
Through the hacker’s eyes: how to be secure on social media

Our investigation into ID theft saw information from social media sites used to obtain a credit card under false pretenses. Ken helped us mine the user profiles – here are his tips for preserving your privacy online.

Social media sites make it easy to update friends and family on what’s happening in our lives. But that same information could be used against you. User profiles typically document names, birthdays, hobbies, family members, when and where you went on holiday, and where you live and work.

This presents a mine of information that hackers could use to impersonate you, run up debts in your name, hack your bank account or destroy your online life.

So here are my easy-to-do tips, so you can stay secure on social media:

1.  Activate privacy settings

Double check that your profiles are private, so that you have control over who can see your information. Social media networks have improved their privacy settings but these are often opt-in. You can manually adjust your settings on your profile page, restricting who can see your posts, photos and user profile, and it’s even possible to restrict the visibility of past posts.

Bear in mind that social networks often make money from your data, so they don’t always make securing your profile that easy. It’s not just Facebook, LinkedIn and others: don’t forget older social networks. They might be out of fashion, but your data may still be on them.

2.  Be choosy

Go through your friends list and make sure you personally know all of them. Avoid tagging people in photos to help protect others’ identities. Be suspicious of friend requests from people you don’t know, even if they say they know family or friends or met you in a location you know. You could look at creating a separate work and personal profile.

3.  Be selective when posting

Think about what information you are sharing. An innocent birthday photo could tell hackers when your birthday is, even if you have obscured this information in your profile. Think about whether posts divulge a place or event (such as your front door in the background of a photo) and deactivate geolocation settings. If you’re far from home, an attacker might just decide it’s an opportune moment for a burglary.

4.  Maintain your machine

Use and update anti-virus or security software for both fixed and mobile devices. Protect access to your mobile and tablet by setting up a PIN. Otherwise, if your device is lost or stolen, your social media account could easily be hijacked and the attacker can masquerade as you, potentially compromising not just you but also your friends and family.

5.  Think physical as well as virtual

Ensure you are on the edited version of the electoral roll to prevent hackers from obtaining your home address. Shred or burn physical documentation to avoid personal details being stolen from your bins – many organisations ask for a utility bill as proof of address.

Has your social media profile ever been compromised? Have you ever suffered from ID theft? Do you have any further advice to share?

Which? Conversation provides guest spots to external contributors. This is from Ken Munro, a senior partner at Pen Test Partners, the ethical hackers who helped us in our investigation. All opinions expressed here are Ken’s own, not those of Which?.

Comments
Member
wavechange says:

Ken suggests that we use and update security software for both fixed and mobile devices. I know what to do with my laptop and desktop machines but I haven’t a clue about how to keep an iPhone secure, other than by keeping the operating system and apps up to date.

I doubt that I am the only one who is waiting for Which? to give us advice on how to keep our mobile devices secure.

Member
alfa says:

I have used Kaspersky on my desktops and laptops for many years with no problems. I know they do mobile phone security although I haven’t used it but would do so if I decided to use my mobile on the internet.

Member
wavechange says:

Thanks Alfa, but Kaspersky don’t offer a product for iPhones.

Member
bib1 says:

If you Google ‘iPhone security’ you’ll find some useful tips on screen-locking, private browsing, passwords, etc. – but not so much about anti-virus type products.

Most techies agree that iPhones and iPads don’t need any such products – in the real world there just aren’t any threats to Apple devices.

It’s a different story with other operating systems – Android and Windows phones/tablets are vulnerable to loads of attack methods.

Rerun your Google search replacing ‘iPhone’ with ‘Android’ and you’ll see what I mean – plenty of security products on offer ……..

Member
william says:

bib1, Think where Apple are winning here is that apps are vetted before going onto the AppStore, so the only way you’ll get issues with their apps is if you download them from other places.

Android just let anyone post apps and therein lies the problem.

FYI that used to be the case not sure if it still is.

Member
wavechange says:

Thanks both. I’m not too worried because the only financial transactions I’ve made on the phone are to buy the odd app. My banking etc is done on a computer, which is protected.

Member
Patrick Taylor says:

Just a piece of an article on mobile phones:

“Why Your iPhone Will Inevitably Catch A Virus – ReadWrite – Mozilla Firefox
http://readwrite.com/2013/09/05/kaspersky-the-ios-malware-dam-will-break

” Not that Apple’s iOS is in the clear. While Apple’s closed approach to development makes it a harder target to crack, this same secretive approach makes it dramatically more vulnerable once iOS’ security is hacked.

And it will be, according to Kaspersky, as he told The Wall Street Journal:

[T]he most dangerous scenario, I am afraid, is with iPhones. It’s less probable because it is very difficult to develop malware for iPhones, because the [operating] system is closed [for outside programmers]. But every system has a vulnerability. If it happens – in the worst case scenario, if millions of the devices are infected – there is no antivirus, because antivirus companies don’t have any rights to develop true end-point security [for Apple].

In other words, there’s no problem until there’s a problem. And then the problem is huge.”

