Loose-Lipped Facebookers Tell All to ID Thieves

Some Facebook users are too friendly and play too loose with necessary security precautions, concluded a Tuesday report released by computer security firm Sophos.

In the report, the company warns social network users about the dangers inherent in giving cyber-strangers access to their online profiles. Those overly trusting individuals could be disclosing information that significantly heightens the risk that their information will be misappropriated by a criminal and used to steal their identity or facilitate other identity-related crimes, Sophos said.

More than two in five, or 41 percent, of Facebook users willingly disclosed personal information, including e-mail addresses, birth dates and even phone numbers to complete strangers who had listed them as a “friend,” according to the research.

Freddi the Friendly Fraudster Frog

“Most people wouldn’t give out their details to a stranger in the street, or even respond to a spam e-mail, yet several of the users Freddi contacted went so far as to make him one of their ‘top friends,'” said Graham Cluley, senior technology consultant at Sophos.

The “Freddi” Graham referred to is a made-up identity Sophos used in its research. To conduct the study, the company set up a fake Facebook profile for Freddi Staur (an anagram of “ID Fraudster”) and depicted him as a green plastic frog. The company then randomly sent requests to 200 members of the Facebook community who had pictures associated with their profiles. The requests asked the users to share links to Freddi’s profile, a common process known as “friending.” Eighty-seven of those contacted responded and also “friended” Freddi the Frog.

“By ‘friending’ us, what those 87 people did was give us a view of their profile,” Ron Obrien, a Sophos security analyst, told TechNewsWorld.

Of that group, 72 percent revealed one or more of their e-mail addresses, while more than eight out of 10 — 84 percent — listed their full date of birth. Almost 90 percent gave details about their education or workplace, and 78 percent listed their current address or location.

When it came to giving out their phone numbers, the respondents were a little more cautious — only 23 percent listed their current phone numbers. Screen names were also handed out sparingly, as just over one in four, or 26 percent, of those ‘friended’ provided their instant messaging screen name.

Friends, Resume, Mother’s Maiden Name

Personal data was not the only content up for grabs on the site. Sophos found that in the majority of cases Freddi also was able to gain access to respondents’ photos of friends and family, as well as lists of their likes and dislikes, hobbies, employer details and other personal facts.

Many users also provided details about their spouses and partners. Several even included their complete resumes, and one had listed his mother’s maiden name — a security measure frequently used by Web sites, banks and other financial institutions to verify a person’s identity.

Another group of users inadvertently made it possible for Freddi to access their profile data by simply responding to the frog’s initial friending request with messages such as “Who are you?” and “Do I know you?”

“The typical Facebook user is just not aware of the extent to which this information can be used in a manner that is not in their best interest,” O’Brien pointed out. “I.E., right before your birthday they send you an e-greeting card that links to a Web site that is hosting a Trojan. You’re going to open that e-card because you think it is someone you know.”

“I could send you an e-mail if I know you went to XYZ College that says we had a reunion last weekend. I’m sorry you couldn’t be there. Here are some pictures you might want to see,” he continued. “You’re going to click on the link because you’re going to want to see the pictures, and that results in Trojan being downloaded to your system.

Specific Information

The problem is unique to Facebook, which adds 100,000 new users every day, O’Brien explained. The site asks users to provide very detailed information when they sign up, he said. Other sites such as MySpace also ask for personal data, but it is optional and is not searchable, while the information on Facebook is searchable. The amount of data users fill in is a vestige of the site’s original mission to provide a space online where college students could meet and mingle — essentially a digital version of the face books many colleges and universities provide incoming freshman.

“Facebook is different from other social networking sites in that they ask you for very specific information,” O’Brien said. “In the course of setting up your profile, you’re asked for information such as your hometown, your date of birth — month day and year — and other information that makes the site that much more useful in terms of other people with similar interests or similar age and activities.”

However, the Web site, which once required users to have a college e-mail account, is now open to the general public. That means the user information it stores and distributes in a huge database can be used by criminals to target Facebook users via very elaborate phishing schemes.

“Now that it is open to everyone, you need to be a little bit more aware of the extent to which you are providing people with personal information,” O’Brien advised. “It is clear this information can be misused just as easily as it can be used for purposes of making friends and expanding your social network. You have to be just as careful on Facebook as you do in a strange city.”

User Error

Although Sophos acknowledged that Facebook’s privacy features go far beyond those of its social networking competitors, the problem resides with its users who are “undoing all that good work through carelessness and being preoccupied with the kudos of having more Facebook friends than their peers,” the report states. This could have a serious impact on business security if the site is accessed in the workplace.

In response to the report, Facebook said it was pleased that Sophos recognized its advanced security features and insisted it welcomes chances to educate users on better online safety skills.

The solution for social networking users on Facebook and other sites such as LinkedIn or MySpace is to use a measure of common sense when filling out a profile, said Sophos. Just as they would not leave their wallets open and the contents strewn about on their front steps, neither should they expose essential bits of their personal information to billions of people on the Internet.

“On your Facebook profile, you’re asked to provide very basic information. That information is then published as part of your profile,” O’Brien said. “Unless you consciously go into the security settings and uncheck the box that says ‘publish my birthday,’ [it will appear in the profile].

“These things are all set by default,” he continued. “So it is incumbent upon you as the user to go into the security settings and exercise Facebook’s policy. The user is ultimately responsible for the extent to which information about him or herself is disclosed.”