Everyone uses Social Media these days and we’re trusting it with more and more of our personally identifiable information (PII).
Our interests, comments, check-ins, likes and the network of friends and family we build-up all contribute to a context-heavy online identity.
If an attacker gains control of your online identity, they can easily:
- Steal all your personal information
- Post content and messages on your behalf to hurt you or your network of friends and family
- Use implicit trust to gain access to other online services
- Impersonate you, abusing the trust you have with your network of friends and family to infiltrate their online identities and networks
etc.
In this guide, I’ll focus on the social media platform Facebook and talk about how to review your security settings.
Table of Contents
Review your public profile
It’s important to review exactly what information you’ve entered as part of your Facebook Public Profile – as it’s exactly that: Public.
You may have entered something personal, inappropriate, misleading, regrettable or just incorrect without realising it’s being broadcast to the world. The settings controlling what’s displayed as part of your public profile are separate from Facebook’s general security settings so must be reviewed independently.
To configure your Public Profile, do this:
- Browse to https://www.facebook.com and log in
- Find your mini profile picture and name in the top of the left navigation bar.
- Click on the the 3 vertical dots next to your name
- Click on Edit Profile from the pop-up menu
- Your Edit profile popup window will appear
Examine all photos and read all text and options in this window from top to bottom. Whatever you see here is publicly visible to the whole world.
After making a change, remember to click the Save button that appears.
Edit your About Info
IMPORTANT: Make sure you click on the Edit your About Info link at the bottom of the Edit Profile window.
The About Info section can contain a huge amount of personal information you might want to keep private.
Go down the navigation items on the left and examine each panel of information on the right. Examine everything here. If there’s something you’d rather keep private or don’t want the world to see or know about – such as your mobile phone number or your relationship status, change it here.
Security and privacy settings
Facebook security settings can be accessed via the Facebook. Accessing the Facebook security settings:
- Browse to https://www.facebook.com and log in
- Click on the down arrow ▼ in the top right corner
- Select Settings from the drop down list
There are lots of security-related settings here, so to save you time I’ve use the following colour coding:
[QUICK WIN] = You should address these straight away
[EFFORT] = Require a bit more thought and effort but will definitely improve your security posture
[REVIEW] = Items for you to review. These are mainly about privacy but also cover notifications and alerting.
Security and login
Where you’re logged in [REVIEW]
This is a list of all devices and locations that are currently logged into your Facebook account.
If you have a home PC, a laptop, a smart phone, a tablet etc. you’ll see multiple entries here. Facebook will try and identify the type of device and where geographically it’s logged in from.
Make sure you click on the ▼ See more button to display everything.
Look down the list and if there’s anything there you don’t recognise, click the three dots menu icon on the right and select Not you?. This tells Facebook that you are not responsible for this login and will help Facebook block this connection in the future.
If you’re knowingly using a VPN or routing your traffic via a different country, you’ll see that reflected here.
Seeing anything unexpected here can indicate that your Facebook account has been compromised and someone else is logging into your account without your knowledge. Is this is the case, I would recommend that you immediately do the following:
- Change your Facebook password
- Go back to the Where you’re logged in list and click Log out of all sessions at the bottom.
This will cause every device on the list to be logged out. If they try and log in again, they’ll be prompted to enter your password which you’ve just changed.
Setting up extra security
Get alerts about unrecognised logins [QUICK WIN]
This works hand-in-hand with the Where you’re logged in list (explained above).
Facebook can send you a notification if it sees a login that’s from a previously unknown device, browser or location. This is really important so you can react quickly if your account is compromised.
If this isn’t already On, click the Edit button and make sure notifications are enabled for all alert types. Remember to click Save Changes.
If you’ve just turned something on, you’ll get an alert saying so.
Use two-factor authentication [EFFORT]
You can learn more about the concept of Two Factor Authentication (2FA) by reading my guide here.
TL;DR; In order for a new device or browser to log into your Facebook account, a person will need to know not just your username and password (which might have been leaked) but also have access to your unlocked mobile device and use its code generator app.
If you enable 2FA in Facebook, it requires a minimum of your mobile phone number and a code generator of some sort.
The Facebook smartphone app will serve as a code generator, but if you’re embracing the concept of 2FA to protect your online identity across multiple online services, you should take the option to set up a third-party app as a code generator.
After you’ve read my guide to 2FA, adding Facebook’s QR code to your code generator app will be a breeze.
