IT security firm Sophos has announced its latest probe into how easy it is to steal identities via Facebook and found that user negligence is worst in 2009.
"We assumed things would be better in 2009 but the situation is worse. This really is a wake-up call," said Paul Ducklin, head of technology, Sophos Asia-Pacific (Sydney).
Ducklin, who led the Facebook probe, said they created two fictitious users with names based on anagrams of the words "false identity" and "stolen identity." He said 21-year-old "Daisy Felettin" was represented by a picture of a toy rubber duck bought at a US $2 shop; 56-year-old "Dinette Stonily" posted a profile picture of two cats lying on a rug. Each sent out 100 friend requests to randomly-chosen Facebook users in their age group.
Within two weeks, a total of 95 strangers chose to become friends with Daisy or Dinette -- an even higher response rate then when Sophos first performed the experiment two years ago with a plastic frog. Worse still, Ducklin said, in the latest study, eight Facebookers befriended Dinette without even being asked.
Ducklin said 89% of the 20-somethings and 57% of the 50-somethings who befriended Daisy and Dinette also gave away their full date of birth.
"Nearly all the others suppressed their year of birth, but this is often easy to calculate or to guess from other information given out," he said, adding that even worse, just under half of the 20-ish crowd, and just under a third of the 50-ish crowd, gave away personal information about their friends and family.
"People aren't just handing over their own life story to criminals," Ducklin commented. "They're betraying people close to them too, by helping those cybercrooks build up a detailed picture of their life and their milieu. This is an identity scammer's dream."
Sophos is calling on users of social networking sites to think much more strictly about what it means to accept someone as a friend.
"We're not trying to be killjoys," Ducklin explained. "We just want you to be much more circumspect about whom you choose to trust online."
Graham Cluley, senior technology consultant for Sophos, revealed that 10 years ago it would have taken several weeks for con artists and identity thieves to gather such kind of information about a single person. "Social networks have made it easier for the bad guys to scoop up information about innocent members of the public. Everyone must learn to be more careful about how they share information online, or risk becoming the victims of identity thieves."
Sophos produced the following top tips for users who want to protect themselves from identity thieves on Facebook:
- Don't blindly accept friends. Treat a friend as the dictionary does, namely "someone whom you know, like and trust." A friend is not merely a button you click on. You don't need, and can't realistically claim to have, 932 true friends.
- Learn the privacy system of any social networking site you join. Use restrictive settings by default. You can open up to true friends later. Don't give away too much too soon.
- Assume that everything you reveal on a social networking site will be visible on the internet for ever. Once it has been searched, and indexed, and cached, it may later turn up online no matter what steps you take to delete it.
"Our honeymoon period with social networking sites ought to be over by now -- but many users still have a 'couldn't care less' attitude to their personal data," Ducklin added.
This story, "Facebook Still a Hotbed of Identity Theft, Study Claims" was originally published by Computerworld Philippines.