Social Networking and Password Thievery

Social networking can be a useful communication tool. It can also be an easy way for thieves to guess your passwords. I never really thought about this, but in conversation with an IT guy, it came up that someone had guessed his friend’s username and password for his banking site. The thief proceeded to transfer the money to his own accounts. (No one said thieves are super smart. He did get caught when the bank traced the transfer. But he was at least smart enough to guess the password based on social networking activity.)

How did this happen? First, the person used the same username on his financial sites as he did on most bulletin boards and social networking sites. The thief didn’t necessarily know this, but given that many people do it, it’s not a big leap for a thief to assume that if you are JSmith on one site, you are likely using that name on other sites as well. On some sites, such as Facebook, you use your real name. Also, if you’re posting your email address, it’s not a leap to assume that this is the address you use on sites that use your email address as your username. Second, while on a message board site, the victim detailed an argument he was having with his bank, and he named the bank. So the thief already had two pieces of information: the person’s likely username and the name of the bank. But he still didn’t have access to the account.

To get access, he had to know the password. In this case, he referenced several social networking posts made by this user that listed information like his dog’s name, his mother’s name, his hometown, and the city where he was married. If you’ve ever set up a financial account, you know that these pieces of information are often used as password recovery questions. If you forget your password, the site or bank will ask one or two of these questions and then give you access to the account. This is what the thief did, and he had enough information to get the right answers and gain access to the account. While all of this took the thief some time, it wasn’t difficult.

The moral of this story is to be very careful what you post online and to make certain that whatever you post does not act as the key to any of your other accounts. Anything you post can be used against you. Here are some tips.

Don’t post information that is commonly used for password recovery: Don’t post your mother’s maiden name, the name of your first pet, your hometown, where you went to high school, or any other information that you use for password recovery on social networking or bulletin board sites.

If you are posting this information, make sure your password recovery answers are far more obscure: If you feel compelled to post your high school name, make sure it’s not one of your password recovery answers. Pick something you’re not likely to post online.

Never name your financial institutions: Never name the banks or credit card companies you do business with. Don’t say you have an American Express card, or a bank account at Wells Fargo. Thieves then know where to go if they want to commit fraud.

Don’t use the same username on every site you visit: This not only keeps a thief from guessing your likely username at your bank, it also keeps them from being able to piece together any sort of “picture” about you based on all of your postings across the web.

Use varied passwords: Don’t use the same password for every site you visit. It’s convenient for you, but it’s just too easy for a thief to gain access to every single site you visit. If they manage to guess one password, they’ve got everything. Also, make your password something that you’re not likely to post online. Many people use their street name, dog’s name, or other easily accessible piece of information as a password. It’s not a leap for a thief to get your pet’s name off of Facebook and then try it in the password slot.

Try to avoid using your email address as a username: Some sites default to this, but may allow you to change it. It’s too easy to guess. If you must use your email, create a separate account just for financial business and don’t post it or use it anywhere else on the Internet. Try to create a unique username.
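One way to check yourself against the pattern described above is to compare your password and recovery answers with the words you have already posted publicly. The script below is an added example, not code from the original post; the sample posts and sample secrets are constructed, and the leetspeak substitutions it undoes are a simple assumed list rather than anything a real attacker is known to use.

```python
"""Added example (not part of the original post): flag passwords and
recovery answers that can be derived from facts posted publicly.
Every post and secret below is constructed for illustration."""
import re

# Constructed sample of the kind of posts the story describes.
PUBLIC_POSTS = [
    "My dog Rufus turned 5 today!",
    "Happy birthday Mom (Linda Carter) - love you",
    "Back in Springfield for the weekend, hometown pride",
    "Got married in Savannah in 2009, best day ever",
]

# Constructed candidate secrets; the last one is not derivable from the posts.
SAMPLE_SECRETS = {
    "password": "Rufu$2014",
    "mother's name": "Carter",
    "city married in": "Savannah",
    "first pet": "BlueHarbourKettle",
}

# Assumed list of common character substitutions to undo before comparing.
LEET = str.maketrans("@4310$5!", "aaelossi")


def normalize(s: str) -> str:
    """Lower-case, undo the substitutions in LEET, keep letters only."""
    return re.sub(r"[^a-z]", "", s.lower().translate(LEET))


def harvest_tokens(posts, min_len=4):
    """Collect words of min_len+ letters from public posts, normalized."""
    tokens = set()
    for post in posts:
        for word in re.findall(r"[A-Za-z]{%d,}" % min_len, post):
            tokens.add(normalize(word))
    return tokens


def exposed_terms(secret, tokens):
    """Harvested tokens that appear inside the normalized secret."""
    norm = normalize(secret)
    return sorted(t for t in tokens if t and t in norm)


def check_secrets(posts, secrets):
    """Map each label to the public words its secret leaks; [] means clean."""
    tokens = harvest_tokens(posts)
    return {label: exposed_terms(val, tokens) for label, val in secrets.items()}


if __name__ == "__main__":
    for label, leaks in check_secrets(PUBLIC_POSTS, SAMPLE_SECRETS).items():
        print(f"{label}: {'OK' if not leaks else 'derivable from ' + str(leaks)}")
```

Run it with your own recent posts pasted into PUBLIC_POSTS; any answer that comes back with a non-empty list is one a thief could lift from your profile the way the story describes.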

You don’t have to stop using social networking or message board sites, just be vigilant about what you post online and make certain to keep your social networking life and your financial life completely separate. Don’t give thieves the information they need to access your accounts.


2 Responses to Social Networking and Password Thievery

  1. pen says:

    good post. I do follow most of this advice.

  2. John Williams says:

    Other suggestions:
    Use varied answers for your security questions. Use your school mascot in place of the school name.
    Use substitute characters in your security questions.
    Some financial institutions will let you have a code sent to your phone for verification. Set this as your default security option.
