IT security and data protection firm Sophos has today released
the results of its latest probe into how easy it is to steal
identities via Facebook.
Sophos created two fictitious users with names based on anagrams
of the words "false identity" and "stolen identity". 21-year-old
"Daisy Felettin" was represented by a picture of a toy rubber duck
bought at a $2 shop; 56-year-old "Dinette Stonily" posted a profile
picture of two cats lying on a rug. Each sent out 100 friend
requests to randomly-chosen Facebook users in their age-group.
Within two weeks, a total of 95 strangers chose to become
friends with Daisy or Dinette - an even higher response rate than
when Sophos first performed the experiment two years ago with a plastic
frog. Worse still, in the latest study, eight Facebookers
befriended Dinette without even being asked.
"We assumed things would be better in 2009 but the situation is
worse. This really is a wake-up call," said Paul Ducklin, Head of
Technology, Asia Pacific at Sophos in Sydney, who conducted the
study. "Our honeymoon period with social
networking sites ought to be over by now - but many users still
have a 'couldn't care less' attitude to their personal data."
89% of the 20-somethings and 57% of the 50-somethings who
befriended Daisy and Dinette also gave away their
full date of birth. Nearly all the others suppressed their year of
birth, but this is often easy to calculate or to guess from other
information given out. Even worse, just under half of the 20-ish
crowd, and just under a third of the 50-ish crowd, gave away
personal information about their friends and family.
"People aren't just handing over their own life story to
criminals," warned Ducklin. "They're betraying people close to
them, too, by helping those cybercrooks build up a detailed picture
of their life and their milieu. This is an identity scammer's
dream."
Sophos is calling on users of social networking sites to think
much more strictly about what it means to accept someone as your
friend. "We're not trying to be killjoys," explained Ducklin. "We
just want you to be much more circumspect about whom you choose to
trust online."
| Information | Daisy | Dinette |
|---|---|---|
| Friends accepting | 46% | 41% |
| Total friends gained | 46 | 49 |
| | | |
| Full d.o.b. (D/M/Y) | 89% | 57% |
| Partial d.o.b. (D/M) | 9% | 35% |
| Email address | 100% | 88% |
| College or workplace | 74% | 22% |
| Town or suburb | 50% | 43% |
| Full address | 4% | 6% |
| Phone number | 7% | 23% |
| IM screen name | 13% | 18% |
| Family and friend data | 46% | 31% |
| Average no. of friends | 220 | 932 |
"Ten years ago it would have taken several weeks for con artists
and identity thieves to gather this kind of information about a
single person," added Graham Cluley, senior technology consultant
for Sophos. "Social
networks have made it easier for the bad guys to scoop up
information about innocent members of the public. Everyone must
learn to be more careful about how they share information online,
or risk becoming the victims of identity thieves."
Sophos has produced the following top tips for users wanting to
protect themselves from identity thieves on Facebook:
- Don't blindly accept friends. Treat a friend as the dictionary
does, namely "someone whom you know, like and trust." A friend is
not merely a button you click on. You don't need, and can't
realistically claim to have, 932 true friends.
- Learn the privacy system of any social networking site you
join. Use restrictive settings by default. You can open up to true
friends later. Don't give away too much too soon.
- Assume that everything you reveal on a social networking site
will be visible on the internet for ever. Once it has been
searched, and indexed, and cached, it may later turn up online no
matter what steps you take to delete it.
Learn more about the Sophos investigation into how easy it is to
steal identities on Facebook, and advice from expert Paul Ducklin,
on his blog.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.