Choose 3 to 5 friends to contact if you are locked out [REVIEW]
Your Facebook account can be locked-out if someone is trying to brute-force your login credentials or someone has reported your account behaving maliciously – usually after it’s been compromised.
You can choose a few trusted Facebook contacts to help you out if your account becomes locked-out. They will be contacted by Facebook to help your identity to prove you are who you say you are.
Privacy
Your activity
Who can see your future posts [QUICK WIN]
Unless you are a public figure and want everyone to know exactly what you had for lunch or where you went last night and with whom, I would strongly recommend making sure only your Friends can see your future posts.
This setting usually defaults to Friends, but can switch if you’ve recently changed the visibility of a post to Public.
If this is set to anything other than Friends, click the Edit button, change to Friends then click Close. This setting doesn’t have a Save Changes button and takes effect immediately.
Limit the audience of old posts on your timeline [QUICK WIN]
If you’ve posted stuff in the past that you might have thought was a good idea to make Public, or may have accidentally made Public, you can fix this and set everything you’ve done back to Friends.
Click Limit Past Posts then click the Limit Past Posts button that appears below, then click the Limit Past Posts button in the window that appears, then click Close. The change will take effect immediately.
How people can find and contact you
Who can see your friends list? [REVIEW]
If you want to stop people you don’t know seeing a list of your Facebook Friends, you can change that here.
Click Edit, then change the visibility button to Friends. The change takes effect immediately.
If you’re happy for people you don’t know to see your list of Facebook friends, leave it as Public.
Who can look you up using the email address you provided? [REVIEW]
If you want to prevent people you don’t know from finding your Facebook Profile via your email address, you can change that here.
Click Edit, then change the visibility button to either Friends or Friends of friends. The change takes effect immediately.
If you’re happy for people you don’t know to find you by your email address, leave it as Everyone.
Who can look you up using the phone number you provided? [REVIEW]
If you want to prevent people you don’t know from finding your Facebook Profile via your mobile phone number, you can change that here.
Click Edit, then change the visibility button to either Friends or Friends of friends. The change takes effect immediately.
If you’re happy for people you don’t know to find you by your mobile phone number, leave it as Everyone.
Do you want search engines outside of Facebook to link to your Profile? [REVIEW]
You can stop your Facebook Profile page from appearing in search engine results by changing this option.
Click the Edit button and either tick or un-tick Allow search engines outside of Facebook to link to your Profile, then click Close.
It can take days or weeks for your profile to disappear from search engine results, so don’t expect an immediate effect. If you’re still seeing your profile coming up in search engine results, you’ll need to contact the search engine company directly and request your profile to be removed.
Timeline and tagging
Timeline
Who can post on your timeline? [QUICK WIN]
TO DO
Who can see what others post on your timeline? [REVIEW]
TO DO
Tagging
Who can see posts that you’re tagged in on your timeline? [REVIEW]
TO DO
When you’re tagged in a post, who do you want to add to the audience of the post if they can’t already see it? [REVIEW]
TO DO
Review
Review posts that you’re tagged in before the posts appear on your timeline? [REVIEW]
TO DO
Review what other people see on your timeline [REVIEW]
TO DO
Review tags that people add to your posts before the tags appear on Facebook? [REVIEW]
TO DO
Public posts
Who Can Follow Me [REVIEW]
TO DO
Public Post Comments [REVIEW]
TO DO
Public Post Notifications [REVIEW]
TO DO
Public Profile Info [REVIEW]
TO DO
Apps and websites
Every time you interact with a Facebook app, you grant it access to one or more elements of your profile. This can include your personal profile i.e. age, sex, religion, address, email etc and your friends list.
Some apps, also demand permissions to post on your behalf.
This page is split into 3 tabs: “Active”, “Expired” and “Removed”.
Apps under “Active” have continued access to your data.
Apps under “Expired” previously had access to your data but their access has now expired.
Apps under “Removed” are those that have had access to your data removed manually by yourself.
For all “Active” apps, you can check exactly what privileges it has by clicking “View and edit”.
If you’re certain you don’t want an “Active” app to access your data any more, tick it’s box and click the “remove” button.
You should perform this simple check regularly – especially if you’re in the habit of completing Facebook quizzes, questionnaires or playing Facebook games.
Apps, Websites and games [QUICK WIN]
Game and app notifications [REVIEW]
TO DO
Payments
TO DO