The celebrity photo hack recently shows that all is not perfect in the Apple world.
” Some security experts have faulted Apple for failing to make its devices and software easier to secure through two-factor authentication, which requires a separate verification process after users log in initially.”

Member
bib1 says:

@william:
Yeah, spot on.
It’s Apple’s control of iOS apps that keeps them secure.
Doesn’t matter where you download your apps from – you can’t install a non-Apple-approved app unless you have ‘jailbreaked’ your iPhone/Pad.

Android-world is a free for all, just like Windows – and that route just leads to more revenue for the anti-virus vendors.

Member
bib1 says:

@dieseltaylor:

Call me a grizzled-old-cynic but ….. Eugene Kaspersky makes a loada dosh out of poorly secured software.
Kaspersky said, “because antivirus companies don’t have any rights to develop true end-point security [for Apple]”.

Do any independent security experts agree with him?

Also, I thought the iCloud ‘celebrity photo hack’ was just a case of weak, easily guessed passwords?
There were no claims that Apple’s security was breached – unless of course, you read the Daily Express ………

Member
william says:

@bib1, The photo hack was partly due to weak passwords but mostly down to Apple’s system. Apparently you could keep trying passwords over and over again without hitting any barriers so any brute strength attack was sure to break through.

I gather that Apple have added things to slow such attacks down now, horse, stable door spring to mind.

Member
bib1 says:

@william:
Thanks for the correction – my bad.
I hadn’t realised before that the photo hack was through Find My iPhone which allowed unlimited password attempts (now limited to 5 attempts before locking out).

Member
Alex Toplis says:

Hi everyone, we’re currently testing mobile security apps. We’re due to have a print report out by Jan 2015, with results online around 15th December. But in the meantime, we do have some info online about mobile phone security: http://www.which.co.uk/technology/phones/guides/mobile-phone-security/

Member
william says:

Your point 3, although for many is blindingly obvious, too many people don’t think when they post.

A fairly well known celebrity posted a photo on Twitter a few months back thanking a group of people who helped her outside her house. Sadly there was enough info in that photo to work out exactly where she lives down to the street name and number. Thankfully she’s now removed it.

Another celebrity posted a photo of a PETA lawyers letter she’d just received, with her name and address not redacted. Luckily within 30 mins after several people replied telling her, she removed it.

So please please take care with your posts.

Member
Patrick Taylor says:

Twitter – many people do not have great judgement as shown by william’s example, and I cannot see that it will ever be possible to educate everyone on the problems of leaping to Twitter to vent feelings or cause offense.

If you are an investor following the travels and new friends of a company’s sales force it can be interesting if not really conclusive. LinkedIn being the primary source. Essentially if you have a web presence privacy is very difficult to maintain. Even what your spouse or children do can reveal details about you indirectly.

Member
Sophie Gilbert says:
23 October 2014

No 6. Don’t have a social media account. You don’t need one.

Member
Patrick Taylor says:

As Sophie suggests you don’t need them ….

http://www.marketwatch.com/story/does-facebook-break-up-marriages-2014-07-07

http://www.marketwatch.com/story/facebook-wants-to-be-less-annoying-2014-04-23

http://mashable.com/2014/04/07/twitter-use-divorce/

There is a lot of pressure on people to use social media which may be convenient if you are an organisation but the downsides perhaps have been obscured. Commercial pressures where people can make money from the public once they are hooked is a very powerful force.

Member
renniemac says:
26 October 2014

I do have a Facebook page, but it is only open to people I know; I don’t accept friend invites from people I don’t know. I am very security conscious because of banking and such like. You don’t want just anybody to access your page. Be careful. Don’t put in info that can be used: school, job, dob, as stated by Which?. The less info about you out there, the less chance of being hacked. Also, don’t wait for anti-virus software to do routine scans; do some full computer scans manually. It doesn’t take long and gives peace of mind. On a final note, I believe all hackers small or large should automatically carry a prison stay. Let’s face it, if it wasn’t for hackers there would be no need to buy anti-this or that.

Member
Patrick Taylor says:

http://www.huffingtonpost.co.uk/2014/10/23/facebook-uk-corporation-tax_n_6032880.html?

Just to remind us that paying tax is for mugs. Another reason for avoiding social networks and making them seem important.

Member
alfa says:

One thing that has not been mentioned is deleting flash cookies. These supposedly store a lot more info than normal cookies.

As you travel round the internet, you are being tracked, ads targeted at you etc. Before I login or purchase anything I always delete all temporary files, cookies and flash cookies.

You can also stop flash cookies being stored on your pc from the macromedia website.

Member
william says:

Depending on your browser you can always just use the incognito or private browsing setting.

Member
Patrick Taylor says:

http://www.theregister.co.uk/2014/10/30/smart_meter_hackable_for_free_electricity_say_security_reserachers/

Just to show how much thought goes into these “essential” devices. Given the cost and the miserly benefit can we please have a campaign from Which? to nail it dead?!!