Securing LinkedIn - At least to safeguard your connections

LinkedIn can be a treasure trove for unethical hackers: it can lead to loss of private data and poses a serious threat to an organization's security. It can also be used by unethical hackers to spread malware. In recent news, unethical hackers/criminals created fake accounts pretending to be recruiters and gained access to personal information. Criminals can launch phishing attacks using an email address, and gaining access to one host can compromise several hosts within the network and the organization. So one can imagine how critical an email address is.

With rising cyber espionage, one has to be careful about whom you connect with and what information you share. To safeguard connections, one has to ensure that they safeguard their own account. One account breach can spread malware to all your connections and can have a devastating effect on several other organizations.

Here are some of the things one can do to understand the risks and add security. These are just my views and suggestions.

Strong password

This is a fundamental step to safeguard your account:-

  • Resetting the password every few months cannot do harm
  • Avoid using dictionary passwords
  • Use a password of 10 or more characters, with special characters, upper-case letters and numbers
  • Avoid reusing passwords used on other sites
  • Avoid writing down your password

This ensures that even in the worst case, where unethical hackers manage to get hold of an encrypted credential dump from LinkedIn, it would be very difficult to crack the password.
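The rules above can be turned into a small policy check that runs before a password is accepted. The following is an added example (not part of the original post or of LinkedIn's own checks); the dictionary word list, the leet-speak substitutions and the set of passwords "used elsewhere" are constructed stand-ins for the real lists a practitioner would plug in:

```python
import re
import string

# Constructed sample dictionary; a real check would load a full wordlist (assumption).
DICTIONARY_WORDS = {"password", "linkedin", "welcome", "letmein", "qwerty", "summer"}

# Constructed set of passwords the user already uses on other sites (assumption),
# standing in for a password-manager export or a breach-check lookup.
PASSWORDS_USED_ELSEWHERE = {"Summer2014!!", "Welcome#12345"}

MIN_LENGTH = 10

# Common character substitutions, so that "P@ssw0rd" is still treated as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a"})


def normalise(password):
    """Lower-case, undo leet substitutions and keep only letters, for dictionary matching."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_password(password, used_elsewhere=PASSWORDS_USED_ELSEWHERE):
    """Return the list of policy rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if not any(c.isupper() for c in password):
        failures.append("no_uppercase")
    if not any(c.isdigit() for c in password):
        failures.append("no_digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no_special")
    core = normalise(password)
    # Flag an exact dictionary word, or a longer dictionary word embedded in the password.
    if core in DICTIONARY_WORDS or any(w in core for w in DICTIONARY_WORDS if len(w) >= 6):
        failures.append("dictionary_word")
    if password in used_elsewhere:
        failures.append("reused")
    return failures


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Summer2014!!", "correct horse battery staple", "Tr4v3l-Mug#Blue9"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

Note that "P@ssw0rd1!" satisfies every character-class rule and is still rejected, because the leet normalisation reveals the dictionary word underneath; that is the case the "avoid dictionary passwords" bullet is really about.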

Enable 2 Factor Authentication

Even if one has a strong password, unethical hackers can still obtain the password of your account. 2FA (Two Factor Authentication) helps mitigate unauthorized access by adding another form of verification. This method requires a numeric code, sent to your phone via SMS, to be entered after logging in with valid credentials. Hence, one would be notified of any malicious login attempt.

To turn on two-step verification:

  • Move your cursor over your profile photo at the upper right of your homepage and select Privacy & Settings. For verification purposes, you may need to sign in again.
  • Click the Account side tab by the shield icon towards the bottom of the page and select Manage security settings.
  • Click Turn On under the Two-step verification section. Enter your cell phone number to receive a verification code.
  • Click Send Code.
  • Once you receive the code sent to your phone, enter it into the box on the device you're using to sign in.
  • Click Verify.
  • Click Done.

This mitigates unauthorized access very effectively.
Also note that some LinkedIn applications will not work, obviously the ones which don't have 2FA provision.

Avoid using shared computers

Avoid, or better never, log in from shared computers. Shared computers are often infected with malware and key loggers, which can help malware propagate amongst connections.

One can also check currently logged-in sessions by doing the following:-

  • Go to Privacy & Settings
  • Under Your active sessions, click on See where you're signed in

Activity Broadcasts

Activity broadcasts are the updates that are shared when you make changes to your profile, follow companies or recommend connections.
If one wants to stop these broadcast messages, the following can be done:-

  • Go to Privacy & Settings
  • Profile tab is open by default
  • Click on Turn on/off your news mention broadcasts
  • On the popup, uncheck the option Let people know when you change your profile, make recommendations, or follow companies
  • Click on Save changes to apply

Check mail addresses and contact numbers

It is a good habit to check that the right email addresses and contact numbers are stored in the account. To check:-

  • Go to Privacy & Settings
  • Click on Account tab
  • Check Add & change email addresses and Manage phone numbers options and verify the details

Choose who can follow updates

One can choose who can see your public updates. If one wants to restrict viewing from everyone to only your connections, the following can be done:-

  • Go to Privacy & Settings
  • Click on Profile tab
  • Click on Choose who can follow your updates
  • In the dropdown choose Your connections and click on Save changes

Also, one can check who can view the activity feed (like changing photo, position, etc.):-

  • Go to Privacy & Settings
  • Click on Profile tab
  • Click on Select who can see your activity feed
  • In the dropdown choose any of the following:-
    • Only you - No one can see
    • Everyone - I believe every LinkedIn account can see
    • Your network - I believe all connections and the ones following can see
    • Your connections - Only connections can see

Look out for phishing and spam emails requesting personal information

LinkedIn will never ask for users' sensitive personal or financial information via email.

To confirm whether or not a message is really from LinkedIn, here are a couple of things to look for:

  • A message containing an attachment or asking you to install software
  • A message containing a threat such as "Your account will be deleted unless you act right away.", which asks you to log in immediately
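Those two indicators, together with the point that LinkedIn never asks for sensitive information by email, can be checked mechanically over a raw message. The following is an added example, not code from the original post or from LinkedIn; the three sample messages are constructed, and the allow-list of legitimate sender domains and the phrase lists are assumptions a deployment would tune:

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumption: domains that genuine LinkedIn mail and links may use (placeholder allow-list).
LEGIT_DOMAINS = {"linkedin.com"}

URGENCY_PATTERNS = [r"act right away", r"will be deleted", r"within 24 hours", r"immediately", r"suspended"]
SENSITIVE_PATTERNS = [r"password", r"credit card", r"social security", r"bank account"]
INSTALL_PATTERNS = [r"install", r"download and run"]


def _is_trusted(host):
    """True when host is one of the allow-listed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def phishing_indicators(raw_message):
    """Parse an RFC 822 message and return the list of phishing indicators it triggers."""
    msg = email.message_from_string(raw_message, policy=policy.default)

    sender = msg.get("From", "")
    match = re.search(r"@([\w.-]+)", sender)
    sender_host = match.group(1).lower() if match else ""

    has_attachment = False
    body_parts = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_content())
    body = "\n".join(body_parts)
    low = body.lower()

    # Any link whose host is not on the allow-list counts as an off-domain link.
    links = re.findall(r'https?://[^\s<>"]+', body)
    off_domain = any(not _is_trusted((urlparse(u).hostname or "").lower()) for u in links)

    indicators = []
    if not _is_trusted(sender_host):
        indicators.append("sender_not_linkedin")
    if has_attachment:
        indicators.append("has_attachment")
    if any(re.search(p, low) for p in INSTALL_PATTERNS):
        indicators.append("install_request")
    if any(re.search(p, low) for p in URGENCY_PATTERNS):
        indicators.append("urgency_threat")
    if any(re.search(p, low) for p in SENSITIVE_PATTERNS):
        indicators.append("asks_sensitive_info")
    if off_domain:
        indicators.append("link_off_domain")
    return indicators


# Constructed sample: a threat plus a request for the password at a look-alike domain.
PHISH_MESSAGE = """\
From: LinkedIn Security <security@linkedin-verify.example>
To: victim@example.org
Subject: Your account will be deleted
Content-Type: text/plain

Your account will be deleted unless you act right away.
Confirm your password at http://linkedin.account-verify.example/login
"""

# Constructed sample: an ordinary connection request from the real domain.
LEGIT_MESSAGE = """\
From: LinkedIn <messages-noreply@linkedin.com>
To: victim@example.org
Subject: You have a new connection request
Content-Type: text/plain

Jane Doe would like to connect with you on LinkedIn.
View the request: https://www.linkedin.com/people/invitation
"""

# Constructed sample: a "recruiter" mail carrying an executable attachment.
ATTACHMENT_MESSAGE = """\
From: HR Recruiter <recruiter@jobs-offer.example>
To: victim@example.org
Subject: Job offer attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached file and install the viewer to see the offer.

--XYZ
Content-Type: application/octet-stream; name="offer.exe"
Content-Disposition: attachment; filename="offer.exe"

MZ-placeholder
--XYZ--
"""

if __name__ == "__main__":
    for name, raw in [("phish", PHISH_MESSAGE), ("legit", LEGIT_MESSAGE), ("attachment", ATTACHMENT_MESSAGE)]:
        print(name, phishing_indicators(raw) or "no indicators")
```

The sender check is deliberately weak on its own (a From header is trivially spoofed), so the function reports every indicator rather than a verdict; a mail gateway would combine these with SPF/DKIM results before deciding.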

Regarding the recent LinkedIn fake account scams, here are a few points, taken from a blog post (How to Protect Yourself From LinkedIn-Based Scams), to help detect fake accounts:-

  • Recommendations & Endorsements - Fake accounts are less likely to have recommendations and endorsements
  • Photo - When suspicious of an attractive photo, use Google reverse image search
  • Premium users - Fake accounts are unlikely to take the effort to create a premium account
  • Connections in Common - Few or no common connections are a good indicator
  • Group Activity - Fake profiles are less likely to join groups
  • Number of connections - Few connections may be a good indicator. Well, talking about my connections, I don't have many. People, don't get carried away with this! ;)
  • Contact info - No email address, or only a public (free) email address, can be a good indicator

Reduce or minimize information on public profile

One can restrict the amount of information displayed on the public profile, either by displaying no information or by reducing the amount of information, in the following way:-

  • From the menu, click on Profile
  • Choose menu option Edit Profile
  • In dropdown View profile as, choose Manage public profile settings
  • On the right-hand side pane, under Customize Your Public Profile, one can either show nothing or restrict what is displayed on the public profile:-
    • Choose option - Make my public profile visible to no one
    • Or choose what information is accessible to everyone, under Make my public profile visible to everyone
  • Click on Save

Unethical hackers are always on the lookout for even the smallest pieces of information.

Check who has viewed profile in private mode

LinkedIn offers an option to hide yourself when visiting other profiles. To check who has viewed your profile in private (anonymous) mode:-

  • From the menu, click on Profile
  • Choose menu option Who's Viewed Your Profile

One could see something like:-

2 LinkedIn members - This person viewed your profile in private mode

One can also visit other profiles anonymously, by doing the following:-

  • Go to Privacy & Settings
  • Click on Profile tab
  • Click on Select what others see when you've viewed their profile
  • The following options are available:-
    • Disclose identity - Your name and headline
    • Partial information - Semi-private profile characteristics such as industry and title
    • Anonymous - You will be in complete private mode
  • Click on Save changes

Restrict who can connect using phone number

The LinkedIn mobile app can recommend connecting to a person if that person's phone number is in the mobile phone's contact list.
Let's say person X's LinkedIn account has the phone number xxxxxxx configured, and person Y has the LinkedIn mobile app and xxxxxxx in their contact list, though Y is not connected to X. LinkedIn will recommend that Y connect to X.

Y could be anyone who managed to get hold of X's phone number.

To check:-

  • Go to Privacy & Settings
  • Click on Profile tab
  • Click on Manage how people who have your phone number can connect with you
  • One can choose how they would want to be discovered:-
    • Everyone - All LinkedIn members
    • People in my 1st-degree and 2nd-degree network
    • My 1st degree connections only
  • Click on Save setting to apply changes

Besides, one can always decide whether to accept or decline the request anyway.

Ensure Secure Browsing

HTTPS should be enabled by default, and this can be verified by doing the following:-

  • Go to Privacy & Settings
  • Click on Account tab
  • Click on Manage security settings
  • If there is no option mentioning HTTPS, it means that secure browsing is already enabled

There may be several other important things to consider. This is just what I discovered. The point to emphasize is how critical a LinkedIn account is for one's own organization and the organizations of one's connections.

I hope this was useful.

Dinesh Gunasekar