There’s a lot of interest in Pinterest now. Not only is it a new social media channel, its approach is fundamentally different from other social media channels. It has the “sharing” quality that makes Twitter and Facebook powerful. But its focus is visual first and foremost. From focusing primarily on sharing images to the “pinboard” layout, Pinterest is a truly visual social media channel.
The revolutionary nature of Pinterest makes it exciting for Corporate marketing. There’s a real buzz and excitement to Pinterest and marketers are flocking to it to understand how they can leverage it for their industries.
Like I noted last month though, the hot new thing in social media can be scary for people in online security. Pinterest is no exception. Not only is Pinterest a new social media channel, but its primary visual focus is a new paradigm and raises all sorts of new unknowns. It’s not just online security: Pinterest’s visual sharing model is raising a new set of legal questions.
Even if Pinterest’s newness makes it scary, as a Corporate marketer, you can’t afford to ignore it. Part of embracing new technologies is to understand the risks that you face. And while the security world is still learning what threats and risks are around Pinterest, today I want to outline five security risks that we know about Pinterest already, and what you can do to help address those risks.
1. Impersonation: Online impersonation is a common problem with new media channels. In the 1990s, it was people registering domain names belonging to brands they didn’t own. When Twitter burst onto the scene, people stood up handles for other people’s names and brands. The same is happening now with Pinterest.
What you can do: Quite simply, go and secure your brand name on Pinterest as soon as possible. This is the classic example where the biggest risk is doing nothing. Pinterest is young and has no provisions right now for showing “verified” names or handles. If you don’t secure your Pinterest name now, someone may well get there first. If someone has beaten you to it and is squatting on your trademarked name, you will have to work with Pinterest to have the squatter removed.
2. Account Hijacking: Account hijacking is one of the most common attacks out there and one of the chief things you should be concerned about with all your social media channels. For example, we’ve seen major corporations’ Twitter accounts hijacked by hackers. Pinterest’s account security controls right now are very primitive compared to other social media channels like Facebook. For example, Facebook gives you the ability to use two-factor authentication, which better protects against account hijacking. They also have more mature account recovery capabilities. Right now, Pinterest doesn’t have these. Your Pinterest account is protected by a password and your only option to recover a hijacked account is to contact Pinterest support. This means if your Pinterest password is hacked, you will lose control of your site until you resolve the situation with their support people.
What you can do: You only have one option here, which is to ensure that you create a strong password for your account. Microsoft has a good guide to picking strong passwords. Because there are no mature collaboration tools for Pinterest, like Hootsuite for Twitter, if you have more than one person handling your Pinterest board, you’ll have to share that password. Just make sure you share it only with people who truly need it and whom you trust. Make sure that everyone who logs into your Pinterest board is doing so from systems that are fully up to date on security updates and are running updated antivirus. In the case of mobile devices, ensure that you only use Pinterest’s official app. (Note that as of this writing there is no official Pinterest app for Android. Any apps claiming to be that are fake and shouldn’t be used.) To their credit, Pinterest does encrypt login information by default, so you don’t have to worry about making that change like with some other social media channels. The last thing that you should do to help address account hijacking is to log in at least once per day, to ensure that you still have control of your Pinterest board.
3. Collaborator Hijacking: This is a new risk that is specific to Pinterest. In a nutshell, a malicious user can follow your board, add you as a collaborator to their board and have their board appear on your profile. A hacker can do this to make their board look like one of your boards. Their board could include inappropriate images, scams (see #4) or even potentially viruses. This has already happened to Barack Obama’s and Starbucks’ boards. This is the biggest risk specific to Pinterest right now.
What you can do: Right now, there are no controls around who can add you as a collaborator and have this happen. When you are added as a collaborator, you will receive an email notification that you’ve been added. As a collaborator you can then remove yourself from that board. This means that how you protect yourself against this risk for now is to monitor for email notifications that you’ve been added to other boards and remove yourself as quickly as possible. Until Pinterest makes changes to this feature, you have no other options to protect yourself from this specific risk.
4. Scams and Spam: It’s a sign that Pinterest is a hot topic if spammers and scammers are turning their attention to it. Trend Micro just wrote about how online scammers are now setting up Pinterest boards and impersonating major brands (in this case, Starbucks again) to lure users into tried-and-true online scams. While this isn’t a risk to your board, it is a risk to your brand and reputation.
What you can do: This is a variation of the Impersonation risk I outlined in number 1. These scammers are potentially using your brand and images on boards under their control for malicious ends. Because these are other people’s boards, you can’t keep them from setting these up. To address this risk, you first have to proactively establish a clear, authoritative presence on Pinterest (as discussed in number 1). This will help undermine the credibility of these impersonator sites as customers know to look for your logo and your products on your Pinterest board. The other thing you should do is aggressively report boards that are offering up scams and spam to Pinterest.
5. Viruses: It’s not well known outside the security world, but hackers have been able to create special image files that can infect PCs with viruses when they’re viewed in a browser. The key for them to pull this off is to get their malicious image files on a web site that users will go to. Because Pinterest specifically allows users to pin images, there’s a chance that hackers will find a way to get their malicious image files on Pinterest boards. As someone managing a Pinterest board, your biggest risk around this is if an attacker is able to infect an image file on another site that you’ve linked to. This kind of attack hasn’t been seen yet, but it is a risk and there’s no indication that Pinterest offers specific protections against this.
What you can do: The best way to protect against this is to not link to images outside of your control. Instead, only use images on your Pinterest board that you own, know are safe, and that you’ve uploaded to Pinterest yourself. This has an additional benefit for you of addressing some of the legal risks around copyright that Michelle Sherman outlined in her article. If that’s not an option, then you should only repin images that are stored on sites that you can trust. In that vein, you may want to take steps to trace an image back to its original hosting site, and then decide if you trust that site. This article tells you how you can use Google Image search to find the original source. You can also use a tool like TinEye to try to locate the original source image.
Pinterest is young and evolving. It’s a mark of how young it is that it doesn’t yet even have a security and privacy settings page. As more and more people use it, and more and more security researchers uncover potential issues, you can expect that Pinterest will evolve and change. Hopefully some of these risks, like collaborator hijacking, will be gone soon.
But in the meantime, with appropriate precautions and planning, you can and should venture out and build your Pinterest presence pin by pin. Right now, the most important things you can do are to be vigilant and keep up to date on the risks and tools Pinterest offers. That’s smart not just for Pinterest, but for all your social media websites.