THE WIRED LIBRARY | How to Keep Your Library’s Facebook Page from Getting Hacked: A PLA Podcast Transcript
Editor’s note: Our regular columnist, Dilnavaz Mirza Sharma, will be back in the next issue with a new The Wired Library column. For this issue, we chose to share a partial transcript of a podcast we recorded live at the PLA 2016 conference. Visit http://publiclibrariesonline.org/category/media to listen to this podcast in its entirety. Thank you to Erica Karmes-Jesonis and Cecil County (MD) Public Library staff members Kevin Urian, digital projects and instruction librarian, and Jessa Gillis, ebranch manager, for their invaluable contributions to this podcast.
Public Libraries (PL): Hello and thank you for joining us for FYI: The Public Libraries Podcast. Today we are recording live from the PLA 2016 conference in Denver. Our guest is Erica Karmes-Jesonis. Erica is chief librarian for information management at the Cecil County (MD) Public Library in Elkton. Yesterday Erica presented a how-to session entitled “How to Keep Your Library’s Facebook Page from Getting Hacked.” We’re going to talk to her about that topic today. Thanks for joining us, Erica.
Erica Karmes-Jesonis (EJ): Thank you so much for asking me.
PL: Can you give us a little background on Facebook hacks?
EJ: Yes, there are a variety of things. I mean, honestly, one of the things that people need to keep in mind when selecting who is going to be on the social media team for their organization is really making very wise, judicious decisions because unfortunately sometimes those hacks come from the inside, you know a disgruntled employee, or sometimes just somebody who isn’t necessarily a judicious choice in terms of high level of responsibility. So of course, you always want to make a super-good decision about who that person is going to be and giving them really good security training. So that’s step one. And then of course there are always hacks that can come from the outside. So in terms of the tips we’re gonna talk about ways to prevent that.
PL: Okay, so what happens when your Facebook account gets hacked?
EJ: Usually, you wake up on a Saturday morning and you start getting phone calls or texts of you know like, “Did you see what is up on our Facebook page? OMG.” You try to log in to your account and suddenly you can’t and you are panicking and getting in touch with the rest of your team and they can’t log in either. That’s the worst-case scenario and of course that is absolutely something that doesn’t need to happen. So Facebook is really unique in the sense that it is tied to personal accounts. So it’s unlike other social media accounts where you can have an account for your organization. You can’t do that with Facebook. So that puts your organization as a library in a bit of a quandary.
So, not only do you have to make a really good choice about who in your organization you’re going to have on your social media team it also has to be tied to their personal account. The nice thing is Facebook does give you the option for different page roles. So, there are admins, there are editors, and then there are even different page roles beneath that.
One thing that I can’t recommend strongly enough is picking one admin and then most likely the rest of your team can be editors and that will be perfectly sufficient. Why is it important to only have one admin? Well, the admin really has supreme control over the entire account. You want to have somebody be the admin that quite honestly is not logged into Facebook ever.
And why is that? It is because if that account gets compromised, if that account gets hacked, they could then boot everybody else off of the account. And that is unfortunately what happened with the ALA hack, it is what happens with a lot of hacks. So in terms of picking what would be good for that admin account you want it to be somebody who is not highly visible within the organization.
So, you know probably not your director, not your PR person. Rather, somebody who doesn’t spend a lot of time logged in, somebody who practices ultra-high security, somebody again who is extremely secure within the organization, and then the rest of the team, they can just function as editors, and that in itself would be our number one tip. They are at a much lower risk, so they can publish posts, they can see the analytics, they can do everything that they need to do and if one of them were to get compromised, then the admin could log in and clean up the trouble.
Really, our next tip apart from that is Facebook also offers the option to enable two-factor authentication. Facebook calls this “login approvals.” This is located under security within Facebook. But it is a concept that everyone is familiar with if you’ve ever used a bank card with a PIN, because there are the two factors.
Basically what it means is something you physically have and something you know within your mind. Your bank card, you have something in your hand and you have your PIN in your mind. So that if you were to lose your bank card it is very unlikely that someone who found it on the street—they couldn’t do anything with it because they don’t have the knowledge that is in your mind. So on Facebook if you enable the login approvals, the first time you log in from an unfamiliar device it will text a code to your phone and that way it just adds an additional layer of security.
If someone was trying to get in to your account it would be very difficult for them to hack in. Each person that is associated
with a library’s Facebook page can do this. So that way if for some reason let’s say, some hacker, or somebody got your password, and they’re logging in from another device, they would also have to have access to your phone, to be able to get into your account. So it adds a whole other layer, like a buffer, of security. This makes it extremely unlikely that they would actually be able to get in to your account.
One additional consideration is if you are out somewhere, like you are here at PLA conference, and you are downstairs in the hotel lobby and you want to update the library’s Facebook page and you don’t have your phone (to get the authentication code). Facebook lets you print out a sheet of ten codes and you can refresh them if you need more, that you can have in a secure location and use for those kinds of circumstances.
Another tip is the idea of using pass phrases instead of pass words. So what is the difference between those two? Pass phrases combine random words together which are really easy to remember. If you put together four random common words (i.e., correct, horse, battery, staple) it’s four random words, but it is so easy to remember. So a hack, at a thousand guesses per second, it would take 550 years to crack that. For a social media team, people that are using their phones and devices, we want them using pass codes on their phones and devices as well.
Oftentimes people know about phishing schemes via email but one thing that people often don’t know about are phishing schemes via places like chat. Programs like Outlook or websites, when you hover over the link (if you are conscientious, as all good librarians are) you can see what the link really is. However, in places like Google Chat or Facebook Chat you can’t and it has to do with the way it is coded in the background so that is really dangerous.
And so, in places like Facebook Chat you can get hacked pretty easily. I’ve known people that have gotten hacked in Facebook by phishing schemes where somebody has pretended to be Facebook staff. They use that same sense of urgency that a lot of phishing schemes will employ, saying there is something wrong with your account, we need you to go to this page.
Anytime that you are approached with that sense of urgency you need to stop. It is sort of depressing but Facebook doesn’t care about you that much. Their customer service is not that good, they are not going to get in touch with any one personally, like that proactively via Facebook chat. They don’t do that.
PL: So, if you’re getting a message from Facebook, be suspicious.
EJ: Be very suspicious. Just links in general, if you don’t know what it is Google it yourself and just be very, very cautious.