
Why You Shouldn’t Answer Facebook Posts Asking Seemingly Benign Questions

Within the past 30 minutes, three of my Facebook friends have answered posts from “Thinkarete Lifestyle”, and I about fell out of my chair. Let me explain why, and why you should not do this.

In short, these questions are designed to get you to expose little bits of information which, when they are all put together, provide enough pieces of the puzzle for an attacker to assume your entire identity.

Question 1: Only 800 seats are left in Heaven, the last three digits of your phone number determine if you get in…. what’s yours?

These days, most people use their smartphone cell number as their primary phone number. Your smartphone is the device you use to carry out your most sensitive activities — online banking, online shopping, virtual payment cards, and of course your contacts, etc. Ah, and let’s not forget your smartphone knows the exact GPS coordinates of your home… and your smartphone knows when you are not at home.

Why is giving just the last three digits a big deal?

Because your area code and prefix are not hard to figure out. There are not a gazillion plausible combinations for your region, and trying them all isn’t hard. But doesn’t that still leave one digit unknown? Yes, but that one digit has only 10 possibilities.

And let’s not forget that the general public got your last three digits and your name, by virtue of you answering that public post.

So with your name and phone number, you are about halfway to being p0wned.

P0wned?

Yes, that is a term the industry uses to mean “completely owned”, or “defeated”. In the context of personal security, it means an attacker can pretty much have their way with you. You don’t want to be p0wned — it is not a good thing.

Your Smartphone is the Attacker’s Holy Grail

As we said earlier, you use your smartphone for all kinds of sensitive things. In addition, your smartphone also has access to your primary email account — that email address you used as the “recovery email” on all those sites? Yeah. They want access to all of that stuff. It’s the grand score of a cyber criminal targeting an individual.

But They Don’t Have My Date of Birth!

True, and kudos for being a savvy reader. In order to take over your smartphone account, they need more than just your name and phone number. Date of birth comes into play too. And that leads to the next question I saw today:

Question 2: Today your age is your age with the digits reversed… how old are you?

This one gives your age away, and with it your birth year: that is one-third of your birthdate right there. The birth year is also an excellent starting point on its own, because from the age the attacker gets a general sense of the person. For example, older people tend to be more likely to fall for scams. And, older people tend to have more wealth accumulated.

Just by answering this one question, you have exposed your age which attackers will use to “profile” you and determine how interested they are in further attacks. Of course, they have your name too, since you replied to a public post.

Birth Month

Perhaps you answered a question 3 years ago along the lines of “the month you were born in determines how much money you will retire with… what’s your month?”

Ok, so now they have your birth month… and perhaps a few months ago you answered a question like:

The Day of the Month You Were Born On Determines What Celebrity You Will Marry… What’s Yours?

Ok, so now they have your full birthdate, along with your name and your phone number. Now they get to work, posing as you to call your cell phone service provider, your bank, and pretty much everywhere else, claiming they forgot their password and no longer have access to their email for password recovery.

Most companies these days won’t “recover” an account based on a phone call alone, without some form of ID also being provided. Well, as it turns out, when you answered those questions the attackers also got your picture. And from your name, phone number, etc. they will get your address.

With all of that, they can craft a very convincing fake driver’s license to send to the agent. Keep in mind, it’s a digital document, so the agent doesn’t get to touch it, feel it, or scrutinize it. Any flaw the agent points out can be waved away with “that happened when I scanned it, sorry”.

You Get It Now, Right?

The concept is simple: each time you answer one of these questions, you give out just a little bit of your personal data. But when it is all put together, your entire identity can be stolen. That is why answering these questions is a really, really bad idea.

Seems Unrealistic — Attackers Aren’t Going to See All These Different Posts and Answers!

Except, they are. The easiest way for attackers to harvest this data is by looking at all your replies to that same poster. In today’s example, that is “Thinkarete Lifestyle”. Guess what is easy to do via the Facebook API?

It is easy to programmatically retrieve all public posts by that poster along with all the comments, and then programmatically organize them and piece the answers together per person.

And even if the questions aren’t all by the same poster, there are but a handful of the most common “companies” that post these kinds of probing questions.
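To make that aggregation concrete from the defender’s side, here is an added example that is not part of the original post and does not touch any Facebook API. It takes a constructed set of public quiz replies (sample data, not real people), groups them by commenter, maps each quiz question to the identity field it leaks, and reports which pieces of the account-recovery profile described above are already exposed and which are still missing. The question patterns, field names and the `SAMPLE_COMMENTS` data are all assumptions made for this example; the point is to audit your own past replies, not to collect anyone else’s.

```python
import re
from collections import defaultdict

# Constructed sample data: the kinds of quiz posts described in the article
# and one person's public replies to them. Nothing here is real.
SAMPLE_COMMENTS = [
    {"poster": "Thinkarete Lifestyle", "commenter": "Jane Example",
     "question": "Only 800 seats are left in Heaven, the last three digits of "
                 "your phone number determine if you get in... what's yours?",
     "reply": "742 lol"},
    {"poster": "Thinkarete Lifestyle", "commenter": "Jane Example",
     "question": "Today your age is your age with the digits reversed... how old are you?",
     "reply": "I'm 58, so 85?"},
    {"poster": "Daily Fun Quizzes", "commenter": "Jane Example",
     "question": "The month you were born in determines how much money you "
                 "will retire with... what's your month?",
     "reply": "March!"},
    {"poster": "Daily Fun Quizzes", "commenter": "Jane Example",
     "question": "The day of the month you were born on determines what "
                 "celebrity you will marry... what's yours?",
     "reply": "the 14th"},
    {"poster": "Thinkarete Lifestyle", "commenter": "Bob Sample",
     "question": "What childhood movie traumatized you the most?",
     "reply": "Bambi"},
]

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")


def _last3(reply):
    """Three-digit group in the reply, as leaked by the 'seats in Heaven' quiz."""
    m = re.search(r"\b(\d{3})\b", reply)
    return m.group(1) if m else None


def _age(reply):
    """First plausible age in the reply (1..120)."""
    m = re.search(r"\b(\d{1,3})\b", reply)
    if m and 1 <= int(m.group(1)) <= 120:
        return int(m.group(1))
    return None


def _month(reply):
    """Month number 1..12 from a full name or three-letter abbreviation."""
    text = reply.lower()
    for number, name in enumerate(MONTHS, start=1):
        if re.search(rf"\b({name}|{name[:3]})\b", text):
            return number
    return None


def _day(reply):
    """Day of month 1..31, tolerating '14th'-style ordinals."""
    m = re.search(r"\b(\d{1,2})(?:st|nd|rd|th)?\b", reply)
    if m and 1 <= int(m.group(1)) <= 31:
        return int(m.group(1))
    return None


# (pattern identifying the quiz question, field it leaks, extractor for the reply).
# Order matters: "day of the month ... born" must be tested before the looser
# "month ... born" pattern, and only the first matching rule is applied.
RULES = [
    (re.compile(r"last three digits.*phone", re.I), "phone_last3", _last3),
    (re.compile(r"how old are you", re.I), "age", _age),
    (re.compile(r"day of the month.*born", re.I), "birth_day", _day),
    (re.compile(r"month.*born|born.*month", re.I), "birth_month", _month),
]

# The pieces the article says an attacker wants before posing as you on a recovery call.
IDENTITY_FIELDS = ("name", "phone_last3", "age", "birth_month", "birth_day")


def build_profiles(comments):
    """Group public replies by commenter and record the field each reply leaks."""
    profiles = defaultdict(dict)
    for c in comments:
        prof = profiles[c["commenter"]]
        prof["name"] = c["commenter"]          # a public reply always exposes the name
        prof["questions_answered"] = prof.get("questions_answered", 0) + 1
        for pattern, field_name, extract in RULES:
            if pattern.search(c["question"]):
                value = extract(c["reply"])
                if value is not None:
                    prof[field_name] = value
                break
    return dict(profiles)


def exposure(profile):
    """Return (fields already leaked, fields still missing) for one profile."""
    have = [f for f in IDENTITY_FIELDS if f in profile]
    missing = [f for f in IDENTITY_FIELDS if f not in profile]
    return have, missing


if __name__ == "__main__":
    for name, prof in build_profiles(SAMPLE_COMMENTS).items():
        have, missing = exposure(prof)
        print(f"{name}: {len(have)}/{len(IDENTITY_FIELDS)} identity fields exposed; "
              f"missing {missing or 'nothing'}")
```

Run against the sample, Jane Example has all five fields exposed from four harmless-looking replies spread over two posters, while Bob Sample has only his name out there. The same join is what makes the aggregation the article describes trivial, so the useful exercise is to run it over your own comment history and close the gaps it finds.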

Perhaps, the Site Actually Exists Just to Harvest Your Data?

I am not saying Thinkarete Lifestyle is a fake site set up just to get you to disclose your personal data bits, but I am simply saying you should consider the possibility.

Even if they mean no harm and are legit, there is no good reason to be asking these questions. Just sayin’

Another Question: What Childhood Movie Traumatized You the Most?

As I was writing this, yet another friend answered this question. While it doesn’t give away much personal information, it does give away some. When you answer it, you expose your name and picture, and your answer lets potential attackers profile you — they get an idea of how old you are from the movie you name. Again, older people tend to be targeted disproportionately.

Conclusion

In this article, we talked about personal data security, and why it is a very bad idea to answer public social media posts which give away bits of your personal data.

Oh No, I Already Did It! What now?

Just be more mindful and careful in the future. Think back over the questions you have answered, and if you think you have given enough away to be exposed, then it would be a good idea to put additional protections on your most sensitive accounts and to “lock” your data at the credit bureaus so that no one can run a credit inquiry.

It is always a good idea to have two-factor authentication enabled for your most critical accounts. If you have already divulged bits of personal data, then I’d say it is a must.

But then again, I’d say it is a must even if you haven’t divulged any bits.
