Social media and instant messaging software have become essential tools for our daily social interaction and communication. Therefore it is important to protect the user accounts of such software. In many cases, users have not changed or strengthened the security settings of an account since first registering it, which poses a significant risk of identity theft. With insufficient security measures, hackers may easily take control of the vulnerable account by using password attacks, which leads to personal information leakage or the account identity being stolen for other social engineering attacks.
User account management is therefore important for protecting personal data and social media accounts from hackers. In the past, using a stronger password (i.e. a longer password that is hard to guess) could help to prevent password attacks. But today a stronger password alone is not sufficient to protect your account from hackers, since the attacks have become more sophisticated and complicated. HKCERT advises users to take the following suggestions to improve security in personal internet service account management and minimise the risk of identity theft.
Threats to Personal Accounts – Phishing Attacks
Nowadays, cybercriminals usually lure users into entering login information through phishing attacks. There are different ways of phishing. For instance, a fraudulent email is sent to the user to redirect him/her to a phishing site and lure the user into filling in the login information. Another trick is to ask the user to log in to his/her social media or instant messaging account in order to unlock partially hidden content.
With phishing attacks becoming more diverse, users should be cautious before entering any personal information. Besides, HKCERT provides the following guidelines for users to improve the management of personal accounts.
Personal Account Security Management
1) Use 2-factor authentication / 2-step verification
2-factor authentication or 2-step verification requires a user to input two sets of codes for user authentication. Generally speaking, it is a combination of a pre-set password and a code generated from a device on hand (e.g. a security token or mobile phone). For example, the platform first requires the user to input the username and the pre-set password. After that, the user is asked to input an additional one-time password (OTP) from the mobile phone (the device in hand). The one-time password usually comes in 2 forms: (1) sent by SMS to your mobile phone, or (2) generated by an authentication app installed on your mobile phone.
This feature is more secure than password-only authentication, so it is highly recommended to enable the 2-factor authentication / 2-step verification feature.
Information on the 2-factor authentication / 2-step verification features of different platforms is listed below.
2) Do not use the same password for different services
Once hackers have stolen credentials from one service platform, they will try to use the stolen passwords to log in to other internet services; this tactic is called "Credential Stuffing". For example, when a hacker successfully steals a user's Facebook account password, he will try to use the same password to log in to the user's Twitter, Gmail or online banking account. For this reason, it is highly recommended to use separate passwords for different services.
3) Think twice before entering the password
Users should always make sure the website or application is legitimate before entering their online account information and password. If in doubt, do not enter any account information and verify the legitimacy with the service provider.
4) Sign-out after use
Do not use the "remember password" function on a public computer. Also, it is advised to use the "incognito" or "private" mode of the browser. Moreover, users should sign out of all internet services and close all browsers afterwards to ensure no browsing history is left behind.
5) Delete unused account regularly
Most users forget to manage the accounts that are not actively in use, and these are easy targets for hackers. In view of that, users should review their accounts regularly and delete inactive ones to reduce the risk. It is recommended to compile a list of personal social media and instant messaging accounts for easier account management.
6) Pay attention to suspicious login attempt alerts
Some internet service providers notify users about suspicious login attempts, that is, they send an alert email and/or SMS to the user when the system detects a suspicious login attempt. Users should pay attention to this kind of alert issued by the service providers, since it indicates that a hacker is trying to break into your account.
Once hackers have successfully stolen one of your friends' accounts, they will impersonate your friend and continue to attack his/her connections. This kind of attack takes advantage of the trust among friends to request other users to provide account login information or PINs, or even to conduct financial fraud. Therefore, if you receive any suspicious request, please verify it carefully by voice call or other reliable means.
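The alerts described in item 6 and the credential stuffing described in item 2 are two sides of the same server-side detection: a service keeps a small per-account baseline of the devices and countries a user normally logs in from, and separately watches for one source address trying many different accounts. The following is an added illustration, not HKCERT's or any provider's code, of both checks run over a few constructed login records (timestamp, user, IP, country, device, result; the addresses are documentation ranges and the names are invented). The thresholds and the decision to update a user's baseline only on successful logins are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample login events, not real logs:
# timestamp  user  source_ip  country  device_id  result
SAMPLE_EVENTS = """\
2024-05-01T08:00:00Z alice 203.0.113.10 HK dev-a1 success
2024-05-01T08:05:00Z alice 203.0.113.10 HK dev-a1 success
2024-05-01T09:00:00Z bob   198.51.100.7 HK dev-b1 success
2024-05-01T21:00:00Z alice 192.0.2.44   RO dev-x9 success
2024-05-01T22:00:01Z alice 192.0.2.99   US dev-z1 failure
2024-05-01T22:00:02Z bob   192.0.2.99   US dev-z1 failure
2024-05-01T22:00:03Z carol 192.0.2.99   US dev-z1 failure
2024-05-01T22:00:04Z dave  192.0.2.99   US dev-z1 failure
2024-05-01T22:00:05Z erin  192.0.2.99   US dev-z1 success
"""


def parse_events(text):
    """Turn the whitespace-separated records into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, device, result = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "country": country,
                       "device": device, "result": result})
    return events


def detect_suspicious_logins(events, stuffing_threshold=4):
    """Return (kind, subject, detail) alerts.

    new_login_context: a successful login for a known user from a country or
    device not seen before (the kind of event behind an "unusual login" email).
    credential_stuffing: one source IP has tried at least `stuffing_threshold`
    distinct accounts, the signature of stolen password lists being replayed.
    Thresholds are assumed values for the example.
    """
    known = {}                       # user -> {"countries": set(), "devices": set()}
    users_per_ip = defaultdict(set)  # ip -> set of account names attempted
    alerts = []

    for e in events:
        users_per_ip[e["ip"]].add(e["user"])   # count attempts, successful or not
        if e["result"] != "success":
            continue                           # failures never extend a user's baseline
        profile = known.get(e["user"])
        if profile is None:                    # first observed login seeds the baseline
            known[e["user"]] = {"countries": {e["country"]}, "devices": {e["device"]}}
            continue
        reasons = []
        if e["country"] not in profile["countries"]:
            reasons.append("new country %s" % e["country"])
        if e["device"] not in profile["devices"]:
            reasons.append("new device %s" % e["device"])
        if reasons:
            alerts.append(("new_login_context", e["user"],
                           "%s: %s" % (e["ts"], ", ".join(reasons))))
        # A real service would add the new context only after the user confirms
        # the alert; here it is added immediately to keep the example short.
        profile["countries"].add(e["country"])
        profile["devices"].add(e["device"])

    for ip, users in users_per_ip.items():
        if len(users) >= stuffing_threshold:
            alerts.append(("credential_stuffing", ip,
                           "%d distinct accounts tried" % len(users)))
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample data the first check fires once, for alice's evening login from a new country and device, and the second fires for 192.0.2.99, which cycles through five different accounts in five seconds. The point for the reader of item 6 is that the provider's alert is triggered by exactly this kind of deviation from the account's own history, which is why it deserves attention even when the login "succeeded".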
7) Apply security patches to social media and instant messaging applications and endpoint devices in a timely manner
Besides phishing attacks, hackers also attack a targeted account by exploiting vulnerabilities in related software. Users should apply security patches to social media and instant messaging apps, the browser and the operating system in a timely manner, whether on a mobile device or a PC.