TALKING TECH

Be careful before posting about your 10 concerts

Jefferson Graham
USA TODAY

LOS ANGELES — Before you join in with the social media crowd and let everyone know about the first concert you attended, you might think twice — hackers would love to have this information.

This week, one of the most popular Facebook memes had people asking friends to figure out which of 10 concerts they didn’t really attend, and the posts have often been accompanied by a note about the first concert they ever saw.

This is a common security question, along with the name of the street you grew up on and your first job — and it’s the sort of information that hackers can use to break into your online ID.

“I typically advise people not to answer those questions. It’s not worth it,” says Tom Gorup, director of security operations for Rook Security in Indianapolis.

He believes the Facebook meme probably started as good-natured fun — like the recent Ice Bucket Challenge for charity — but as it grew in popularity, it could signal to hackers that good, readily available online information was there for plucking.


In fact, a Rochester, NY-area DJ, Tommy Casserino, says he's the one who started the posts as a way to cut down on all the negativity posted on social media. "I was sick and tired of going on Facebook and hearing all of the negative posts, everybody hates people," he said, according to the Rochester Democrat and Chronicle.

But now that it's out there, Facebook users should be worried if they're sharing a lot of information in a public setting.

“If I’m a hacker, I’m taking full advantage of this,” says Fatemeh Khatibloo, an analyst with Forrester Research. Her advice — delete the concert posts today or set them to private. “Don’t make those kinds of answers about your life public.”

Banks and other financial institutions often use security questions to guarantee your identity. Experts say don’t answer them. Opt for an impossible-to-answer password instead.

“A bank asks to know my mother’s maiden name — spend 10 minutes online and you can find it out,” says Emmanuel Schalit, CEO of Dashlane, a popular password manager. He instead generates a password of numbers, letters and symbols that would make no sense to anyone, and stores it within his Dashlane manager. “This will never be guessed by anyone, because it can’t,” he says.

Andy Williams, a New York-based photographer, said on Facebook Saturday that he deals with security questions by answering with lies.

"First kiss: Farrah Fawcett", "Favorite Color: polka dot", "Street You Grew Up On: banana", "Mother's maiden name: thermostat."

Finally, not everyone is spooked.

“I just don't think most of us are that stupid to post something publicly that would be an answer to a security question,” said Theresa Corigliano, a Los Angeles writer, on Facebook Saturday.

“I think we’re all getting a little paranoid,” says Per Thorsheim, a Norway-based security expert. “People said you should never post on Facebook that you’re going on vacation and when you’re coming back, because someone will read that and come clean you out, but I do it all the time, and I have had no problem posting vacation photos.”
