How Facebook Accounts get Hacked and How You Can Prevent It


There are many ways for malicious parties to gain access to your Facebook account, shattering the illusion of control and privacy we all value so much. Most of them are carried out over the internet, so you may never see or hear your adversary in person. The method used most often, day to day and at scale, is social engineering: manipulating a person rather than breaking a system in order to reach a goal such as access to your Facebook account. It can happen in person (someone offering to "help" with your phone at a coffee shop), over the phone (a caller posing as a technician and coaxing personal information out of you), or through the family of attacks grouped under the blanket term 'phishing'.

Phishing and Spear-Phishing 

Phishing is by far the most common form of attack the average person meets in day-to-day life, and the chances are you have already seen at least one attempt. Phishing can be carried out in many ways, from mass mailings to focused attacks on specific victims, known as spear-phishing. The stereotypical phishing attack is the fake email, along the lines of "Your Facebook account has been signed into by an unknown party. Use this link to sign in and take action." At first glance one might wonder who would fall for this, and a crude example like it tends to catch only the less wary. But attacks can be extremely well disguised and designed, which leaves all of us vulnerable: the link leads to a copy of the Facebook login page on a domain the attacker controls, and whatever you type there goes straight to them. In a spear-phishing attack the content of the email (or phone call, or text message) is tailored to you as an individual, preying on your tendency to trust a message that appears to come from your medical aid or a family member. Phishing aimed at Facebook accounts, however, is usually run at massive scale and seldom targets individual users. The practical check is the same either way: do not log in through a link in a message. Look at the real destination of the link (the host name that follows https://, up to the next /), and if in doubt type facebook.com into the browser yourself and review any security notices there.
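As an added example (not part of the original post and not the Institute's own tooling), here is a small Python check that applies the "look at the real destination" rule to a link before you click it. It catches the four tricks phishing links usually rely on: a plain-http link, a trusted name buried in a longer untrusted host, a trusted name placed before an @ so that it is really a username, and punycode hosts that render as lookalike characters. The trusted domain list and the sample links are assumptions constructed for the example; everything else uses only the standard library.

```python
from urllib.parse import urlparse

# Domains a genuine Facebook login link may use (an assumption for this example;
# adjust the set to whatever site you are checking).
TRUSTED_DOMAINS = {"facebook.com", "fb.com", "messenger.com"}

# Constructed sample links of the kind that arrive in phishing messages.
SAMPLE_LINKS = [
    "https://www.facebook.com/login/",                     # genuine
    "http://www.facebook.com/login/",                      # plain http
    "https://facebook.com.security-check.example/login",   # trusted name as a subdomain
    "https://faceb00k.com/login",                          # lookalike spelling
    "https://facebook.com@evil.example/login",             # userinfo trick
    "https://xn--facebok-7wa.com/login",                   # punycode lookalike
    "https://evil.example/?next=https://facebook.com",     # trusted name only in the query
]


def link_verdict(url: str) -> str:
    """Return 'ok' if the link really goes to a trusted host, else a short reason."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "no host"
    if parsed.scheme != "https":
        return "not https"
    if "@" in parsed.netloc:
        # Everything before the @ is a username; browsers connect to what follows it.
        return "userinfo trick: text before @ is a username, the real host is " + host
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode host: may display as lookalike characters"
    for domain in TRUSTED_DOMAINS:
        # Exact match or a real subdomain; 'facebook.com.evil.example' fails both.
        if host == domain or host.endswith("." + domain):
            return "ok"
    return "untrusted host: " + host


def is_trusted_link(url: str) -> bool:
    return link_verdict(url) == "ok"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:55} -> {link_verdict(link)}")
```

The host comparison is the part people get wrong: checking that a URL "contains facebook.com" accepts the third and fifth samples, whereas requiring the host to equal a trusted domain or end in "." followed by it does not.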


Another way accounts are compromised is with keyloggers: malicious software installed on a victim's computer that records every keystroke, including the usernames and passwords you type into websites. It is a dangerous and easy-to-use attack. Keeping your system patched and running reputable anti-virus software stops most commodity keyloggers, though not all of them, which is one more reason to use two-factor authentication so that a captured password alone is not enough to log in as you.


On the Matter of Passwords

Creating Them

Everyone has heard by now that strong passwords are necessary, and some sites force new users to create one. You should be doing this everywhere. The single biggest factor is length: every extra character multiplies the number of guesses an attacker must make. Mixing lowercase and uppercase letters, digits and symbols such as underscores and currency symbols widens the alphabet the attacker has to search, but a short password with predictable substitutions ("Tr0ub4d&3") is still cracked quickly by dictionary-based tools, while a long passphrase of several unrelated, randomly chosen words is both stronger and easier to remember. Avoid anything built from your name, birthday, pet or a single dictionary word.
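To make the length-versus-complexity point concrete, the following Python snippet, added here and not part of the original post, estimates how many guesses an attacker needs under two models: brute force over the alphabet the password appears to use, and a dictionary attack where the attacker knows the password is built from random common words. The guess rate of ten billion per second (an offline attacker against a fast hash) and the 7776-word list size are assumptions chosen for illustration.

```python
import math
import string

# Character classes an attacker would infer from the style of a password.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}

# Assumptions for the example: offline guessing against a fast hash,
# and passphrases drawn from a 7776-word (6^5, diceware-sized) list.
GUESSES_PER_SECOND = 1e10
WORDLIST_SIZE = 7776


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password actually uses."""
    known = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))
    others = {c for c in password if not any(c in chars for chars in CLASSES.values())}
    return known + len(others)  # unrecognised characters count as a class of their own


def brute_force_bits(password: str) -> float:
    """Upper bound on strength: the attacker tries every string over that alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def wordlist_bits(word_count: int, list_size: int = WORDLIST_SIZE) -> float:
    """Strength of a passphrase when the attacker knows it is random words from the list."""
    return word_count * math.log2(list_size)


def crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the password: half the space at the given guess rate."""
    return (2 ** bits / 2) / rate


def describe(seconds: float) -> str:
    """Human-readable duration."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4d&3", "correct horse battery staple"):
        bits = brute_force_bits(pw)
        print(f"{pw!r:32} {len(pw):2d} chars  ~{bits:5.1f} bits brute force  {describe(crack_seconds(bits))}")
    for words in (4, 5, 6):
        bits = wordlist_bits(words)
        print(f"{words} random words, attacker knows the list  ~{bits:5.1f} bits  {describe(crack_seconds(bits))}")
```

Two things to read off the output. The brute-force figure for "Tr0ub4d&3" (about 59 bits) is an upper bound that a rule-based dictionary attack never has to pay, because the password is one word with predictable substitutions. The passphrase figure is honest only in the second model: four random words give about 52 bits, five give about 65 and beat the "complex" password outright, and each further word adds another 13 bits, which is why word count, not symbol count, is what to increase.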

Secondly, use a different password for every account. When a site is breached, attackers take the leaked usernames and passwords and automatically try them against other services (a technique known as credential stuffing), because so many people recycle the same credentials. By avoiding reuse you remove that critical point of weakness and form something akin to an airlock: if one account is compromised, the others remain safe from being compromised through that connection.

Storing Them

Storing your usernames and passwords in your browser's password manager is asking for trouble. Most browser stores hand out saved credentials to anyone who can use your unlocked device, and to malware running as you, without asking for anything further. Should an attacker gain access to the store they gain every credential in it. If you cannot remember all your passwords (and with a unique password for every account you cannot), use a dedicated, trusted password manager that keeps your credentials in a vault encrypted with a key derived from a master password, locks itself after a short idle period, and is protected by two-factor authentication of its own. The master password should be the longest passphrase you own, since it unlocks everything else.
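The following Python code, added here as an illustration and not taken from any password manager, shows the structure such a vault has: a memory-hard key derivation (scrypt) turns the master password into keys, the entries are encrypted, and an authentication tag detects tampering or a wrong master password before anything is decrypted. The keystream construction (HMAC-SHA256 in counter mode) is chosen only so the example runs with the standard library; a real product would use a vetted authenticated cipher such as AES-GCM. The sample entries are constructed and not real credentials.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Constructed sample vault contents (not real credentials).
SAMPLE_ENTRIES = {
    "facebook.com": {"user": "alice@example.com", "password": "correct-horse-battery-staple-9"},
    "gmail.com": {"user": "alice@example.com", "password": "Another!Unique!Passphrase!7"},
}


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """scrypt is memory-hard, so offline guessing of the master password is slow."""
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]  # encryption key, MAC key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; illustration only, use AES-GCM in practice."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def seal(master_password: str, entries: dict) -> bytes:
    """Encrypt-then-MAC. Layout of the blob: salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> Optional[dict]:
    """Return the entries, or None if the password is wrong or the blob was altered."""
    if len(blob) < 64:
        return None
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # verify before decrypting; do not say which check failed
    plaintext = xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    blob = seal("a long master passphrase nobody else knows", SAMPLE_ENTRIES)
    print(len(blob), "bytes on disk; wrong password ->", open_vault("guess", blob))
    print("right password ->", open_vault("a long master passphrase nobody else knows", blob))
```

The scrypt parameters (n=2^14, r=8) cost roughly 16 MiB and a fraction of a second per attempt, which is the point: an attacker who steals the vault file must pay that cost for every master-password guess, whereas a browser store on an unlocked machine asks for nothing at all.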

2-Factor Authentication

One of the best and easiest ways to increase your accounts' security is two-factor authentication. In essence it means access to an account is granted only once two pieces of evidence are presented: something you know (your password) and something you have (your phone or a security key). The most common form is entering your password and then a one-time code (OTP) that is sent to your phone or email at the time of login, or generated by an authenticator app on your phone. Even if an attacker learns your username and password, they still need access to your phone at the precise moment they attempt to log in as you. And if they do try, the arrival of a code you did not request tells you your password is known, so change it immediately. Two caveats. Codes sent by SMS or email are the weakest form: an attacker who takes over your phone number or your email account receives them too, so prefer an authenticator app or a hardware security key where the service offers one (Facebook supports authenticator apps). And a code is only ever typed into the site you are logging into: anyone who phones, messages or emails you asking for the code is an attacker. It is a simple and easy-to-use feature and is almost always bundled with important services such as your Google account, Microsoft services and banking sites. It generally takes less than a minute to set up yet drastically improves security. Save the backup codes the service gives you somewhere safe, and you should definitely be using this!

Hijacking Cookies

Connecting to public networks such as a coffee shop's Wi-Fi is more dangerous than one might think. On a network shared with many other users, your traffic can be intercepted. One consequence is session hijacking: after you log in, the site gives your browser a session cookie that stands in for your password on every later request, and anyone who captures that cookie can present it from their own machine and the site will treat them as you. You can think of it as pickpocketing a digital key card. The attacker can then masquerade as you for as long as the session lasts, and you will not know unless they do something visible. What protects the cookie in transit is HTTPS: a cookie marked Secure is only ever sent over an encrypted connection, which is why you should never log in on a page whose address does not start with https:// and should heed browser certificate warnings rather than clicking past them. Cookies are also stolen by malware on the device itself and by phishing sites that relay your login, where encryption on the wire does not help. The safest course is simply not to use poorly secured public networks or networks you do not trust. If you must, a VPN encrypts everything between you and the VPN provider so that others on the Wi-Fi see nothing. And if you suspect a session was taken, log out, change your password and review the active sessions listed in Facebook's security settings ("Where you're logged in"), which also lets you end any you do not recognise.
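Whether a cookie can be captured on shared Wi-Fi depends on the attributes the site set on it, which you can see in the browser's developer tools or in the Set-Cookie response header. The following Python script, added here and not from the original post, audits a Set-Cookie header for the three attributes that matter (Secure, HttpOnly and SameSite) and explains what each omission lets an attacker do; the sample headers are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed examples of Set-Cookie headers as a server might send them.
WEAK_HEADER = "sid=3f9a1c; Path=/"
HARDENED_HEADER = "sid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return the cookie name and a dict of its attributes (keys lower-cased)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header: str) -> List[str]:
    """List the ways this cookie could be captured or misused; empty means it is fine."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, so the browser also sends it over plain http, "
                        "where anyone on the same Wi-Fi can read it")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, so script injected into the page can read it")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite is not Lax or Strict, so it rides along on requests "
                        "that other sites trigger")
    return findings


if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(header)
        for finding in audit_set_cookie(header) or ["  no findings"]:
            print("  " + finding.lstrip())
```

The first finding is the one that matters on coffee-shop Wi-Fi: without Secure, a single plain-http request to the site (an old bookmark, a link typed without https) hands the cookie to anyone sniffing the network, even if every other request was encrypted.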


The Role of Email

An email account such as your personal Gmail is a single point of failure, because it is connected to your social media accounts as the verification and recovery channel. Should a hacker gain access to your email via phishing, social engineering or any other method, they can use it to reset your Facebook password to one of their choosing and lock you out while keeping their own access. They will probably also try to lock you out of the email account itself, and by searching through your mail they can see which other accounts are tied to the address and take those over too. It is therefore incredibly important to guard your email account with extreme vigilance. Apply everything discussed here: a strong, unique password that is not stored in the browser, two-factor authentication (with an authenticator app rather than SMS where possible), and recovery options such as a backup phone number that are kept up to date and that only you control.


The CSI team hopes you find this information useful in your endeavors to remain secure in this age of online anarchy. Remember to exercise vigilance when dealing with the internet and all things related to it. In cybersecurity, for every problem, a solution can be found. You just need to look for it. However, perhaps you have found this blog slightly late and your account is already compromised. Stay tuned for our next post for a step-by-step guide on what to do in the event your Facebook account is hacked!

Contact the Cyber Security Institute 


Contact number: 0873520466


Author: Adam van der Waag