Facebook Polls are a Jackpot for Scammers

Those Get To Know Me Polls are not harmless fun…they are a jackpot for Social Engineers and Hackers. Here is how you can thwart their efforts.

The Get to Know Me Facebook Polls. They are everywhere, and if you have a Facebook account you will often notice that once a poll pops up from one of your friends, it isn’t long before others start posting it as well. They seem like harmless fun; a great chance to learn cool and interesting facts about your friends and family that you may not have known. But they are also great for something else…a jackpot for social engineers and identity thieves.

Why The Polls are Dangerous

Think about the kinds of questions these quizzes ask you. More often than not they contain questions like these:

  • What is your mother’s maiden name?
  • Where were you born?
  • What is your pet’s name?
  • Where did you go to high school?
  • What year did you graduate?

They seem like innocuous questions; something that your friends would probably already know about you, or things that could be easily identified from other public sources.

But think about where else you have seen these questions before. Have you seen them when you are setting up online banking accounts? When you are setting up automatic bill payments online with your utility company? How about when you are accessing your health record for your clinic’s new online portal?

Many of the questions in these Get to Know Me Facebook Polls are the exact same questions that are used by vendors and legitimate websites as a second layer of authentication to protect your account. You often create them as a way to prove that you are who you say you are if you ever forget your password to the website; you can simply tell the website you forgot your password, answer the security questions you set up when you established the account, and they will send you your password or a password reset link via e-mail.

Why This is a Problem

One of the most common ways for hackers and scammers to try and gain access to your accounts is through password cracking. Using Brute Force or Dictionary Attacks, hackers or social engineers will try and guess your password and use it to access your accounts. When these methods fail, or if the account is set up to only allow a limited number of password entries, the system often helpfully presents you with your security question you can answer so you can reset the password. If the hackers or scammers know that your mother’s maiden name was Smith and that’s the question the system is asking…they are as good as in.

“Not me!” I can hear you exclaiming. “How would they know my mother’s maiden name was Smith? These hackers aren’t my Facebook friends and they could not have seen the Get To Know Me Poll I took a few months ago. My Facebook Profile is a Fortress!”

You may be smarter than the average bear when it comes to social media. You may have your account locked down to where no one who isn’t your friend can see things you post. You may have it set up so your Facebook profile doesn’t appear in Google search results. You may prune your Facebook Friends lists regularly to make sure that you are only friends with people you actually know in real life. You may have done everything you can to make your profile secure.

But what about Great Aunt Pam? The relative you only see every couple of years but who, at the age of 70+, loves to post pictures of her crafts, send around chain Facebook messages and like or comment on your posts? Chances are that her Facebook profile is wide open.

When these well-meaning friends of yours like or comment on that Get to Know Me Poll, that poll and your Facebook identity display on their wall, which is open to everybody. These are the people the smart social engineers target. They may not be able to get to the poll on your profile, but they can get to it from Great Aunt Pam’s because she liked it. Now, the social engineer has your poll answers, and they can try and target your accounts.

What You Can Do About It

There are two ways you can stop hackers and/or social engineers from getting the information they need to access your accounts this way, and I would recommend employing both strategies.

  1. Stop Filling Out The Polls – These polls may seem harmless, but as we have seen they are anything but. By filling these out you are putting incredibly valuable information out into the world for everyone to see and use however they like. Even if your Facebook profile is locked down like Fort Knox, you can’t ensure that everyone else you are connected to has the same level of security and privacy awareness, and a simple like or comment from them has the effect of spreading that information across the entire open internet. Your Great Aunt Pam may not mean it, but she’s helping someone access your accounts or steal your identity.
  2. Lie On Your Security Questions – Security questions are anything but secure, which is why most experts recommend eliminating their use. When you are establishing new online accounts and you are asked to create security questions, lie. Lie your butt off! There is absolutely no reason why you have to provide the actual real answers to these questions; the company doesn’t care and won’t be checking to make sure you actually provided your mother’s real maiden name. All they need is some answer to the question they can check against what you provided them if you need to do a password reset, so just give them data. Tell them your mother’s maiden name is Purple Sparkly Pants or something else ridiculous…that’s all they need to store an answer from you in their database to compare against if you need to reset a password. That way if a hacker or social engineer is presented with the question, knows your mother’s real maiden name and enters it, they will be stopped in their tracks.

On a Side Note

This does mean that you will have to remember the lies you tell in your security questions. I recommend getting a Password Manager to help with this. Not only will it help you create better passwords, most of them have the ability to securely store notes associated with your accounts. You can log the lies into the password manager for the site, thereby eliminating the need to remember them.
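As an added example (not code from the original post), here is the advice above in miniature: a password-reset check that treats the security answer like a password, tried first against the real maiden name a poll would reveal and then against a random made-up answer of the kind a password manager would generate and store. The word list is a constructed stand-in, and the site-side hashing is an illustration, not any particular vendor’s implementation.

```python
"""Added example: why a random security answer beats a truthful one."""
import hashlib
import hmac
import math
import secrets
import unicodedata

# Constructed stand-in for a password manager's word list (illustration only).
WORDLIST = ["purple", "sparkly", "pants", "walrus", "comet", "ladder",
            "anvil", "meadow", "kettle", "orbit", "plaid", "thimble",
            "glacier", "saddle", "velvet", "badger"]
ITERATIONS = 200_000


def normalize(answer: str) -> str:
    """Sites typically ignore case and stray spaces when checking an answer."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def fake_answer(words: int = 3) -> str:
    """A made-up answer in the spirit of 'Purple Sparkly Pants': random words
    drawn with the secrets module, to be recorded in the password manager."""
    return " ".join(secrets.choice(WORDLIST) for _ in range(words))


def entropy_bits(candidates: int) -> float:
    """Guessing effort in bits for an answer drawn uniformly from N candidates."""
    return math.log2(candidates)


def store_answer(answer: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """What a site should keep: a salted, slow hash of the normalized answer."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return salt, digest


def verify_answer(stored: tuple[bytes, bytes], candidate: str) -> bool:
    """Password-reset check; constant-time compare so timing leaks nothing."""
    salt, digest = stored
    attempt = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    truthful = store_answer("Smith")  # the maiden name the poll revealed
    print("poll answer unlocks reset:", verify_answer(truthful, " smith "))  # True
    lie = store_answer(fake_answer())
    print("poll answer against a lie:", verify_answer(lie, "Smith"))  # False
    # Three words from a 7776-word list vs. a surname from 100 common names.
    print(f"{entropy_bits(7776 ** 3):.1f} bits vs {entropy_bits(100):.1f} bits")
```

The entropy line is the whole argument in one number: a maiden name drawn from a short list of common surnames is a few bits of guessing effort, while three random words from a real password manager’s list is roughly 39 bits, and the poll gives the attacker nothing about the latter.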
