3 Ways to Keep Your Personal Information Secure
How to secure your personal information by being smarter online.
With so many social platforms, it’s easy to share information without realizing you may be sharing too much. In today’s world, you can pretty much find basic information like age, gender, and general location of anyone that has a digital presence. And for those that are careless with their social accounts, you can learn much, much more.
Over the last decade, what’s called open-source intelligence (OSINT) has become a very popular way to gather data on individuals or organizations. OSINT is the practice of collecting and analyzing publicly available data on an individual or group in order to obtain information and other details related to the person or group.
The key to effective OSINT is gathering multiple data points and being able to put those pieces of data together to derive information about the target.
While OSINT is used for good, for example, to help law enforcement solve criminal cases or help organizations defend against cyber threats, it’s also used by the malicious individuals behind the cyberattacks.
This is why it’s so important to be hypersensitive to the data you expose to individuals and on the internet. Even if you think a piece of information can’t do you harm, it might serve as a data point in the event someone is performing OSINT on you.
In this article, I’ll be discussing three ways you can improve the security of your personal information and ensure you don’t put yourself at risk of falling victim to cyber crimes like identity theft and fraud.
Don't overshare on social media
As I mentioned, it’s become all too easy to overshare on social media. Many of us don’t hesitate to post pictures of our night out at a good restaurant or a weekend getaway and use the geo-tag feature to share our exact location.
While you can argue it’s not public information if you have robust privacy configured on your profile, nothing you put on the internet is 100% protected from being publicly exposed. When a friend or connection comments or likes your post, it might show up in a mutual friend’s feed, exposing your post to someone you aren’t connected with.
This might not seem like a big deal, but it’s just one example of how something you post on your profile can be seen by someone who doesn’t personally know you.
In addition to that, it’s also important to be conscious of the type of information you’re making available to anyone on the internet.
Have you ever seen those viral Facebook posts asking people to comment their pet's name or the model of their first car? Did you ever stop to consider that these pieces of information are also common security questions required to reset your password? The thousands of comments that are posted in response to posts like that are like a gold mine for malicious individuals.
Not only does sharing too much on social media put you at risk for being a victim of a hacked account or identity theft, but it also makes you a perfect target for social engineering.
If you’re constantly taking to platforms like Twitter or Facebook to write about what’s going on in your life, social engineers can take advantage of that information. As I mentioned, OSINT methodologies have made it much easier to piece information together so it can be used to pose as you or compromise your accounts.
When it comes to social media, the less you share the better. It’s best to consider anything you post to be public, so if the post you’re about to share isn’t something you’d want the whole world to see, don’t publish it.
Don't enter sensitive information on insecure sites
Another way that individuals inadvertently expose their personal information is by entering it on sites that aren’t secure. Without getting too into the weeds, there are generally two web protocols a site can be operating on: HTTP or HTTPS.
HTTPS is the more secure successor of HTTP and the S actually stands for Secure! When a site uses HTTPS to communicate between your device and the backend web server, all of the traffic being sent back and forth is encrypted.
Without this added security, the data being sent back and forth is in cleartext and can be seen by anyone eavesdropping on the traffic. This obviously isn’t a good thing, especially if the site processes authentication requests, online payments, or other sensitive data like social security numbers, bank account numbers, healthcare information, etc.
So how can you tell if a site is using HTTP (insecure) or HTTPS (secure)?
Always check for the little padlock icon in the address bar prior to entering a username and password, providing payment information, etc. In any browser, a site that’s secure will have a locked padlock to the left of the URL:
When a site isn’t secure, most browsers will highlight this by replacing the padlock with a “Not Secure” message:
Another way to check is by double-clicking into the address bar after a site loads. This will show the full URL including the HTTP/HTTPS prefix:
If you’re ever in a situation where you’re about to fill out personal information on a form, set up an account, or provide payment information and notice the site isn’t secure, don’t proceed! Treat this as the equivalent of throwing out a credit card without cutting it up or throwing away sensitive documents without shredding them.
Any information you enter into an insecure site is at risk of being stolen so it’s best to avoid it at all costs.
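The same HTTP-versus-HTTPS check can be automated, shown here as an added example that is not part of the original article. It goes one step beyond the address bar: the padlock describes how the page was loaded, so the code also checks where the form sends its data. The form description shape, the finding names and the `shop.example` URLs are constructed for illustration.

```javascript
// Added example: would data typed into this form travel encrypted?
// A form is described as { action, fields: [{ name, type, autocomplete }] },
// a constructed shape standing in for what a browser extension reads from the DOM.
const SENSITIVE_AUTOCOMPLETE = /^(cc-|current-password|new-password|one-time-code)/;

function isSensitiveField(field) {
  return field.type === "password" ||
    SENSITIVE_AUTOCOMPLETE.test(field.autocomplete || "");
}

// Returns a list of findings; an empty list means nothing sensitive
// leaves the browser unencrypted.
function auditForm(pageUrl, form) {
  const page = new URL(pageUrl);
  // An empty or relative action resolves against the page URL, as browsers do.
  const target = new URL(form.action || "", page);
  if (!form.fields.some(isSensitiveField)) return [];

  const findings = [];
  // The page itself came over cleartext HTTP ("Not Secure" in the address bar).
  if (page.protocol !== "https:") findings.push("insecure-page");
  // The form posts to an HTTP endpoint, even if the page shows a padlock.
  if (target.protocol !== "https:") findings.push("insecure-action");
  return findings;
}

// Constructed sample pages.
const samples = [
  { page: "https://shop.example/checkout",
    form: { action: "/pay",
            fields: [{ name: "card", type: "text", autocomplete: "cc-number" }] } },
  { page: "http://shop.example/login",
    form: { action: "", fields: [{ name: "pw", type: "password" }] } },
  { page: "https://shop.example/login",
    form: { action: "http://auth.shop.example/session",
            fields: [{ name: "pw", type: "password" }] } },
];

for (const s of samples) {
  const findings = auditForm(s.page, s.form);
  console.log(s.page, "->", findings.length ? findings.join(", ") : "ok");
}
```
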
Never share a password or multi-factor token
Continuing the theme of ways to protect your sensitive information, the last tip is related to passwords and multi-factor verification codes. Many tech professionals take this as common sense, but unfortunately, people share passwords all the time. And I’m not talking about your Netflix or Hulu password because I can relate to that.
I’m more referring to situations like this Jimmy Kimmel experiment that went viral back in 2015:
When asked, people provided their passwords without hesitation or said things like, “it’s my cat's name and a number”, then proceeded to say what their cat's name was and the number they used.
What many people fail to understand is that your passwords are to your accounts what your social security number is to your identity. Being careless with them, or with your multi-factor tokens, puts your accounts at risk, which is why it’s so important to be mindful of the information you’re giving away.
Oftentimes, malicious individuals don’t gain access to accounts by “hacking their way in”. They pose as someone people trust and convince individuals to share their password or MFA verification code with them.
This happens all too often in scenarios where the malicious actor is posing as tech support. We tend to blindly trust people we think are trying to help us, but even in these circumstances, technical support should never ask you for your password. If they do, that’s a red flag for sure.
With the rise in MFA (multi-factor authentication), malicious actors are leveraging similar social engineering techniques to get people to provide their verification codes. Like your passwords, your MFA tokens are yours and only yours. They’re not codes you should provide to anyone under any circumstances.
Moral of the story? Don’t share your passwords or multi-factor tokens with anyone!
The digital age we live in has made it all too easy to share information with one another, but we can’t let our guards down. It’s become increasingly important to safeguard our personal information and take precautions to protect ourselves.
By keeping the three things below in mind as you’re surfing the web, posting on social media, or paying bills, you can ensure you’re using the internet safely and protecting your identity, accounts, and other sensitive information:
Don’t overshare on social media — avoid posting anything you wouldn’t want the entire world to see because once it’s online, it’s there forever.
Don’t enter sensitive information on insecure sites — always check that the site you’re using has a padlock icon in the address bar or that its URL starts with https:// and not http://. If it’s showing as “Not Secure”, avoid entering any passwords, payment information, etc.
Never share passwords or multi-factor tokens — under no circumstances should someone ask you for your password or multi-factor code, especially when dealing with technical support or customer service. Treat these things like you do your social security and bank account numbers.