How to enhance the security of your social media accounts

TL;DR 

• Strong passwords: Use a password manager.
• Multi-factor authentication (MFA): MFA requires multiple forms of identification, adding an extra layer of security. This makes it harder for unauthorised users to gain access even if they have your password.
• Phishing awareness: Stay alert to phishing attempts by scrutinising emails and messages that request personal information or direct you to suspicious websites.
• Secure networks: Avoid using untrusted public Wi-Fi to access social media accounts, instead, use mobile data. If you have to use a trusted VPN then use that, but be aware a VPN doesn’t make your connection secure it just moves the threat to the VPN provider.
• Managing active sessions: Regularly monitor and manage where you’re logged in and set up alerts for new logins from unrecognised devices to prevent unauthorised access.

Introduction 

Securing social media accounts requires a comprehensive approach that includes using strong passwords, leveraging built-in security settings, being alert to phishing attempts, managing digital footprints wisely, and using secure networks. This guide outlines the steps you should take to help protect your social media profiles against common threats.  

How to properly implement strong passwords 

There are lots of guides online about how to set good passwords, however, fundamentally the best advise is to use a password manager, such as Bitwarden, 1Password, KeePass among others. These systems store your passwords in a single encrypted vault. Don’t use browser-based password mangers though because there are significant differences between browser-based password managers and dedicated solutions like 1Password.

While browser password managers provide convenience and basic functionality, they lack the advanced features, cross-platform compatibility, and robust security measures that dedicated password managers offer. For example, 1Password not only securely stores passwords but also helps protect against phishing, and supports secure sharing of sensitive information. 

Another benefit of a password manager is when you register or change your password for a website you can get the password manager to generate a strong, random password that is totally different to any other password you use. This avoids one of the easiest ways attackers get access to your account – you reusing passwords across multiple websites. Once you have a database set up correctly the systems will, in most cases, autofill your passwords when logging in so you don’t need to type them.  

But protecting your password manager is a password… so what do you set your password manager password to? 

The National Cyber Security Centre’s (NCSC) advise to use three random words, we have thoroughly shown how that advice is pants. The best advice right now is actually to use at least four, but make sure you use special characters and numbers to make the password better.

A good password is a long and strong, for your password manager you need to be thinking 20-30 characters at least. That can be tedious to come up with, so consider using a phrase. The whysettle passphrase generator is useful here.

What do you do if you forget it? Cry. So don’t forget it.

Here is some advice you typically won’t hear… write it down until you remember it, store it in a safe at home or with your solicitor. This can also help should something happen to you and family members need to access your password manager. Don’t save it on your phone for obvious reasons.

You absolutely should secure your password manager with Multi-Factor Authentication (MFA).

Multi-Factor authentication (MFA). Why do I need it? 

MFA significantly enhances the security of your password manager and also your social media accounts by adding an additional verification step. This extra layer of security makes it more difficult for unauthorised users to gain access, even if they have obtained your password. Let’s break down how MFA works and why it’s more secure:  

Understanding MFA 

MFA is a process that requires two or more things to authenticate you. These are typically categorised into three types:  

• Something you know: This could be a password, a PIN (Personal Identification Number), or answers to security questions. It’s a form of verification that relies on information only the user should know. 
• Something you have: This includes items that are physically in your possession, such as a smartphone, a security token, or a hardware key (like a YubiKey). The idea is that you need to have this physical item with you to access your account. 
• Something you are: This form involves biometrics, such as fingerprint scans, facial recognition, or even retina scans. These identifiers are unique to each individual and extremely difficult to replicate or steal. 

Why authentication apps are safer than SMS codes  

Authentication Apps like Google Authenticator, Duo Mobile, or Microsoft Authenticator generate time-limited codes that are used as a second factor in MFA. These codes refresh every 30 seconds or so, ensuring that each code is only valid for a brief period. The significant advantages of these apps include:  

• No cellular service needed: These apps don’t rely on SMS texts, so they can generate codes even in areas without cellular reception, as long as the device has power. 
• Resilience to SIM swap attacks: Unlike SMS-based MFA, authentication apps are not vulnerable to SIM swap fraud, where an attacker convinces your mobile carrier to switch your phone number to a new SIM card, effectively capturing any texts sent to your number.

The risks of SMS-based MFA and why it is less secure  

Using SMS for 2FA involves sending a code via text message to your mobile phone, which you then enter on the website or app to gain access. While still better than no MFA, SMS-based verification has vulnerabilities:  

• SIM swap scams: As mentioned, if someone can transfer your phone number to their SIM card, they can intercept your MFA codes.
• Interception: sophisticated attackers can potentially intercept SMS messages using techniques like SS7 signalling protocol weaknesses. 

A widely publicised example of a SIM swap attack is the hacking of Jack Dorsey’s Twitter account in 2019. This attack allowed hackers to post offensive messages by taking control of Dorsey’s phone number through social engineering techniques, highlighting the limitations of SMS-based MFA.  

Implementing MFA on social media accounts  

To set up MFA on most social media platforms, you typically go to your account profile’s settings or security section. You can select “Multi-Factor Authentication” or a similarly named option (commonly this will appear as two-factor authentication… I won’t bore you here as to why that is wrong!). The platform will guide you through the setup process, where you can choose between SMS codes or an authentication app. Some platforms now also support hardware tokens*.  

By understanding and implementing these advanced security measures, you can significantly enhance the safety of your social media interactions and protect your personal information from unauthorised access.  

*Hardware tokens such as FIDO2 and U2F are seen as the gold standard with a complex cryptographic process used to prove that you are authorised to provide your authentication through an additional challenge – such as pushing a button a physical fob or passing some biometric challenge. Not all websites support this and it typically requires carrying a physical fob, which makes it more challenging to use everywhere. 

