The Problem with Facebook Trivia Questions and Your Answers

September 30, 2021

Life is full of questions, most of which should not be answered on Facebook.
With over 2,850,000,000 monthly users, Facebook is the most popular social network in the world.
Although the secret is out on the rampant proliferation of cybersecurity scams, many of us continue to participate in random surveys, trivia challenges, and games.
The featured image in this blog is a screen capture from a friend’s post. Its mockery of blatant social engineering tactics is 100% on point.
The following gallery includes an assortment of memes and some concrete reasons not to engage.
These real-life examples should create awareness and hopefully trigger some “aha” moments to make your personal and social networking activities considerably less risky.

Phone Number Phishing

Asking for the last three digits of someone’s phone number is so obvious, you’d think no one would respond.
However, this ridiculous post received 4,600,000 comments and 157,000 shares. Cybercrime is a numbers game and even a small participation rate is a big win for bad actors.
(On a positive note, Tracie is a friend of mine and her cynical comment reflects a high level of cybersecurity maturity.)
Even if the images and inquiries are perfectly innocent (which I doubt is the case here), your responses are scraped and processed by sophisticated software programs to decipher passwords and answers to security questions.
Threat actors have one simple endgame: to gain access to your personal and business assets. And they have a wide variety of free and paid digital tools at their disposal.
I found the following video on YouTube with step-by-step Facebook data scraping directions.
Learn More: How to Scrape User Data on Facebook

Security & Password Question Phishing

Along with your mother’s maiden name, your first pet, or your hometown, your first car is a classic security question.
This inquiry is one of many posts queued up to capture a portfolio of user answers over many years. In the meantime, bits and pieces can be sold to multiple parties on the Dark Web.
The same long-game ploy applies to passwords and phone numbers. While the exhibit in the first section asks for the last three digits of your phone number, cybercrooks can run a simple Google search on your name to acquire the rest of your digits.
They can also verify your identity (and confirm you’re not a fellow crook) by comparing the last three digits you share with your full ten-digit phone number if it is visible on your Facebook profile.
I strongly suggest you remove your personal phone number from social media right now.

It’s common for people to create passwords that combine two different terms with upper- and lower-case letters, random characters, and numbers.
So if the first part of your password includes your first car, the second part might include Old Spice.
These two disparate pieces of data can be harvested and used in brute-force attacks (BFAs), a trial-and-error approach that guesses login credentials by trying many combinations.
BFAs can take a few seconds or many years, depending on the length, complexity, and uniqueness of your passwords.
Therein lies the dilemma: according to DigiCert, “73% of users use the same password for multiple sites, and 33% of people use the same password every time.”
As a result of the “recycled-never-changing password dilemma,” access to one account is often access to several dozen accounts – both personal and professional.
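To make the “first car + Old Spice” point concrete, here is an added illustration (not code from the original post) that estimates how much the guessing space shrinks once both words have been harvested from trivia answers. The word-list size, mangling rules, and guess rates are constructed assumptions for illustration only.

```python
import math

# Constructed, illustrative guess rates (assumptions, not measured figures):
# a rate-limited online login form versus an offline attack on a leaked fast hash.
GUESSES_PER_SECOND = {
    "online, rate-limited": 10,
    "offline, leaked fast hash": 1e10,
}


def search_space(word_choices_per_slot, case_variants=4, digit_suffix_len=2, symbol_choices=10):
    """Count candidates for a password built from word slots (each slot drawn from a
    list of the given size), a capitalisation variant per word, a digit suffix and
    one trailing symbol. This models the two-term password structure the post describes."""
    space = 1
    for choices in word_choices_per_slot:
        space *= choices * case_variants
    space *= 10 ** digit_suffix_len
    space *= symbol_choices
    return space


def entropy_bits(space):
    """Effective entropy in bits for a search space of the given size."""
    return math.log2(space)


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at the given rate."""
    return space / guesses_per_second


def compare_scenarios():
    """Return scenario -> (entropy bits, seconds to exhaust offline)."""
    scenarios = {
        # Nothing harvested: each word drawn from an assumed 50,000-word list.
        "two unknown words": search_space([50_000, 50_000]),
        # Both facts harvested (first car, favourite product): one candidate per slot.
        "two harvested words": search_space([1, 1]),
        # A random 16-character password from the 94 printable ASCII characters.
        "random 16 chars": 94 ** 16,
    }
    rate = GUESSES_PER_SECOND["offline, leaked fast hash"]
    return {name: (round(entropy_bits(s), 1), seconds_to_exhaust(s, rate))
            for name, s in scenarios.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare_scenarios().items():
        print(f"{name:20s} {bits:6.1f} bits  {secs:.3g} s offline")
```

The harvested-words case collapses to roughly 14 bits, which is why security-question answers are best treated as secrets: random strings kept in a password manager rather than true facts.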

What’s Next?

I haven’t completely abandoned Facebook. I need it for business reasons. However, I have become much more circumspect when sharing information, liking posts, and commenting.
As a social media consumer and business professional, I recommend four simple steps:

  • Get a password manager like LastPass, Dashlane, or 1Password.
  • Use a unique and complex password for each account.
  • Change each password frequently.
  • Set up Multi-Factor Authentication for your password manager and every other account where it’s available.

Jed is a Solution Advisor at Integris who has specialized in MSP solution development, sales, and marketing communications since 2003.
