Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences...
7/31/2019 Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation
http://slidepdf.com/reader/full/preventing-fraud-and-managing-risks-in-social-media-by-michalis-mavis-during 1/90
Preventing fraud and managing risks in Social Media
by Michalis Mavis, MSc, MSc
f. Chairman of Hellenic Fraud Forum
Security Countermeasures
Our Approach
• Social Networking should be seen as a positive social phenomenon.
• We will look at the security threats & fraud cases in Social Networking.
• We will make recommendations on how to address these, to gain the full benefits offered by SNs.
Agenda
• Understanding the opportunities and the risks of social networks (SNs) to corporate security and personal privacy.
• Discussing methods to protect you and your business.
• Identifying the dangers for the industry.
• Legal and illegal methods used to get confidential information from SNs.
• Conclusions and Recommendations
The impact of a potential FB hack
• If the ‘Anonymous’ hacking operation on 5th Nov. is successful (we will know in a few days' time), the impact of a Facebook hack could be to raise additional awareness of SNs' security issues & risks.
• Despite all of the previous attacks getting some news coverage, now 750 million users of FB will be painfully aware of the security risks, threats and holes of the SNs.
It is not only Facebook (FB) that needs security measures ...
Security issues
LinkedIn reports more than 100 million registered users, spanning more than 200 countries worldwide, as of March 2011.
LinkedIn safer than other SNs
• LinkedIn is generally safer than MySpace and Facebook, mainly because it's less feature-rich and thus opens fewer potential attack vectors, experts say.
• LinkedIn also supports SSL technology (Secure Sockets Layer) for logins and other sensitive pages such as member settings. SSL ensures that the information between your computer and LinkedIn servers is encrypted so it cannot be snooped on. But…
LinkedIn site security vulnerabilities (May 2011)
• According to Rishi Narang, an independent Internet security researcher, a serious problem with LinkedIn was found in May 2011. LinkedIn's professional networking website has security flaws that make users' accounts vulnerable to attack by hackers who could break in without ever needing passwords.
• The problems are related to the way LinkedIn manages cookies, which serve as a key to gain access to the account. One of them is that the cookie does not expire for a full year from the date it is created!
• Most commercial websites would typically design their access token cookies to expire in 24 hours, or even earlier if a user were to first log off the account.
• The long life of the LinkedIn cookie means that anybody who gets hold of that file can load it on to a PC and easily gain access to the original user's account for as much as a year.
The ‘leo_auth_token’ cookie
• Among other cookies, the main authentication cookie known as ‘leo_auth_token’ tells the server that the user is already authenticated, and that there is no need for a password re-submission.
• “Once the attacker gets this cookie, he can import it in his browser and he may log in to your LinkedIn profile as owner, change it and do whatever he wants…”
The cookie risk
• The user’s password in LinkedIn is securely sent over an encrypted channel, but cookies, although encrypted, are sent over a plain-text channel, allowing hackers to “sniff the traffic” and get hold of these cookies.
• Although they cannot decrypt the cookie files, they can import them into their browser and authenticate themselves as the real account owner without the need of any password.
Recommendations by LinkedIn
• Choose wired or trusted and strongly encrypted wireless networks (Wi-Fi) or Virtual Private Networks (VPNs) whenever possible.
• If you ever suspect your account has been compromised, you should change your password right away by following these steps:
  – Go online using a trusted wired or encrypted wireless network
  – Log in to LinkedIn.com using a computer protected with anti-virus software
  – Go to Settings -> Change Password and change your password
• Some experts said an attacker could keep accessing an account despite a password reset because cookies were still valid after the change!!!
• FORTUNATELY THIS IS NOT CORRECT…
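The slides contrast a year-long cookie with the 24-hour, logoff-bound tokens most sites use, and raise the worry that old cookies survive a password reset. The added example below is not LinkedIn's code and not part of the presentation; `SessionStore`, `Session` and `set_cookie_header` are hypothetical names. It shows a session store that enforces a hard expiry, kills the token on logout, revokes every session of a user on password change, and emits the cookie with Secure/HttpOnly attributes so it never travels over a plain-text channel.

```python
import secrets
import time
from dataclasses import dataclass, field

SESSION_TTL_SECONDS = 24 * 3600  # the 24-hour lifetime the slides call typical


@dataclass
class Session:
    user: str
    token: str
    issued_at: float
    expires_at: float


@dataclass
class SessionStore:
    """Hypothetical in-memory store: token -> Session (assumption: single process)."""
    _sessions: dict = field(default_factory=dict)

    def issue(self, user, now=None):
        """Create an unguessable token bound to `user` with a hard expiry."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        session = Session(user, token, now, now + SESSION_TTL_SECONDS)
        self._sessions[token] = session
        return session

    def lookup(self, token, now=None):
        """Return the user for a live token, else None (expired tokens are purged)."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            # Hard expiry: a copied cookie stops working after the TTL even if the
            # victim never logged out, unlike the year-long cookie in the slides.
            del self._sessions[token]
            return None
        return session.user

    def logout(self, token):
        """Logging off kills the token server-side, so a copy of the cookie is useless."""
        return self._sessions.pop(token, None) is not None

    def on_password_change(self, user):
        """Revoke every session of `user`: a password reset must also cut off anyone
        still riding a stolen cookie. Returns how many sessions were revoked."""
        stale = [t for t, s in self._sessions.items() if s.user == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def set_cookie_header(session, name="auth_token"):
    """Build the Set-Cookie line for a session.
    Secure: the browser never sends it over plain HTTP (the sniffing case).
    HttpOnly: page scripts cannot read it. Max-Age: bounded to the TTL."""
    max_age = int(session.expires_at - session.issued_at)
    return (f"Set-Cookie: {name}={session.token}; Max-Age={max_age}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")
```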
REAL SCENARIO
• You are connected to a network at the office or at home and someone captures the cookies in traffic, e.g. by using Firesheep, and your account is hijacked.
• You as a user will not know that the cookie has been stolen or that there has been any parallel login by the attacker.
• LinkedIn doesn’t maintain any list of IP addresses (for a user to view in his account) as e.g. Gmail or Facebook do.
LinkedIn housekeeping security measures ...
Pls Help! My SN profile has been hacked!!
How to back up your LinkedIn Profile
• Save your full profile to a PDF document, by pressing the PDF icon under your photo.
• Save your connections, by following the link: http://www.linkedin.com/addressBookExport
• Restore the connections in case of problem from the relevant file: LinkedIn Connections => Add Connections => Contacts File ..........
Export Linkedin Connections
Quick tips on Security and Privacy
• Always have at least one other email address assigned to your account should you lose access to the primary address.
• Log out of your LinkedIn account when finished.
• Ensure your computer’s security software is up to date.
• Don’t click on a link you don’t trust.
• Set your Profile settings.
Public Profile?
• By default, visitors have access to your entire profile: your picture, summary, current positions, education, website, groups and more.
• If your intent is transparency, then full view is recommended.
• However, if you're not looking to disclose all of your information, go to the Profile Settings section and update by un-checking the profile features that you don't want to be displayed publicly.
Linkedin Settings
Two important settings
• Prevent your connections from seeing who you are directly connected to. This will make sure key vendors, contacts and clients connected through LinkedIn remain confidential.
• Profile Views – What others see when you visit their profile.
When you visit a Profile in Linkedin
Recent Security Events connected with
Recent malware attack
Spam Emails to LinkedIn users
• Spam emails looking like LinkedIn message notifications.
• The email included embedded links which, when clicked, would redirect the user to a page that stated “PLEASE WAITING…. 4 SECONDS,” before again redirecting to Google’s home page.
• During those four seconds, the victim’s PC is infected with the ZeuS data-theft malware via a drive-by download.
• After embedding itself within the user’s web browser, ZeuS focuses on capturing login credentials and passwords, which in turn can be used to access the user’s personal accounts (financial or otherwise).
More SNs risks
• With a variety of easy tricks, attackers can hijack a person's SN account and use it as a launching platform for additional attacks against other users.
• The trusted relationships that make up a person's network will then be used for future attacks.
• Those attacks may be incorporated into micro botnets and produce high-impact results.
• For example, by searching through a page of messages on Twitter, a motivated attacker can find the cell phone numbers of VIP people.
Recommendations
• Never provide your LinkedIn credentials (email + password) when clicking on a link. Always use https://www.linkedin.com to log in.
• Log out immediately when finished.
• Set your browser to delete all cookies at the end of the session (when the browser is closed).
SNs, the ideal area for intelligence gathering and attacks ...
SNs are the ideal environment for easy, massive, up-to-date information gathering (intelligence).
Information about personnel (people), companies, new projects, military issues, comments on important decisions, political beliefs etc.
It is done anonymously, legally and with very limited danger.
Open APIs included in Twitter and Facebook provide the opportunity to attackers to prepare and run malicious code of any kind.
Specialized Search Engines
Deep web vs. Surface web.
Only 1/500 of the information available on the Internet is freely available to users.
The remaining 499/500 is in closed databases (?), messages of users and various repositories that make up the deep web.
You need specialized search tools that can search the deep web and provide information about relationships between pieces of information.
You also need better visualization tools, so that you can highlight those relationships.
About WhosTalkin
• WhosTalkin.com is a social media search tool that allows users to search for conversations surrounding the topics that they care about most.
• Whether it be your favorite sport, favorite food, celebrity, or your company's brand name.
• The search and sorting algorithms combine data taken from over 60 of the internet's most popular social media gateways.
Yahoo Pipes
Visual tool that allows you to prepare and run specialized queries.
Content Search Engines
// pipes.yahoo.com/
Snitch.name
Designed to search from a central point various sites for specific persons' names.
Very famous in the United States.
Returns results from:
• Social Networks (FB, MySpace, Twitter…)
• Business Networks (LinkedIn)
• Academic Networks (Google Scholar, MIT…)
• Blogs (Wordpress…)
• General-nature web (Google, AnyWho…)
• US gov (CriminalSearch…) & Regional Data Bases
Maltego
• Maltego highlights the relationships and connections between network- and resource-based units.
• It helps to discover weak points in our infrastructure caused by people and machine interaction.
• It uses a very user-friendly GUI.
• Highlights links between:
  • Specific persons and groups (Social networks)
  • Organizations and Companies
  • Web sites
  • Infrastructures (Domains, DNS names, Netblocks, IPs)
  • Sentences, documents, files.
Id-Theft in SNs
• Identity theft in SNs is one of the most important threats as it may affect the reputation and privacy of the user. It may take place in different ways.
• In case the attacker is able to take full control of the user’s account, he may publish comments in the name of the legitimate user, change the current password and e-mail address, and then use the compromised account to spread malicious s/w.
• Id-theft may have a very serious impact on the user’s personal life and reputation at work.
Hijacking Social networks’ sessions
Blacksheep
What is Blacksheep ?
What is FireSheep ?
Firesheep characteristics
• Firesheep targets 26 online services, and includes many popular online services such as Amazon, Facebook, Foursquare, Google, The New York Times, Twitter, Windows Live, Wordpress and Yahoo.
• The extension is also customizable, allowing a hacker to target other websites not listed by Firesheep.
• It works over WiFi connections.
Firesheep steals SNs session cookies
• Firesheep uses a packet sniffer to intercept unencrypted cookies from certain websites (such as the SNs Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities.
• It shows the discovered identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim's name.
Stealing the cookie info
• As your browser swaps cookie information back and forth with the website, a third party can hijack that communication and capture information including your user name and session ID. Typically, the cookie will not contain your password.
• But even without your password, the fact that Firesheep has got your session cookie means that a hacker can access your account and gain virtually unrestricted access. If the hacker got your Yahoo Mail cookie they could read and send e-mails.
BlackSheep countermeasure
• BlackSheep is a Firefox plugin designed to combat Firesheep.
• BlackSheep drops ‘fake’ session ID information on the wire and then monitors traffic to see if it has been hijacked.
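The REAL SCENARIO slide notes that the user never learns of a parallel login and that LinkedIn kept no login-address list; BlackSheep's trick is a decoy session ID that only a hijacker would ever present. The added example below is my own code, not BlackSheep's or LinkedIn's; the log format, token values and addresses are constructed. It applies both ideas on the server side over sample access-log lines: it flags a token used from two different clients, flags any request carrying a planted decoy token, and builds the per-user address list a user could review.

```python
import re
from collections import defaultdict

# Constructed log format (assumption): ts ip "user-agent" session=TOKEN user=NAME METHOD PATH
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" session=(?P<token>\S+) '
    r'user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$')

# Constructed sample: alice's token reappears from another IP/UA (a sniffed-cookie
# replay on the same network), and a decoy token that was never issued gets used.
SAMPLE_LOG = """\
2011-05-21T10:00:01Z 192.0.2.10 "Mozilla/5.0 (Windows)" session=tokA user=alice GET /profile
2011-05-21T10:00:09Z 192.0.2.10 "Mozilla/5.0 (Windows)" session=tokA user=alice GET /inbox
2011-05-21T10:01:30Z 192.0.2.77 "Mozilla/5.0 (Macintosh)" session=tokA user=alice GET /settings
2011-05-21T10:02:00Z 192.0.2.20 "Mozilla/5.0 (Linux)" session=tokB user=bob GET /profile
2011-05-21T10:03:15Z 192.0.2.77 "Mozilla/5.0 (Macintosh)" session=decoy42 user=- GET /profile
"""

DECOY_TOKENS = {"decoy42"}  # planted on the wire, never issued to a real client


def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped, not crashed on."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def detect_hijacks(entries, decoys=DECOY_TOKENS):
    """Return alerts: ('decoy_used', token, ip) for any hit on a planted token, and
    ('parallel_use', token, user, sorted_ips) when one token is used by 2+ clients."""
    alerts = []
    clients = defaultdict(set)   # token -> {(ip, user_agent)}
    owner = {}
    for e in entries:
        if e["token"] in decoys:
            # Nobody legitimate holds this value, so any use is a hijack attempt.
            alerts.append(("decoy_used", e["token"], e["ip"]))
            continue
        clients[e["token"]].add((e["ip"], e["ua"]))
        owner[e["token"]] = e["user"]
    for token, seen in clients.items():
        if len(seen) > 1:
            ips = sorted({ip for ip, _ in seen})
            alerts.append(("parallel_use", token, owner[token], ips))
    return alerts


def login_addresses(entries):
    """Per-user list of (ip, first_seen): the login-address list the slides say
    Gmail and Facebook expose to the account owner for review."""
    first_seen = {}
    for e in entries:
        if e["user"] == "-":          # unauthenticated / decoy traffic
            continue
        first_seen.setdefault((e["user"], e["ip"]), e["ts"])
    out = defaultdict(list)
    for (user, ip), ts in first_seen.items():
        out[user].append((ip, ts))
    return dict(out)
```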
Faceniff mobile phone sniffer
A similar tool called Faceniff was released for Android mobile phones.
See relevant video
Instant upload to
• If you access Plus using your Android phone, photos and videos you take are automatically uploaded to Google’s cloud via a new tool called Instant Upload.
• Photos aren't shared by default, but are stored in a private Picasa Web folder for future sharing.
The tree
The SN is a tree.
Two users have a maximum distance of 6 persons.
The whole world is very small after all.
Not difficult to become a friend of the target.
Then initiate an attack...
Social Network on your iPhone!
What is Geo Tagging?
Geo Tagging is the process of adding geographical identification metadata to various media such as photos, videos, websites, SMS messages, etc.
Any use of geo tagging?
• Geotagging can help users find a wide variety of location-specific information.
• For instance, one can find images taken near a given location by entering latitude and longitude coordinates into a suitable image search engine.
Geo Tagging concerns
• Smart phones may allow someone with the necessary technical knowledge to find where you are at every moment, with a few simple clicks?
How to Disable Photo Geotagging on Your iPhone
• Click on Settings
• Go to the General section
• Location Services
• Turn them off
Location Based Services (LBS)
• Update the location privacy settings on your phone, SNs and the applications you use.
• Social Networks with the geotagging facility ON may allow some intruders to link information about you more easily.
• If needed, limit the people who are able to use and see network location services in your SN profile.
• Do you really need LBS? Someone may connect the pieces of information related to your activities, and lead to problems.
Limit your privacy risks
• Don't geo-tag your residence, your friends' house and children's photos.
• Never include GPS coordinates in your tweets, blogs or SN accounts.
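The geotagging slides warn that a photo taken on a smartphone can carry your location in its metadata. The added example below is my own code, not from the presentation, and the JPEG it checks is constructed in memory. It is the pre-upload check a defender would run: walk the JPEG's APP1/Exif segment, follow the GPSInfo pointer (tag 0x8825) in IFD0, and return the embedded latitude/longitude in decimal degrees, or None when there is no GPS IFD or the file is malformed.

```python
import struct

GPS_IFD_TAG = 0x8825                     # IFD0 entry pointing at the GPS IFD
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types


def _exif_payload(jpeg):
    """Walk the JPEG marker segments; return the TIFF block inside APP1/Exif or None."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            return None
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI or start of image data: no more metadata
            return None
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + seg_len
    return None


def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, 4 raw value/offset bytes)} for one IFD."""
    n = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _value(tiff, e, entry):
    """Decode ASCII or RATIONAL values, following the offset when they exceed 4 bytes."""
    typ, count, raw = entry
    size = TYPE_SIZES[typ] * count
    data = raw[:size] if size <= 4 else tiff[struct.unpack(e + "I", raw)[0]:][:size]
    if typ == 2:
        return data.rstrip(b"\x00").decode("ascii", "replace")
    if typ == 5:
        nums = struct.unpack(e + "II" * count, data)
        return [nums[i] / nums[i + 1] if nums[i + 1] else 0.0 for i in range(0, 2 * count, 2)]
    return data


def gps_coordinates(jpeg):
    """Return {'lat': ..., 'lon': ...} in decimal degrees, or None if the JPEG has no
    GPS IFD (a truncated or malformed file is treated as 'no data', not an exception)."""
    try:
        tiff = _exif_payload(jpeg)
        if tiff is None or tiff[:2] not in (b"II", b"MM"):
            return None
        e = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if GPS_IFD_TAG not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[GPS_IFD_TAG][2])[0], e)
        if not {1, 2, 3, 4} <= gps.keys():   # LatRef, Lat, LonRef, Lon all needed
            return None
        lat_ref, lat = _value(tiff, e, gps[1]), _value(tiff, e, gps[2])
        lon_ref, lon = _value(tiff, e, gps[3]), _value(tiff, e, gps[4])
    except struct.error:
        return None

    def dms(parts, ref):
        deg = parts[0] + parts[1] / 60 + parts[2] / 3600
        return -deg if ref in ("S", "W") else deg
    return {"lat": dms(lat, lat_ref), "lon": dms(lon, lon_ref)}


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal JPEG (SOI, one APP1/Exif segment, EOI) carrying GPS tags.
    Fixed little-endian layout: IFD0 at 8, GPS IFD at 26, rationals at 80 and 104."""
    e = "<"
    def rat(vals):  # each DMS component as an integer RATIONAL (numerator/1)
        return b"".join(struct.pack(e + "II", int(v), 1) for v in vals)
    tiff = b"II" + struct.pack(e + "HI", 42, 8)
    tiff += struct.pack(e + "H", 1) + struct.pack(e + "HHII", GPS_IFD_TAG, 4, 1, 26)
    tiff += struct.pack(e + "I", 0)
    tiff += struct.pack(e + "H", 4)
    tiff += struct.pack(e + "HHI", 1, 2, 2) + lat_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack(e + "HHII", 2, 5, 3, 80)
    tiff += struct.pack(e + "HHI", 3, 2, 2) + lon_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack(e + "HHII", 4, 5, 3, 104)
    tiff += struct.pack(e + "I", 0) + rat(lat_dms) + rat(lon_dms)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"
```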
Interesting video from CNET
Facebook security and privacy issues
Part of Facebook profile data is visible to everyone!!!
• Facebook discloses information that it sets as visible to everyone and that you cannot make private.
• This information may include information that is sensitive for you, like your name, profile picture, gender and networks.
• So before you publish, think twice.
Privacy issues
• You also don't want to reveal the city or town where you live, what your daily routine is, or anything that will make it easy for anyone reading your profile to find you in the real world.
• You also don't want to reveal your date of birth or information about your family.
One of Facebook’s basic problems
• Facebook relies on third-party Java applications, so the user is not only entrusting Facebook with her/his login and password but also must trust the third-party applications that provide tools for Facebook users.
• There is a potential danger that the code you're running on the site is malicious or points you to a site that contains malicious code.
Facebook Applications
• Facebook granted programmers free access to the Facebook platform in May 2007, meaning that anybody with the necessary skills could create an application, so the number of Facebook applications has grown impressively.
• Facebook lets you add applications, tiny programs that run inside Facebook itself.
• Facebook applications are small programs that work inside Facebook. They're similar to web browser plug-ins (like video players) in that they let you do something you couldn't do before you installed them.
• They're easy to install and appear on your Applications menu.
Id-theft and Bad reputation
• You also need to be aware if someone has made a profile using your name and contact information without your knowledge.
• This individual can go on to post messages and make statements in your "name" that will be attributed to you.
• Make a Google search typing your own name on a regular basis, or run automatic monitoring tools to be informed if such an event happens.
• Review each one to ensure that they are pages you registered for.
Best Practices
Best Practices
• Think carefully about who you allow to become your friend. Friends may see most if not all of your profile data.
• Assign 'full friend privileges' (being able to access all your full profile data) to a few people only. To the rest assign 'limited friend access'.
• Activate security features in your profile.
Check what you allow to be visible
How to connect in a secure way?
• When you connect to your Facebook profile, someone may hack your credentials (email – password). A hacked profile may completely damage your image/reputation or even your company brand name ... !!!
• So you need to find how to make your profile more secure.
• First step: connect in a more secure way. Use https. How can you activate this feature of Facebook?
Click on the Security tab
Select Secure Browsing and check "Browse Facebook on a secure connection (https) when possible"
Click and ... you may now connect in secure https mode
But are you really secure?
• While you can log in via SSL, once in, the session is unencrypted and session-stealing a Facebook connection is pretty easy (check Nick Barron's articles).
• Several people have tried in the past and in most cases they failed to get sensible action, having reported security vulnerabilities.
• Facebook's security model has a lot of holes.
• Recent errors have temporarily revealed private chat sessions to the public, and it is almost impossible to truly delete data from a Facebook account.
Controlling your Facebook logins
Receive notifications for logins via SMS
Can you remove the tags?
• You control who can see the photos/videos you are tagged in that appear on your Profile.
• But the owner of the photo can still share that photo with people you're not friends with.
• If you don't want your tag to appear, remove it from the photo/video. This will also prevent it from appearing on your Profile.
Make a backup of your FB profile
• What if your Facebook account was suddenly disabled? This has happened to hundreds of users for various reasons, e.g. the Facebook password was forgotten and the password of the email account used for it was hacked.
• Or when opening a second Facebook account using the same email address…
• To avoid this unpleasant situation, download and back up your Facebook data.
• A simple way to back up and archive your information is by using the Archive Facebook Firefox extension.
Someone has hacked your FB profile and changed your email
• You can also get to know the new email id by asking any of your Facebook friends to go to your profile and look for your id (in case the hacker forgot to hide it from the profile).
• Use your security question to reset your password.
• In case you didn't set up any security question on your account previously, you can ask your friends to verify your account.
More security features
Hackers are waiting in the corner...
Log in at www.facebook.com
• Sometimes scammers will set up a fake page to look like a Facebook login page, hoping to get you to enter your email address and password.
• Make sure you check the page's URL (web address) before you enter your login information.
• When in doubt, you can always type "facebook.com" into your browser to get back to the real Facebook site.
• Remember, if you logged in once in your browser there is no need to log in again (cookies do the rest).
What is the Active Sessions page?
• It shows you a list of the recent times you've accessed your Facebook account.
• Each entry includes the date and time you signed into Facebook, your approximate location when signing in, and the type of device you were using to access your account. You will also see the option to end any active session on the right side of each entry.
• Note: The location you see is based on the IP address used to access your account. If you want to know the specific IP information of a login, simply hover your mouse over that session's location data.
Compare people
A not so innocent Facebook application
Votes on yourself... from other people you may not even know...
Joining a Facebook group
• In similar fashion, joining a Facebook group may get you more than you bargained for, granting other members access to your data.
• Be extremely careful before you join the group. Check its reputation beforehand.
Some methods to attack FB accounts
• Keylogging.
• Facebook phishing.
• Virus.
• Social engineering.
• Primary email address hack.
Facebook phishing (an example)
An attacker uploads a fake version of the Facebook login page onto a server and sends you a link to that site. Once you try to log on, it will email your username and password to the attacker.
An example: http://fb12.t35.com/login.html.
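The advice on the earlier slide (check the page's URL before you enter your login information) and the phishing example above can be turned into a mechanical check. This is an added example, not code from the presentation; the trusted-domain set and the sample links are constructed, except the t35.com link, which is the deck's own example.

```python
"""Check whether a login-page URL really belongs to the site you expect.

Added example for the deck's "check the page's URL before you log in"
advice; not code from the presentation. TRUSTED_DOMAINS and the sample
links are constructed (the t35.com link is the deck's own example).
"""
from urllib.parse import urlsplit

# Registrable domains we are willing to type a Facebook password into
# (constructed for this example; a real deployment would load its own list).
TRUSTED_DOMAINS = {"facebook.com"}


def is_trusted_login_url(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Return True only if the URL uses https and its host is a trusted domain
    or a subdomain of one.

    The decision is made on the parsed host, so look-alike tricks such as
    'facebook.com.evil.example' (trusted name as a prefix), 'facebook.com@evil.example'
    (userinfo before the real host) and 'evil.example/facebook.com/login'
    (trusted name in the path) all fail the check.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":      # a plain-http login page is never trusted
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify(urls):
    """Map each URL to 'ok' or 'suspicious' so a batch of links can be reviewed."""
    return {u: ("ok" if is_trusted_login_url(u) else "suspicious") for u in urls}


# Constructed sample links; the t35.com one is the example given in the deck.
SAMPLE_LINKS = [
    "https://www.facebook.com/login.php",
    "https://m.facebook.com/",
    "http://fb12.t35.com/login.html",
    "https://facebook.com.evil.example/login",
    "https://www.facebook.com@evil.example/login",
    "http://www.facebook.com/login.php",
]

if __name__ == "__main__":
    for link, verdict in classify(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```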
Social engineering
• If the attacker knows your address, he tries to figure out your security question.
• He may ask the question and try to determine the answer to the security question, especially if it's something as simple as mother's maiden name.
• Once he has the answer to the security question he will try to reset your password.
Primary email address hack
• All they have to do is gain access to your email.
• Then they will easily be able to hack the Facebook password.
• They just go to Facebook and enter 'forgot password'. It will send to the primary Facebook email instructions on how to reset the password.
To hack any account in seconds
• FireSheep hijacks other people's sessions. In order to break into someone's account, just open up FireSheep, click 'Start Capturing' and it will list all the users in your network that are currently logged on.
• Sites like GMail, Yahoo and Facebook will most likely appear.
• It steals session cookies. From there you can do whatever you want.
• Post on the wall, message someone, or if you wanted even change the password. All this without me ever knowing what the old password was and without leaving a trace.
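The weakness this slide and the earlier "once in, the session is unencrypted" slide describe comes down to a session cookie that the browser will also send over plain http, where anyone on the same network can read and replay it. Below is an added example, not code from the presentation, that audits constructed Set-Cookie headers for the Secure, HttpOnly and SameSite attributes a session cookie needs; the cookie names and the SESSION_NAME_HINTS list are assumptions.

```python
"""Audit Set-Cookie headers for the weakness the deck describes: a session
cookie without the Secure attribute is sent over plain http too, so a
passive sniffer on a shared network can capture and replay it.

Added example, not code from the presentation; it uses no real Facebook
headers. The header lines and name hints below are constructed.
"""
from http.cookies import SimpleCookie

# Substrings that, in this constructed example, mark a session identifier.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value: str) -> dict:
    """Return {name, secure, httponly, samesite} for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    (name, morsel), = jar.items()           # one cookie per Set-Cookie header
    return {
        "name": name,
        "secure": bool(morsel["secure"]),   # flag attributes are True or "" in SimpleCookie
        "httponly": bool(morsel["httponly"]),
        "samesite": morsel["samesite"].lower() or None,
    }


def audit_session_cookies(headers):
    """Map each session-looking cookie name to a list of findings (empty = hardened)."""
    findings = {}
    for h in headers:
        c = parse_set_cookie(h)
        if not any(hint in c["name"].lower() for hint in SESSION_NAME_HINTS):
            continue                        # preference cookie, nothing to protect
        problems = []
        if not c["secure"]:
            problems.append("no Secure: also sent over http, capturable by a sniffer")
        if not c["httponly"]:
            problems.append("no HttpOnly: readable by script injected into the page")
        if c["samesite"] not in ("lax", "strict"):
            problems.append("no SameSite=Lax/Strict: sent on cross-site requests")
        findings[c["name"]] = problems
    return findings


# Constructed headers: a weak session cookie, a hardened one, and a preference cookie.
SAMPLE_HEADERS = [
    "sessid=abc123; Path=/",
    "authtoken=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    "lang=en; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
]

if __name__ == "__main__":
    for name, problems in audit_session_cookies(SAMPLE_HEADERS).items():
        print(name, "->", "OK" if not problems else "; ".join(problems))
```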
Recommendations
• Be careful when clicking on links that you receive unexpectedly from your friends.
• Only download software from websites you know and trust. Always check and verify the URL before opening the link, e.g. by using the WOT (Web of Trust) Firefox extension.
• Enable a firewall on your computer.
• Make sure you have an up-to-date web browser equipped with an anti-phishing blacklist.
• Use up-to-date antivirus s/w and get the latest O/S updates.
• Make sure you've set up a security question on all of your online accounts. This will come in handy if you ever lose access and need to prove who you are.