Using built-in security features

Managing active sessions  

Most platforms provide the option to view and manage active sessions. This means you can see where and on which devices your account is currently logged in. Regularly checking and removing unfamiliar sessions can help prevent unauthorised access. Additionally, setting up alerts for new logins from unrecognised devices provides immediate notifications of potential intrusions. Additionally, cleaning up old online accounts enhances security and helps safeguard your privacy.

Every online account holds personal information, and old accounts can be risky. They might be vulnerable to data breaches, exposing your sensitive data. These accounts also contribute to digital clutter, making it harder to manage your online presence securely. Therefore, removing old accounts enhances security by closing potential hacker entry points, improves privacy by reducing available personal data, and simplifies your online presence. JustDeleteMe streamlines this process by offering direct links to account deletion pages, making it easier to remove outdated accounts. 

Identifying phishing attempts  

Phishing is a common technique used by attackers to gain access to personal accounts. It’s important to be cautious when engaging on social media, email or message because not everyone is who they claim to be. This method involves fake emails or messages through SMS or social media sites that mimic legitimate sources to trick you into providing sensitive information. For example: 

Fake Instagram login alert

• Scenario: You receive an email with the subject line “Urgent: Unauthorized Access Detected!” The email claims to be from Instagram support and states that there was an unusual login attempt from a new device in another country. It urges you to secure your account by clicking on a provided link.
• Red flag: The email address is support@instagrarn-help.com, which is a slight misspelling of the official domain.
• Fake action: The link redirects to a convincing but fake Instagram login page where you’re prompted to enter your username and password

Facebook account verification scam

• Scenario: A pop-up notification appears while you’re browsing the web, claiming it’s from Facebook. It says your account will be disabled unless you verify your identity within 24 hours. There’s a “Verify Now” button.
• Red flag: The pop-up appeared while you were not on Facebook, and the URL in the address bar has nothing to do with Facebook’s official website.
• Fake action: Clicking “Verify Now” leads to a page asking for your Facebook login details along with your date of birth and phone number.

Twitter promotional offer scam

• Scenario: You receive a direct message on Twitter from a follower who isn’t usually very active. The message enthuses about a free iPhone giveaway exclusively for Twitter users. It includes a link to enter the contest.
• Red flag: The message uses overly enthusiastic and urgent language, pushing you to act quickly.
• Fake action: The link opens a page that looks like a Twitter login screen, asking you to log in to continue to the contest entry form.

Always verify the authenticity of messages, especially those that request immediate action or personal information. This can be done over the phone or by confirming the authenticity in person. Look for tell-tale signs of phishing, such as poor grammar, urgent language, or suspicious sender addresses. There are lots of good guides out there to help you become more aware of phishing attempts like the one from  

How your digital footprint can increase phishing risk 

Your digital footprint, which includes all the information you post online such as photos and status updates, can be used by criminals. They might use this information to impersonate you or craft more convincing phishing schemes. 

• Tailored attacks: Cybercriminals can use the information you post online to craft phishing emails or messages that are highly personalized and convincing. For example, if you frequently share details about your workplace or personal life, attackers can use this information to create phishing messages that appear to come from a trusted colleague or friend.
• Profile matching: By analysing your social media profiles, attackers can gather information that helps them mimic the tone and style of messages you would expect from a known contact or a trusted organization. This makes phishing attempts more believable and harder to detect.
• Informed deceptions: Detailed knowledge about your personal interests or recent activities can be used to design phishing attacks that seem more relevant and pressing. For example, if you frequently post about a particular hobby or event, an attacker might craft a phishing email that appears to be related to that interest, increasing the likelihood that you will engage with it.

Ideally it would be best to have as minimal social presences as possible to reduce this risk, however in reality social media is used to share information about yourself or your brand to friends, family, or a wider audience, but it is important to minimize the exposure. Here are some steps you can take: 

• Consider carefully what you post online and who can see it. Make sure your privacy settings are adjusted so that only your intended audience has access.
• Evaluate what information is necessary for your followers to know and what might be excessive and potentially useful to criminals.
• Be aware of what is being said about you online by your friends, colleagues, and other contacts.

The CPNI’s Digital Footprint Campaign, although designed for businesses, offers valuable resources such as posters and booklets that provide insights into managing your online presence effectively. 

Using secure networks

Risks of public Wi-Fi  

Accessing social media accounts over public Wi-Fi networks can expose you to eavesdropping by attackers who can intercept unencrypted data. Though in reality, its not always practical and the likelihood of this happening is limited. However, that’s not to say it is not a risk to consider. This can be partially mitigated by avoiding public Wi-Fi and using your mobile data. 

Benefits of using a VPN  

A Virtual Private Network (VPN) provides a secure connection over the internet by encrypting all data you send and receive. Using a VPN when accessing your social media accounts, especially on public or unsecured networks, adds an additional layer of security that protects your data from being intercepted by unauthorised third parties. However, and this is a big however, how well do you trust you VPN provider?

Many of the VPNs that are advertised such as ExpressVPN, NordVPN and SurfShark don’t offer many improvements and using a VPN for security requires you to implicitly trust your provider. This is simply because you move the threat from the dodgy Wi-Fi to the VPN provider – they can just as easily snoop on your data. If you however have a trusted VPN service such as your corporate VPN service, then do use that. If you are technically minded you could set your own up. There are lots of online guides. 

Conclusion  

Securing your social media accounts is more critical than ever. By implementing strong, randomly generated passwords from a secure password manager, employing multi-factor authentication, staying vigilant against phishing attacks, and using secure networks, you significantly reduce the risk of unauthorised access. Regularly updating your passwords and avoiding reuse across platforms further solidifies your defence against cyber threats.