Staying Safe on Facebook

BASINGSTOKE ITEC
A simple guide for young adults on ways to stay safe when
using the Facebook social media network
Caroline McColl
revision 2
2012
First and Foremost
The most important things to remember:
Passwords
Guessing, or trying combinations of, a probable password is an easy way into your Facebook account,
so remember to:
Use at least 6 characters (but preferably 8, with a good mix of letters, numbers, and not so common
characters like &, $, £, *, and ! etc)
Avoid simple replacement of letters with numbers (e.g. Bas1ngst0k3); these can be easily guessed.
Instead, think of an easy sentence to remember and use the first letter of each word. For
example, I Like Two Slices Of Toast And Tea With No Sugar becomes il2sotatw0s. To make it even
stronger, choose a rule like ‘every time I type in a number I add a ‘!’ and change the case’ – so now
the password becomes il2!SOTATW0!s – not at all easy to guess but quite easy to remember.
Never use the same password for all your accounts (like your email, Twitter, Amazon); try to use
different but memorable associations. For example, “Email Is Cheaper Than Thirty Two Pence
Postage Stamps” for your email account becomes eict32!PPS, and “I Love Shopping For Size Five
Prada Shoes” for your Amazon shopping account becomes ilsfs5!PS.
Don’t share your password with anyone else – it sounds obvious but lots of people commonly joke
about their password and why they chose the password they did like “llj4e” for “Laura Loves John
Forever”, and once your friend knows your password they will also know it when you argue and fall
out.
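
The sentence rule described above (first letter of each word, number words typed as digits, then a ‘!’ and a change of case after every number), as an added example that is not part of the original guide. The function names and the number-word lists are assumptions; treating “No” as 0 follows the guide's own example.

```javascript
// Added example: the guide's sentence-to-password rule. Word lists are assumptions
// beyond the page's own examples; "no" -> 0 follows the page ("No Sugar" -> 0s).
const UNITS = new Map(Object.entries({ zero: 0, no: 0, one: 1, two: 2, three: 3,
  four: 4, five: 5, six: 6, seven: 7, eight: 8, nine: 9 }));
const TENS = new Map(Object.entries({ twenty: 20, thirty: 30, forty: 40,
  fifty: 50, sixty: 60, seventy: 70, eighty: 80, ninety: 90 }));

// Split a sentence into tokens: either a number (digits) or a word's first letter.
function tokenize(sentence) {
  const words = sentence.toLowerCase().match(/[a-z]+/g) || [];
  const tokens = [];
  for (let i = 0; i < words.length; i++) {
    const word = words[i];
    if (TENS.has(word)) {
      let value = TENS.get(word);
      const unit = UNITS.get(words[i + 1]);
      // "Thirty Two" is typed as the single number 32
      if (unit > 0) { value += unit; i++; }
      tokens.push({ digits: String(value) });
    } else if (UNITS.has(word)) {
      tokens.push({ digits: String(UNITS.get(word)) });
    } else {
      tokens.push({ letter: word[0] });
    }
  }
  return tokens;
}

// strengthen=false gives the plain first-letter form; strengthen=true applies the
// guide's extra rule: after every number add '!' and switch letter case.
function sentenceToPassword(sentence, strengthen = true) {
  let upper = false;
  let out = "";
  for (const t of tokenize(sentence)) {
    if (t.digits !== undefined) {
      out += t.digits;
      if (strengthen) { out += "!"; upper = !upper; }
    } else {
      out += upper ? t.letter.toUpperCase() : t.letter;
    }
  }
  return out;
}

console.log(sentenceToPassword("I Like Two Slices Of Toast And Tea With No Sugar"));
```
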
Befriend only your Real Friends (and Family)
There are many reasons why you should not add strangers as Friends to your Facebook account:
They may not be who they say they are, and are using your friendship association to gather
information about you to steal your identity. Once someone has stolen your identity they can
impersonate you to purchase goods online under your name, and take out loans and credit cards
under your name, possibly racking up thousands of pounds worth of debt.
They may not be who they say they are, and are using your friendship association to simply stalk you
(looking at your pictures, and pictures of your friends).
If your Facebook account is hacked or blocked and you need to regain access, or even when you
access your account from abroad, Facebook uses a clever security process to check your identity:
it asks you to identify your friends from multiple choice images. If you’ve added friends just to
improve your status in games like FarmVille or Mafia Wars, chances are you won’t remember their
names, and then you won’t be able to get access to your account.
Common Sense
Some common sense (but sometimes forgotten) things to always remember are:
The Address Bar
Make sure it is facebook in the web-browser address bar.
Notice anything suspicious about the link below?
It’s missing the ‘e’ from Facebook, but sometimes your brain fills in missing vowels so it doesn’t
always look obviously wrong. Scammers set up fake websites to exploit this and they will replicate
an authentic looking Facebook website just to grab your login details.
If you’ve been redirected to Facebook, or you suspect something looks out of place on the website,
simply retype www.facebook.com into the address bar.
Personal Details
Do not put your phone number, or home address on your profile (this is valuable information that
scammers will use to steal your identity).
Do not write posts about an upcoming holiday (your close friends may not be thieves, but friends of
their friends may be watching)
Reputation
Think twice about putting up those embarrassing photos of Friday night’s shenanigans. It may seem
like a laugh and a joke, but do you really want your Auntie Margaret to see it? Remember that
62% of employers check Facebook and other social networking sites when hiring.
Do not let off steam on Facebook. It may seem like a harmless way to get your point across and your
feelings known, but even though the words may be on a computer screen and not said in person they
are no less hurtful, and again, do you want your future (or current) boss to think of you as a
loudmouth?
Using Facebook Settings to Stay Safe
Friends Lists
Using Friends Lists is probably one of the easiest ways on Facebook to ensure that you only share
certain content with those people that you really want to share it with. It can take some time to
initially set up (especially if you have hundreds of friends already), but once done it’s easy to control
who sees what.
Friends Lists are a way of categorizing groups of people who have become (or will become) your
so-called “friends” on Facebook. Not everyone on Facebook is necessarily a close friend with whom
you’d share your closest secrets, so just as in real life you’d think twice about telling
a friend of a friend’s brother’s cousin about a personal issue, you should do the same on Facebook.
Facebook now has some preconfigured lists:
“Close Friends” for your closest friends, friends who would know your favourite colour, the name of
the first school you went to, and which boys or girls it is that you fancy these days.
“Family” for your family members. Sometimes your Mum or Dad, or Auntie Margaret could be a
very close friend, but you may not want them to see pictures from last night’s party!
“Acquaintances” are for friends of friends who you would happily have a conversation with, but not
necessarily share all your private secrets with. Your best friend’s brother’s girlfriend for instance,
someone you’d talk to over a beer, but you wouldn’t trust them with your car keys.
“Restricted” is for your friends at work who, like your acquaintances, may be great to talk to, but
your work colleagues may include your boss (or if not, they also know your boss), and although last
night’s party pictures may be fine for your acquaintances you wouldn’t necessarily want your boss to
see them (which is why we separate these groups).
To manage your friends’ lists, click the MORE link that appears when you hover near the LISTS
section.
From here you can create new lists, archive the list, or edit the list by clicking the list name.
Once you have clicked into a specific list you can now post things to your wall (update statuses, add
photos, ask questions etc) all in the knowledge that it is only viewable by those in the specified list.
You can add new people to the list by typing their name in the search box under ‘On This List’.
You can also add people by using the Manage List menu item and choosing Add/Remove Friends.
Some lists such as the ‘Family’ list are auto-populated based on whether you have assigned certain
friends as being family members in your profile settings. For instance if you have added Auntie
Margaret as a friend, and also set her as being a family member (Aunt) in your profile settings then
she would automatically be assigned to the ‘Family’ friends list.
To add friends to the family list you can use the Manage List drop-down menu, or the search box
below ‘On This List’ as before, or you can use the ‘Add’ button next to Facebook suggestions
(which are surprisingly accurate!).
When you add friends to the Family list, Facebook lets you know that they are going to confirm the
relationship with the friend in question.
Posting
Controlling who can see what you post is one of the most important things to consider when using a
social network, but most of us choose to simply ignore the standard security/privacy settings - which
usually allow everyone to view everything.
As previously mentioned, the safest way to make status updates or post some content is to know
your audience and choose the appropriate list to send it to.
When I enter into the ‘Family’ list I can post things in here and be confident that it is only friends
from my family that will get the update (see above how Facebook has automatically chosen the
family list icon). This would be great for say inviting all your family to a BBQ (without the rest of
your acquaintances from work turning up with their friends, along with your other friends from
down the street).
However if you are on your home page and not in a specific list section you can still control who can
see the content / status update by using the drop-down list (which usually defaults to Public –
meaning everybody can see the post – even those who are NOT your friends and have found your
profile by a search)
As you can see from the selection above I could choose to post the update to the Public, just my
Friends (which is really what Facebook should default to), or at the bottom are the friends lists (so I
could choose to only send the update to my Close Friends, or Family etc).
Another thing worth noting about Facebook is that you can now add/tag another person along
with the status update. For instance below I’m adding a status saying ‘walking by the seaside’ and I
could add my best friend so that they too would be linked to the status.
More worryingly however is the use of the location tag, which associates the status update with a
given location.
By clicking the pin icon you can associate the update with a location so you can let others know
exactly where you are. Given now though that Facebook defaults to ‘Public’ you have now
broadcast to the world where you are at this precise moment in time (great for stalkers or burglars).
Also consider that when you make a status update via a mobile phone it usually automatically
selects your current location.
Suppose for instance you did not supply your address on your profile information (wise decision) but
made just one public status update from your mobile while you were sitting on your sofa at home.
Somebody could now find out the town in which you live. It is not uncommon for Facebook to also
display the street, and if you are at a club or restaurant which Facebook has details about it will
provide the full address (ideal for a stalker or revengeful ex-partner).
Privacy Settings
As previously discussed, Facebook defaults your account posting to be Public (meaning anybody can
search for your profile, find it and view your wall, photos etc).
The easiest way to prevent this is to set the default privacy level to be ‘Friends’ – meaning only those
whom you have added as friends can see a post (and even then it may be further filtered by lists etc).
To edit your default privacy setting – choose the drop down menu from the top right hand corner
and choose ‘Privacy Settings’. Now under the section ‘Control Your Default Privacy’ choose ‘Friends’
and save your changes.
Now when you go back into your wall to make an update the default posting audience should be set
to ‘Friends’ and not ‘Public’ anymore.
It is also a good idea to check what default settings you have for other areas of your account such as
controlling how you connect with others, and tags from friends.
Again under the privacy settings section - choose ‘Edit Settings’ for ‘How You Connect.’
Note: if you have enabled the Timeline view for your profile it will refer to your profile as ‘Your Timeline’,
otherwise it may be referred to as just ‘Your Profile’, but either way each section is similarly relevant.
It is generally a good idea to only allow ‘Friends of Friends’ to look up your ‘timeline/profile’ by name
or contact information (although this would probably have never worked when Facebook first
started out!). If however, you do choose to let everyone search for your profile, then be sure to
limit the information in your basic profile, and as previously advised do not make any status updates
or photo uploads to the ‘Public’ audience.
The important one from above is ‘Who can post on your Timeline/Profile’ – this should always be
‘Only Me’. It’s YOUR profile, YOUR account, YOUR reputation – you should not let OTHERS post to it.
The other section worthy of attention is tags. The first two options offer a way to review tags that
include you.
The timeline review controls whether any post made by somebody else that includes a tag of your
name should first be reviewed by you before appearing on YOUR profile. It does not mean that
your friend’s post will be hidden from other people; it will still be visible and will still include
YOU. It just means it won’t automatically appear on YOUR timeline/profile.
The tag review is for when somebody adds a tag to somebody else on one of your photos, giving you
the chance to review and possibly reject it.
Both of the above are safe enough to leave as default ‘Off’, unless of course somebody is constantly
tagging you falsely, in which case you can turn the tag reviews to ‘On’.
The Maximum Timeline Visibility controls how far content which you are tagged in can
spread. The safe option here is probably just ‘Friends’, and ‘Friends of Friends’ should also be
fine, but as always you should never make it ‘Public’.
Finally you should always disable (turn off) the Friends Can Check You Into Places feature. As
previously discussed it should be YOU dictating your profile and NOT your friends.
Threats
There are a few ways your Facebook account may get hacked, but by following some basic rules you
can limit these possibilities:
Clickjacking
Clickjacking is a technique used by attackers to trick you into clicking on links or buttons that are
hidden from view. Clickjacking is possible because of a security weakness in web browsers that
allows web pages to be layered and hidden from view. You think you are clicking on a standard
button, like the PLAY button on an enticing video, but you are really clicking on a hidden link. Since
you can’t see the clickjacker’s hidden link, you have no idea what you’re really doing. You could be
downloading malware or making all your Facebook information public without realizing it.
One form of clickjacking is to hide a LIKE button underneath a dummy button. That’s called
Likejacking. A scammer might trick you into saying that you like a product you’ve never heard of in
an underhanded bid to create viral marketing buzz. At first glance, likejacking sounds more annoying
than harmful, but that’s not always true. If you’re scammed into liking Justin Bieber, the world isn’t
likely to end. But you may be helping to spread spam or possibly sending Friends somewhere that
contains malware.
How to stay safe
If a post from one of your Friends seems suspicious, don’t click on it!
A suspicious post could be a sign that your Friend’s Facebook account has been hijacked or that your
Friend has been clickjacked to LIKE or SHARE something without knowing it. If you know your
Friends, you’ll know what those Friends really would LIKE or SHARE. That’s why one of your best
protections against scams is not confirming Friend requests from people you don’t actually know.
Keep your web-browser up to date. By ensuring your web-browser is up to date (which means
installing Windows updates, and updating your web-browser to the latest version whenever one is
available), you will limit the number of vulnerabilities that exist within the web-browser software
that scammers can exploit.
Malicious Script Scam
A malicious script scam is one of the sneakier attacks being used on Facebook users. A common con
using this attack method claims to allow you to see who’s been looking at your profile. This enticing
scam tries to trick you into pasting text into your browser address bar.
The “unique code” shown above is the malicious script. While you’re being patient as instructed, the
script is setting up your profile to spam all of your Friends.
In response to detecting these kinds of attacks, Facebook added checks to help detect scripts being
pasted into the address bar. So if you do paste a script, Facebook will ask you to confirm that you
really want to paste that script—and even tell you why it’s a bad idea. Pay attention to these
warnings.
How to stay safe
Don’t paste a script into your browser address bar unless you know exactly what it does and how.
Also give your Friends a heads up if you start seeing spam from them. Your Friends may be
completely unaware that their Facebook accounts have been hacked.
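
The two address-bar checks this guide describes, the misspelt site name (The Address Bar) and the pasted script (Malicious Script Scam), combined in one added example that is not part of the original guide and is not Facebook's own check. The function names, the two-edit threshold, the choice of the javascript: prefix as the pasted-script form, and the sample inputs are assumptions made for illustration.

```javascript
// Added example. TRUSTED is the site this guide covers; the "last two labels"
// shortcut for the site name is a simplification (no public-suffix list).
const TRUSTED = "facebook.com";

// Levenshtein distance: how many single-character edits separate two strings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const swap = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, swap);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns "script", "genuine", "lookalike", "other" or "invalid".
function checkAddressBarText(text) {
  // Browsers drop tabs/newlines and leading spaces, and scheme names are not
  // case-sensitive, so normalise before testing.
  const cleaned = text.replace(/[\t\r\n]/g, "").trim().toLowerCase();
  if (cleaned.startsWith("javascript:")) return "script";

  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//.test(cleaned);
  let host;
  try {
    host = new URL(hasScheme ? cleaned : "https://" + cleaned).hostname;
  } catch {
    return "invalid";
  }
  if (host === TRUSTED || host.endsWith("." + TRUSTED)) return "genuine";

  // A name within two edits of the trusted one is a likely typo or imitation.
  const site = host.split(".").slice(-2).join(".");
  return editDistance(site, TRUSTED) <= 2 ? "lookalike" : "other";
}

// Constructed sample inputs.
for (const sample of ["www.facebook.com", "http://www.facbook.com/login",
                      " JavaScript:void(0)", "https://www.example.org/"]) {
  console.log(JSON.stringify(sample), "->", checkAddressBarText(sample));
}
```
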