Facebook Security & Privacy Checkup in 2018

Tom C’s Facebook Privacy Tune-up 2018

In this article, I will walk you through a Facebook privacy and security tune-up. Setting your privacy settings correctly will go a long way towards preventing you and your friends from being attacked by people with malicious intent, being embarrassed personally and professionally, or having your image shattered by a “friend” who associates you with something that casts you in a negative light to your friends and family.

This tune-up will focus on your privacy settings and control how much personal information you expose.

Privacy Settings & Tools

In a web browser, while logged into Facebook this link will get you to your Privacy settings: https://www.facebook.com/settings?tab=privacy&view

The recommended settings are shown below, and I will provide an explanation of each:

Who can see your future posts

Controls the audience that will see your future posts, e.g. when you type a new status. Setting this to Friends means only the people currently in your “friends” list can see the post. Please note that if you later stop being friends with someone, they lose the ability to see posts whose visibility is set to Friends. Also, posts set to Friends visibility cannot be shared outside the people in your friends list. Thus, if you intend a post to be shareable, you need to set that post to Public. You do not need to go into your settings to do this, as you can set the privacy of an individual post on that post. However, if you change a status to Public when posting it, Facebook will make your future posts Public as well.

Review all your posts and things you are tagged in

This is not a setting but gives you a way to quickly see the things you are tagged in. People have valid concerns about being tagged in things. You may have had it happen in the past where you were tagged in a post that goes against your beliefs or desires, or that you wouldn’t want associated with you in the eyes of your entire friends list and family. I will tell you how to avoid this completely in a little while when we look at security settings.

Limit The Audience for Old Posts on Your Timeline

This provides a quick way to immediately change all your past “public” posts to another privacy setting. It is helpful because you may have inadvertently made public posts over the years, and you just quickly want to remedy that. However, you may want some posts to remain “public”. You will have to either go through your public posts and cherry-pick the ones you want to change, or use this feature and then go over all posts and set the ones you want to remain public back to “public”.

Who can send you friend requests?

This controls who can send you friend requests. Setting it to Everyone allows anyone to send you friend requests. In 2018 that is no longer a good idea because of spam friend requests. If you change this setting to Friends of Friends, people can only request friendship if they are already friends with one of your friends. If you get a lot of nuisance friend requests, you might want to change this; but my recommendation is to leave it at Everyone and don’t blindly accept all friend requests.

Who can see your friends list?

Very important because there is no valid need for letting everyone see your friends list in 2018. Why? Because this is how chain posts and fake friend requests happen — by one of your friends allowing their friend list to be publicly visible. That becomes a phone book for accounts to target.

Change this to Friends Only. If that is not possible, at least make a smaller group of your friends — call it whatever you like and add your most trusted friends — and let only those friends see your friend list. And if you are in the practice of accepting friends you have never met in person, or many acquaintances, then please tighten this up.

Who can look you up using the email you provided?

Don’t expose this to the world. You know all those marketing and scam emails you get? You don’t want those people to also be able to get your name and other information by plugging your email into Facebook!

Who can look you up using the phone number you provided?

Same as last entry, but for your phone number. Don’t expose this to the world. You know all those marketing and scam calls that you get? You don’t want those people to also be able to get your name and other information by plugging your phone number into Facebook!

Do you want search engines outside of Facebook to link to your profile?

This is important because this is where most phishing attacks begin. What is a phishing attack? Well, put simply, phishing is an attempt by a person with malicious intent to gain access to your personal data so that they can then launch attacks against you. Attackers first need to find an account, then they visit your page to find what bits you have unknowingly exposed to the world. For example, you might have your kids’ names and photos on your page and exposed to the public. Now they know enough to target your kids — or target you via your kids.

I will talk more about securing your personal data, but for now please set this to No. You do not want search engines to find your profile.  Yes, this makes it harder for people to find you — but if they don’t already have a way of contacting you to initiate a friendship, then why are you friending them? You have to stop the insanity at some point, so why not start now?

Now we are going to switch pages and look at “Timeline and Tagging Settings”.

Timeline and Tagging Settings

In a web browser, while logged into Facebook this link will get you to your Timeline settings: https://www.facebook.com/settings?tab=timeline

I recommend the settings as shown below, and will explain:

Who can post on your timeline?

Setting this to Friends allows friends to post to your timeline… any friend. And when any friend happens to become irate because something you posted or commented on doesn’t align with their beliefs, they may come to your timeline and post something that is against your beliefs. Or someone you met in a bar once posts a photo of you dancing on the bar to your timeline. And these people make those posts Public, so now your employer, who probably already has your Facebook profile address and monitors posts to ensure you are not casting the company in a negative light, can see those posts.

“Uh, Bob, can you come into my office and bring everything in your desk with you? Some photos have surfaced….”

Oh my, why would you want to let anybody post to your timeline? Well, when it is your birthday, friends that can’t post to your timeline because you have that set to higher security than friends will find out real quick how much you don’t trust them.

But, there is a better way to protect yourself. Keep this set to friends but activate the review timeline posts setting, described in a short while.

Who can see what others post on your timeline?

This controls who can see what others post on your timeline. Assuming you have timeline review turned on, this really shouldn’t be necessary to change. But if you don’t want to turn timeline review on, and you want all your friends to be able to post to your timeline, this setting might be beneficial. I prefer to control what goes on the timeline to begin with, so I don’t have to worry about this setting.

Allow post sharing to stories?

Stories is a new concept and quite frankly one I have yet to embrace. This setting controls whether or not to allow others to take one of your public posts and share it to their story — with your name attached. Note, it has to be a public post… no one can expand the scope of visibility of any of your posts. I don’t see a problem with this, so long as you are mindful to make posts public only when necessary and intended, and with the expectation that the post could go viral and become well known at your workplace.

Hide comments containing certain words from your timeline

This is not particularly useful. You can enter keywords that will hide comments containing those keywords on posts you make, but those comments won’t be blocked completely, and your mutual friends would still see the comment.

A better practice is to actively moderate comments made on your posts. Yes, you have a responsibility to do that — especially if your post is of a nature that is likely to draw controversy and opposing views. You can remove comments on your posts, and you really should do that if the comments are personally attacking others. At a minimum, you should call out attacking comments and warn. Don’t take the position of “I can’t control who comments on my posts and who that might offend”, because you can control that.

Who can see posts you’re tagged in on your timeline?

This allows you to control who can see things you are tagged in. This setting used to be important because it used to really be a problem that people tagged their friends in offensive or nonsense posts. The better way is to prevent that, and that is done with tagging review, which is coming up real soon.

When you’re tagged in a post, who do you want to add to the audience of the post if they can’t already see it?

This comes into play if you are tagged in a post (or photo) by a friend, but your other friends can’t see it. I see no issue with this, assuming you have the review feature enabled.

And now we finally get to talk about the review features!

Review posts you’re tagged in before the post appears on your timeline?

This is a great feature and highly recommended. If you turn this on, any posts to your timeline will not be visible to anyone until you review them. When someone posts to your timeline, you get notified and can review and on a per-post basis decide whether to allow it or not. If you allow it, then it becomes visible to the people who can see your posts (controlled through another setting discussed previously).

This setting solves the problem of someone posting to your timeline something offensive or something you do not wish to be associated with.

Review tags people add to your posts before the tags appear on Facebook?

This is similar to the previously discussed setting but applies to the situation of photos. To be honest, I am not seeing how this is much different than the previous one.

Personal Data Points On Your Profile About Page

Why Protecting Your Personal Data Is Important

You probably wouldn’t want anyone on the Internet to know what high school you went to, where you work, your date of birth, your home address, your cell phone number, your email address, your kids’ names, their dates of birth, your mother’s maiden name, etc., because a malicious person armed with all these data points can hijack your identity really quickly.

So why do you expose those data points to the world via Facebook? Ok, maybe you don’t expose them all, but how many do you expose? Keep in mind, that even if all these things are exposed only to “friends” unless you are extremely selective in who you friend, you are putting yourself at great risk.

How To Review Security Of Your Profile

From Facebook, click your profile picture in the top bar to view your profile, then click the tab “About”.

You should see something like below. It shows the “overview” by default:

Go through each item in the list on the left: Work and Education, Places You’ve Lived, Contact and Basic Info, Family and Relationships, Details About You, and Life Events.

For every piece of personal data exposed, hover over that data point and you will see an icon pop up that shows the visibility scope. An icon that looks like a world means you are exposing that to the world, an icon that looks like a few heads means you are exposing it to your friends, and an icon that looks like a lock indicates you are exposing it to no one but you. The setting for that is literally Only Me.

You should not have anything exposed to the world. I expose my website because that does no harm. I don’t even list my true workplace, so it can’t be breached or disclosed by accident.

Beware of Life Events = Over Sharing To The World

The default setting is for your “Life Events” to be shown to the world.  Think about this carefully, because if you create a life event to commemorate the day your child was born, and expose that proudly to the world, that life event then shows anyone the birth date, and most likely the child’s name, and what hospital, and the parents’ names, and the grandparents. Pretty much all the information a malicious person would need to impersonate your child, obtain a duplicate birth certificate, etc.

Always Presume Someone On Your Friends List Is A Bad Guy

Go through every data point and make sure the visibility is set properly, and in 2018 that doesn’t just mean not exposed to the world. It also means not exposed to your friends — unless you are extremely careful when considering and vetting friend requests, and all of your friends have a valid need to know and can be trusted not to put you and your family at risk.

Which leads to an important point which will be discussed next.

How Can My Facebook Friends Put Me At Risk?

If your Facebook friends do not practice what you do, and especially if they expose their friend list to the world and are publicly searchable, then bad guys who find them also find you.

What happens next is that the bad guy creates a fake profile and sends your friend a friend request, and also one to you. You are smart enough to vet that request and ignore it. But your friend cares more about the number of friends they collect than their own privacy and yours, so they accept the friend request. This is why you never set any privacy or post settings to “friends of friends”, because if you do, this bad guy can see your personal data.

App Permissions

The last component of our checkup is to review application permissions. You may recall over the years you have used Facebook to log into other sites or integrate with other services, like games and such.

To see what applications have access to your Facebook account, you can click this link: https://www.facebook.com/settings?tab=applications

Here you will see all the applications that are allowed to access your Facebook data. There are three tabs: “Active”, “Expired”, and “Removed”.

The apps in the active tab are apps that have access right now, and you should recognize and understand the validity of that app having access to your Facebook data. If not, remove the app. You do that by marking the app with a check, then press the “Remove” button.

I have checked “Ali Express” and “Yelp” apps because I do not want those apps to have access to my Facebook.

Facebook does automatically track app use and will expire apps that haven’t been used in 90 days. But that does not remove the app; it just terminates its access for future requests. You should remove apps that you cannot justify having access to your data. If for some reason you don’t want to remove an app, you can click the app to see the specific permissions, and perhaps cut back the things it can see and do.

Now, I have to talk about the risks you create when you visit one of those “What Celebrity Do I Look Like” sites.

Why Shouldn’t I Allow the Apps I See My Friends Posting Results From (Fortune Telling, etc.)?

Because those apps/sites first ask for access to your Facebook personal data and profile picture! Notice how the purpose of the site is one that requires your photo. Sites like “what will I look like in 50 years”, “what hair color is best for my face”, “do I look like Britney Spears or Christina Aguilera” (Answer: no — neither).

While it is certainly possible that these sites are truly for entertainment purposes and your profile pic and data go nowhere, that isn’t very likely. It is more likely that the site really exists as a way for bad guys to get your photo and personal data.

What can a bad guy do with your photo and personal data? Well, pretty much anything. They can create a fake ID and make a copy of it, and mail it to Facebook, Gmail, Hotmail, etc. to “recover” your account. Of course, your account doesn’t need recovering, but they will do it to gain access and lock you out of the account in one swoop.

And you happen to use your Gmail account for the two-factor authentication and password recovery for your online banking? Guess what happens next. Oh, and you use Chrome for all your password storage and management? Guess what happens next?

Please, just don’t. And if you already did, go revoke that app/site so it cannot access your Facebook profile.

My Friends Use Those Stupid Apps, Can That Hurt Me? What Can I Do?

Yes. Your risk gets raised by having friends that use these apps. Anything that you expose to “friends” gets exposed to these sites/apps. If you have friends that do this, your best course of action is to put those friends in a group called “Acquaintances”, and then go into all your settings and set everything that was set to “friends” and change it to “Friends except Acquaintances”.

Authentication & Login Security

You should review your login & authentication options. You can use this link: https://www.facebook.com/settings?tab=security

I am not posting a screen cap for obvious reasons and instead will summarize the things you should have enabled and should not.

Choose friends to contact if you get locked out

I do not recommend using this feature. Several years back this was a common way of gaining access to someone’s Facebook, because if you could get the person to accept as friends 3 bogus accounts which you control, then the attacker could “recover” your account by choosing those 3 friends.

I am sure this feature is much better, as it allows you to pick the 3 to 5 people, but still this just doesn’t seem smart or even necessary.

Where You’re Logged In

You should review this periodically — especially if you sense things are being sent to people from you but weren’t done by you. You can log out any sessions you don’t recognize. When in doubt, log the session out. If you have retired devices over the years, those are probably still allowed to log in. You should remove them.

Change Password

Do this every few months. It isn’t as painful as you might think.

Log in with your profile picture

I do not recommend enabling this. If it is enabled, and you access Facebook from a compromised device, or a device you don’t control completely, your login could become compromised. As the saying goes, security and convenience are always competing… you should err on the side of security.

Two-Factor Authentication

I highly recommend enabling this, and on any other service that provides two-factor auth. Two-factor authentication is simply an authentication that requires two things — something you know and something you have. Password-only authentication is only one thing — something you know. If I can guess that one thing, I get in. But if you have two-factor auth turned on, I still can’t get in because I don’t have the 2nd thing — the thing you have.

Enabling two-factor authentication causes you to have to login with the username and password, and then Facebook sends you a code through SMS or Google Authenticator app, which you need to put in to complete the login process. This is when you access the service from a new PC or device, not every single time you use the service.
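To make concrete what the “thing you have” is, here is an added example (not code from the article or from Facebook) of how an authenticator app and the server both compute the one-time code from a shared secret, as described in RFC 4226/6238. The secret used is the public RFC test vector, not a real account secret; the server-side window and the combined login check are assumptions about how a service would use it.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # time step used by authenticator apps such as Google Authenticator
DIGITS = 6

# Shared secret from the RFC 4226/6238 test vectors ("12345678901234567890" in base32).
# A real service hands the app a fresh random secret via the QR code; this public
# test value is used only so the outputs are checkable.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current Unix time.
    The phone and the server compute the same value because they share the secret."""
    return hotp(secret_b32, now // step)


def verify_second_factor(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check of the code the user typed (assumed design). Accepts the adjacent
    time steps so a slightly drifted phone clock still works, and compares in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def login(password_ok: bool, secret_b32: str, submitted_code: str, now: int) -> bool:
    """Both factors are required: a guessed password alone never gets in,
    and a stolen code without the password does not either."""
    return password_ok and verify_second_factor(secret_b32, submitted_code, now)


if __name__ == "__main__":
    print("current code for the test secret:", totp(RFC_SECRET_B32, int(time.time())))
```

The RFC test values (counter 1 gives 287082, counter 3 gives 969429) show why an old code stops working after the window has passed.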

Two-factor auth should be used on all social media accounts because of the potential damage to your image, name, and reputation if your account gets compromised and control is lost. It will hurt you personally and professionally. You should also use two-factor authentication on any site or service that has access to your payment card information. PayPal, Amazon, etc. all offer two-factor authentication, as does your online banking.

Keep in mind that your mobile device becomes very important when it is the device that holds that second factor for login. This is why modern devices require biometrics. Possession of the device is not enough, because if it were device theft would be a much bigger problem.

With two-factor authentication, the bad guys can’t just steal your device to get into your online accounts — they have to also cut off your finger or pluck out an eye.

Get alerts about unrecognized logins

You should turn this on. It will send a notification to your mobile device, and to any web sessions, when a new device accesses your account. Since you have two-factor authentication enabled, that would mean someone was able to log in completely. If it was you, you simply click the option “it was me”. If it wasn’t you, the first thing to do is urgently log out all sessions other than the one you are on (through the Facebook security settings as discussed above) and change the password. Do this quickly, because if you can do that before they log you out and change the password, you will stop the attack.

Other settings

The other settings on the Facebook Login and Security page are not terribly important and are self-explanatory.

What About Facebook Messenger? Should I Use It?

No. But if you do use it, please forward a link to this article to everyone in your contacts list. 🙂

What Should I Do Now?

Go do the same at all other social media sites, sites that contain your payment card information, the email you use as the “recovery” account for all other accounts, etc.

Get in the habit of reviewing all your security & privacy settings at least every 6 months.

Privacy Policy

This site does not track you or your personal data beyond the actions you perform here. We sell nothing.

What This Site Knows About You

1) Most who sign-up authenticate via a third-party such as Facebook or Google. In that case, the only thing this site knows about you is your email address which is tied to the third-party authentication that you chose.

2) This site knows about what posts or pages on this site you have accessed here.

3) This site knows the IP address you used to access this site.

What Data This Site Sells 

Nothing. We do not sell or provide anything about your actions done here to anyone.

What This Site Tracks After You Leave This Site

Nothing. This site does not use cookies or scripts to track your activities outside the scope of using this site. This site does not try to list what other tabs you have open, what other connections your device might have to other sites, etc.

Does This Site Know My Password on Facebook, Google, Twitter, etc.?

No. If you chose to authenticate using a third-party such as Facebook, Google, or Twitter, then this site does not know what your password is on those sites.

That said, if you chose not to authenticate using one of those third parties, and instead created a user account and password on this site, and that password happens to be the same as what you use on some other site, you have done an unwise thing.

However, rest assured that this site does not store that password even in its local database. Instead, it stores a hash of that password. To be more specific, it is a salted hash. That means even if someone gains access to or a copy of our internal database, they will have a very tough time determining your password from that salted hash. I can’t say it is impossible, because nothing is.

But still, you really shouldn’t use the same password on multiple sites.
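An added example (not this site’s own code; the page does not say which scheme it uses) of what “a salted hash” means in practice and why it makes a leaked database hard to exploit. It assumes PBKDF2-HMAC-SHA256 and the iteration count shown, and contrasts it with a constructed unsalted table to show what salting prevents.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters; the article does not specify the site's actual scheme.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # work factor: every guess against a leaked record costs this much
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt is drawn for every user, so two users with the same password
    get different records and a precomputed table of common passwords is useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def constructed_unsalted_users() -> dict:
    """Constructed sample of a leaked UNSALTED table (plain sha256 of the password)."""
    return {
        "alice": hashlib.sha256(b"password").hexdigest(),
        "bob": hashlib.sha256(b"password").hexdigest(),   # identical to alice's: shared password is visible
        "carol": hashlib.sha256(b"xQ7#vL9!pR2&mN4z").hexdigest(),
    }


def unsalted_leak_demo(users: dict) -> list:
    """What an attacker gets from an unsalted table: one small lookup table of common
    passwords cracks every matching account at once. Returns the usernames cracked."""
    wordlist = ["password", "123456", "letmein"]      # constructed, deliberately tiny
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return [name for name, digest in users.items() if digest in table]


def salted_records_differ(password: str) -> bool:
    """With salting, the same password stored twice yields two different records that both
    still verify; an attacker must run PBKDF2 per record instead of one table lookup."""
    first, second = hash_password(password), hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)
```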

What About Plugins This Site Uses?

This site uses plugins for various things, like integrating with social media and authentication sources. All plugins used are widely used and generally considered to be secure and not abuse your personal data.