Facebook top 10 concert lists may be security risk

Comparing lists on social media of the top 10 concerts you have ever attended seems like a harmless enough pastime.

But there are warnings that the recent Facebook craze could actually be a risk to our online security.

The first gig you went to is often one of the security questions which banks and other organisations ask when setting up an account - and revealing that information online, even in an innocent online post, could make you more vulnerable to hackers.

"I wouldn't do it," said Prof Alan Woodward, from the University of Surrey.

"But it's difficult to tell people not to take part, as it is part of their social interaction and has become the norm.

"What I would say is to think very carefully about what you are putting into the public domain."

Prof Angela Sasse, director of the UK Research Institute in Science of Cyber-security, said she feels that the companies are to blame for any security breach rather than individuals.

"The risk is not so much publishing these lists, rather that somebody thinks it is a good idea to use questions like that as security credentials," she told the BBC.

"Companies are violating the security principle that the way of authenticating people should be private - such as a password or PIN - rather than something that is publicly available."

People are often warned not to post their holiday photos on social media sites in case it alerts potential burglars to the fact that their house is unoccupied.

However, Prof Woodward said it is very difficult to prove if homes are targeted as a result of people showing their friends a picture of themselves on the beach.

"It is practically impossible to correlate numbers of burglaries of holidaymakers who are active on social media - but what is clear is the more personal information you put out there, the more is likely to be used by hackers."


'Not stupid'

There had been some suggestions that the concerts question had been set up by the criminal underworld, but Prof Woodward dismissed that theory.

He told the BBC: "This is not something that cyber-criminals would concoct - but they are not stupid and they will see the potential in it.

"It is better for them to co-opt on to something that is part of the mainstream rather than produce something new, as people tend not to trust new things."

You might think that turning up your Facebook privacy settings may eliminate the risk in sharing a list of your favourite gigs - but Prof Woodward is not so sure.

"How do you know the list you are responding to actually comes from who says it comes from?" he said.

"You think you know who you are talking to but you can't be 100% certain. If my email account gets hacked, my friends get emails apparently from me asking for some information. The same sort of thing could potentially happen with these lists."

Prof Sasse added: "The privacy settings are too complex and when privacy policies change, people often have to do it all over again which doesn't help them."


Facebook's top six security tips to keep your account safe:

  • Protect your password
  • Use Facebook's security features
  • Make sure your email account(s) are secure
  • Log out of Facebook when using a shared computer
  • Run anti-virus software on your computer
  • Think before you click or download anything

Source: Facebook


Security for online accounts is becoming more sophisticated, however, and Prof Woodward said there are easy ways for people to improve their personal safety on the web.

"One thing banks and other companies can do is get you to specify the question you need to answer to access your account, rather than using stock questions.

"Two-factor authentication is an obvious way of making accounts more secure. A lot of banks make it available, but not everybody turns it on - in some cases it is only an option, but I think it will increasingly be there by default.

"People should also use a password manager that will generate proper strong passwords which will also mean they are not using the same password for their accounts.

"The best password is one you can't remember."
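The two-factor authentication Prof Woodward recommends usually takes the form of a time-based one-time code from an authenticator app, which unlike a "first concert" answer is derived from a secret that is never published. The following is an added illustration, not code from the article or from any bank or from Facebook: a standard-library implementation of RFC 4226 HOTP and RFC 6238 TOTP, with a verifier that tolerates one step of clock drift. The secret generator and function names are the example's own choices; the test key is the one from the RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the Unix time divided by the step."""
    return hotp(key, for_time // step, digits)


def verify_totp(key: bytes, submitted: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or its immediate neighbours.

    The comparison is constant-time so the check leaks nothing about how many digits matched.
    Callers should also rate-limit attempts; a 6-digit code alone is small enough to brute-force.
    """
    for drift in range(-window, window + 1):
        candidate = totp(key, now + drift * step, step, len(submitted))
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def new_shared_secret() -> str:
    """Generate a fresh random 160-bit secret, base32-encoded as authenticator apps expect.

    This is the private value the bank would show as a QR code at enrolment; it is the
    opposite of a 'first concert' answer in that nobody but the two parties ever sees it.
    """
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference key; a real deployment uses new_shared_secret().
    demo_key = b"12345678901234567890"
    print("code at T=59:", totp(demo_key, 59))          # 287082
    print("accepted:", verify_totp(demo_key, totp(demo_key, 59), 59))
    print("fresh secret:", new_shared_secret())
```

The verifier's one-step window is the usual compromise between phone clocks that drift and the desire to keep each code valid for as short a time as possible; widening it beyond a step or two weakens the "one-time" property.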