
Are Your Social Media Accounts Secure?

Oct 18th, 2022 - 05:24 am

I broke into someone’s social media account today...with their permission. Part of my daily routine consists of addressing the concerns of both old and new clients questioning whether their social media accounts are “secure enough”. While I am pretty happy to report that online security is becoming a more mainstream topic (which makes my job a little harder), there are still many vulnerable accounts out there. After reading this short guide to protecting your social media accounts, hopefully yours won’t be one of them.

FUNDAMENTALS AND ASSUMPTIONS

Before we go any further, there are a few fundamental concepts that we should address in order to determine how to best secure our social media accounts:

Threat Model: Simply put, a threat model is a list of the most likely threats to your security objectives. Examples of this can range from nation state threat actors (governments) to a vindictive ex-lover. It is important to create a threat model because it is virtually impossible to protect yourself against all attacks. Threat modeling can help you narrow down the most effective strategies to protect against the most likely attackers. 

Despite the cursory explanation above, threat modeling can be multifaceted and intricate. For the purpose of this article, we will assume that our threat model is the common crypto/NFT scammer with limited resources and time to target a specific individual. 

Low-Hanging Fruit: A scammer looks at the world knowing that there are plenty of fish in the sea. But phishing takes time (*rimshot*). Unless the target is worth the extra effort, most scammers will go after the “low-hanging fruit” to increase the chances of success per attack. Examples of low-hanging fruit: those who reuse the same password across multiple accounts and/or use a password that’s easily cracked, those who have a lot of their personal information easily found online, people new to crypto/NFT’s who haven’t taken the Boring Security 101 course, etc. Terabytes of publicly available breach data and simple Python scripts can make the process of attacking low-hanging fruit much easier than many imagine. Your first line of defense is making sure that your accounts are NOT the low-hanging fruit.

Attacker Mindset: Good people are easy victims because they don’t think like bad people. The attacker is always looking for a vulnerability; always looking for a way to manipulate or exploit something. In contrast, the defender is typically reacting to the attacker, not staying a step ahead. We want to strive for an offensive security [attacker] mindset that is proactive in securing our accounts. Reading this article is a step in that direction.

Security vs Convenience: Security and convenience pull in opposite directions. Keep this in mind because many prefer making things easier without realizing what they sacrifice from a security perspective. If you are serious about securing your accounts, know that you may have to take a few extra steps and spend a little more time—but the security benefits will be well worth it.

Security vs Privacy: Security and Privacy are often used interchangeably, but I want to emphasize that the steps taken to ensure your accounts are secure do NOT necessarily mean that you are being private. The latter is a conversation for another day; this article will only focus on account security. 

SECURING YOUR ACCOUNTS

In a perfect world, any social media account you’ve created would have been secure from the beginning—starting with ensuring the security of the device you used to set it up. I understand that is likely not the case for most readers (myself included). Therefore, let’s look at some of the things typically required when we set up accounts and what actions we can take to make them more secure right now:

Passwords
One of the easiest—and arguably most important—first steps to securing your account is ensuring that you have a secure password. However, with thousands of breached databases and millions of cracked passwords available to view online, we need to rethink what a “secure” password actually means today.

My rule of thumb is that if you can remember your password, it likely isn’t secure enough. This is especially true because if you can remember your password, it’s likely being recycled on other accounts. And if one of those accounts gets breached, that password will be used to attack others connected to you. You can easily check if one of your current passwords has been exposed by visiting https://haveibeenpwned.com/passwords.

I recommend having a password with 40-80 random characters (depending on the platform’s character limits). While this might sound like overkill, it will certainly ensure that you aren’t low-hanging fruit in terms of password cracking. Best of all, it’s pretty easy to implement. 

To do this, I generally recommend KeePassXC—a free offline and open-source password manager. Not only can you use it to create a local encrypted database for your accounts and passwords, but it allows you to generate passwords that are virtually impossible to guess or crack. The image below shows an example of the password generation interface:

[Image: KeePassXC password generator interface]

By having a unique password similar to the above on your accounts, you are already leagues ahead of other accounts in terms of security. 
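As an added example (not code from the original post), the following Python shows the two pieces of the advice above: generating a long random password from the OS CSPRNG, and checking a password against breach data the way the Have I Been Pwned “Pwned Passwords” check works, where only the first five hex characters of the password’s SHA-1 hash are sent and the match is made locally, so the password itself never leaves your machine. The range response embedded below is constructed for offline use (the counts are made up); `check_live` queries the real `api.pwnedpasswords.com` endpoint.

```python
import hashlib
import math
import secrets
import string
import urllib.request

# Real Pwned Passwords range endpoint; only check_live() talks to it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response (SUFFIX:COUNT per line) for prefix
# 5BAA6, the prefix of SHA-1("password"). The counts are made up.
SAMPLE_RANGE_5BAA6 = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""

def split_hash(password: str) -> tuple[str, str]:
    """Uppercase SHA-1 hex, split into the 5-char prefix that is sent to the
    API and the 35-char suffix that is compared only locally (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def pwned_count(password: str, range_body: str) -> int:
    """Times the password appears in breach data, given the range response
    for its prefix; 0 means it was not in that response."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def check_live(password: str) -> int:
    """Network lookup: only the 5-char prefix leaves the machine."""
    prefix, _ = split_hash(password)
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return pwned_count(password, resp.read().decode("utf-8"))

def generate_password(length: int = 64) -> str:
    """Random password over letters, digits and punctuation (94 symbols),
    drawn from the OS CSPRNG as a password manager would."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = 94) -> float:
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)
```

A 64-character password from this alphabet carries roughly 420 bits of entropy, which is why brute-force cracking is not a realistic threat for it.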

Two-Factor Authentication
Even though a strong password similar to the one above is usually enough to prevent a breach, I always recommend having multi-factor authentication (commonly two-factor authentication, or 2FA) enabled on your social media accounts when possible. Simply put, 2FA is a second layer of account protection that helps ensure the authenticity of the user attempting to enter the account. However, it’s important to note that not all 2FA methods are created equal! While many accounts allow for 2FA in the form of an SMS text message, and generally any 2FA is better than none at all, this is not ideal for security. Let’s take a look at how we can do better:

What’s the problem with SMS 2FA? SIM swapping. Hackers have been able to trick a victim’s cellular service provider into activating a SIM card that they have possession of. Once that occurs, they are able to intercept text messages intended for the real account owner—including SMS 2FA. While there are ways to mitigate this risk (such as using a Voice over IP, or “VOIP” phone number), it’s best to use either a software or hardware 2FA method if possible.

[Image: SIM swapping diagram]

Software 2FA: These are programs such as Authy or Google Authenticator that will continually generate a 2FA code on your mobile device. The benefits of using software 2FA over SMS are that the code is generated on the app and is not susceptible to SIM swapping attacks, it is usually faster and more convenient, and it works internationally without concern for roaming or areas with limited mobile coverage.

Hardware 2FA: Similar to how a hardware wallet is highly recommended for storing and trading crypto/NFT’s, a 2FA hardware token such as YubiKey or OnlyKey is recommended over software 2FA. These are small, physical devices that plug into your computer or phone and authenticate you when you touch them. Examples of a YubiKey are shown below:

[Image: YubiKey examples]

YubiKey is compatible with Twitter, Gmail, O365, Coinbase, FTX, Kraken, Binance, etc.

The benefit here is that nobody will be able to access your account without physically holding the hardware token. Unfortunately, this option is not available on all social media platforms yet. Best practices are to use a hardware 2FA when possible, otherwise use the more widely-available option of software 2FA.

IDENTIFIERS
Implementing the aforementioned recommendations already ensures you are not low-hanging fruit, and dramatically reduces your exposure to the majority of threat actors. But some scammers don’t just stop with low-hanging fruit...

The more authentic information about you that exists online, the easier it is for a scammer to exploit that and gain access to your account. The majority of scams in the crypto/NFT space are done through social engineering techniques—essentially tricking someone into doing something they otherwise wouldn’t do. For example, take the SIM swapping technique mentioned previously: in order to trick a cellular service provider into activating the SIM card the scammer owns, they have to pretend to be the victim—usually after gathering enough publicly available information from breach data and other open sources. 

Since we want to be proactive in our defense, let’s take a look at the fields social media platforms typically require that we can look at securing:

Phone Number: Nearly all social media services give the option for a phone number, or will require it at some point. As mentioned earlier, the plethora of breach data available means that it is highly likely that your phone number, tied to your real name, can be discovered by scammers and thus exploited. I usually recommend NEVER using your true cell phone number for anything; instead, consider using a unique phone number for social media accounts, preferably a VOIP number. 

Unlike cellular carrier-based phone numbers (issued by AT&T, Verizon, etc.), VOIP numbers work by using the internet to facilitate communications. The security benefit of a VOIP number is that it cannot be SIM swapped, and many VOIP programs allow you to create multiple phone numbers so you can compartmentalize ties to your true identity (the VOIP account itself still needs the strong password and 2FA described above). Consider using a VOIP number when possible.

Email: When it comes to securing your social media accounts, your email address is arguably the most important identifier and the biggest vulnerability. We use our emails for virtually everything, in many cases superseding the importance of a phone number. A quick search of your email address can show links to nearly every online account you’ve created with that email, allowing a hacker to gather a lot of information about you before attacking.

Similar to the phone number, I generally recommend NOT using your main email address for social media services. If creating a separate email address for social media is too cumbersome, consider email providers or alternative services that allow you to create “alias” addresses. With an alias email, you can give out an email address that is different from your main address, but all messages will come into your main inbox. An example of this is with a service called 33mail and how they describe the process: Let's say a website bbqtrading.com asks for your email address. Just make up an alias like bbqtrading@you.33mail.com. Any emails they send to it will be forwarded immediately [to your main email address, without having to give that address out]. 

The added benefit to using an alias email address is that in the—likely—event that the social media service you use experiences a data breach, your true email address won’t be listed in the breached data. This is a proactive security approach that is well worth extra steps.

Security Questions: Once upon a time, security questions sounded like a great idea; if you lost access to your account, you could answer a series of questions that only you would know the answers to and regain access again. The problem with security questions now is that with so much of our personal information publicly available, coupled with the things we readily share about ourselves on social media, it is very easy for scammers to find the answers to most security questions. Mother’s maiden name? A quick people search query can yield that in seconds. Pet’s name? A social media post about your pet is probably out there with the name visible in either the caption or comments.

There is a simple solution to this problem: don’t give real answers for your security questions. I usually recommend creating an offline index of security questions with alternative answers. For example, instead of using your actual mother’s maiden name, consider using the name of a character in a book you read. Or perhaps come up with a phrase/sentence that would be unique to each security question. Just be sure to remember them and/or save a backup somewhere to refer back to if needed. Doing this will ensure that nobody will be able to guess your security questions and bypass all of the hard work done securing your accounts.

Tl;dr

In the world of crypto and NFT’s, we rely on social media more now than probably ever before. This makes our accounts dramatically more at risk of being attacked by scammers, which is why it’s critical that we protect them to the best of our abilities. Since most scammers will target the low-hanging fruit, we can prevent the majority of attacks by:

1. Using a password manager to generate a ridiculously long random password for each account, making it virtually impossible to be guessed or cracked.

2. Using Two-Factor Authentication, preferably with a hardware token such as YubiKey. If hardware tokens aren’t an option, software 2FA like Authy or Google Authenticator is preferable over an SMS option.

For other scammers with more time on their hands, they will try to exploit any publicly available information about their target in order to gain access into their accounts or trick a service provider into giving them access to it. We can defend against this threat by:

1. Not using our true phone numbers for any account that requires it. Use a unique VOIP number instead.

2. Not using our true email address for any account that requires it. Use a mail forwarding service like 33mail, or an email service that allows the creation of alias email addresses.

3. Not using true answers for any security questions that an account requires. Instead, create a list of fictional answers for these questions so that nobody else will be able to guess them.

These best practices will ensure that your accounts are protected against the majority of scammers we will see in the crypto/NFT space. In keeping with the “offensive security” mindset I mentioned earlier, I’ll walk you through the attacker mindset of targeting and attempting to breach a social media account in a future article. Until then, review all of your accounts and make the appropriate changes to secure them. Stay safe out there!

Quick Footnote 

The explanations and recommendations mentioned were simplified and do not encompass every aspect of social media account security. This was also not intended to be a technical overview of all known vulnerabilities regarding social media security. Have any questions or want to learn more about web3 security and stay up to date on the most current security information, scams, and tactics? Join us in our Discord at https://discord.gg/boringsecurity