modern search engines and social media. While this targeted approach doesn't cast nearly as wide a net as automated attacks, it can have a better success rate per target.
Seemingly harmless information becomes dangerous when it gives away your backup authentication. Have you ever set a "secret question" to answer in the event of a forgotten password? These questions are often things like the name of your first pet, where you grew up, where you got married, your mother's maiden name, and more. And this is what many hackers are after.
If your password is weak, such as your pet's name followed by a number, this is also a vulnerability. But this is easily fixed by creating a more secure password or using a password manager.
It's similar for over-the-phone authentication with banks and other sensitive accounts. Your date of birth and address are important factors in proving your identity. And if someone else has that info, they're one step closer to impersonating you.
You might give away information publicly all the time
Professional social media managers the world over know asking people easy questions or giving them simple tasks via public posts is a great way to increase user engagement – the holy grail of online marketing.
Most of the time these posts are from legitimate businesses or shared by people with no ill intent. Even so, they can be used by criminals to gather data from public replies and comments. But there's also nothing to stop hackers creating some themselves, then watching as they're shared across the web.
These questions and tasks range from the straightforward "Who was your first grade teacher?" and "Find your birth month flower" up to the sometimes-called "question game", which might ask a few potentially dangerous questions among a series of harmless ones.
Hashtags can also give you away. A quick search of "#firstcar" on Instagram yields more than 650,000 results, each accompanied by an image (and therefore make and model) of the car in question.
Just because a quiz topic is innocent, doesn't mean all the questions within it are, too.
Finally, there are online quizzes. If the quiz is made by a hacker, it could be on an innocent topic such as "Which Simpsons character are you?" with a handful of dangerous questions scattered throughout in the guise of figuring out if you're Maggie or Marge.
Some innocent but ill-advised quizzes get you to proudly announce your information, such as "Can we guess your exact birthday in 20 questions?" or "Can we guess your pet's name?" In the likely event they're wrong, you might post it to social media with your correction, or publicly comment beneath the quiz's original post with your results.
Safeguard your social media
Set your social media accounts so only people you authorise can view your activity. If your profile is open for public consumption, not only can people use the information against you, they can create a believable cloned version of your account to bait and target your friends.
For some personal details, it's best to set them to private (only you can view them) or remove them. This keeps most of your information secret unless you accidentally add a hacker as a friend or get hacked yourself.
But you still have to take care. With even the most locked-down account, if you comment on a public post then it's there for everyone to see. The same goes if a friend publicly tags you in their own comment or if you comment on a friend's post but their profile is set to public, unbeknownst to you.
You can get a quick idea of how open your Facebook account is to the public. On a web browser, open Facebook and click your account name in the top left. On the new page, click on the three dots (…) underneath and to the right of your profile image, then select View as. This shows what unfriended people see when visiting your page.
If any of your posts or personal data is publicly visible, it's time to change that.
In the top right of the screen, click the Down arrow. Select Settings & privacy and then Privacy checkup. For this guide, we're concerned with the first and third options.
Click on Who can see what you share and check the settings next to each piece of information. For things like phone number, email address, birthday, and geographical information, it's a good idea to set these to "Only me" or delete them if possible. The same goes for your education, although your primary and secondary schools are probably the most important to hide, as these are common secret questions.
If you still want to get happy birthday messages from friends, you can include your day and month, but hide the year.
In How people can find you on Facebook, there's a setting labelled Who can send you friend requests? By default, it's "Everyone", which you might want to keep. But this also means fake accounts can send you friend requests.
To limit this, you might change it to Friends of friends. Just keep in mind you can still get requests from fake accounts if they've tricked just one friend of yours into accepting them.
On Instagram, click on your account photo in the bottom-right corner of your home screen, then click the three horizontal bars, then Settings, followed by Privacy.
If you only want people you approve to see your photos, tick Private account. You can also stop people from sharing your posts.
Back in Settings, click Account then Personal information to see what information you've included in your bio.
A username is required, but there's other information such as phone number, gender and date of birth where you might have listed personal info.
It's OK to include broad information in your bio, but try not to be specific without good reason.
On Twitter, click the three dots (…) on the left side of your home screen, then Settings and privacy and Privacy and safety.
You can set it so only people you follow can see your tweets via Audience and tagging (though for most people this negates the purpose of Twitter). In Discoverability and contacts, you can decide how people can find your Twitter profile.
Lastly, go back to the main feed and click on the profile icon (located above the three-dot settings icon), then Edit profile under your header image.
This is where you might have included sensitive info about yourself or your location. Double-check you're happy with what's there and remove your date of birth unless you have a good reason not to.