
Everything I Need to Know About Stealing Your Identity, I Learned from Facebook and MySpace

It’s easy to be lured into joining social networking sites like Facebook, MySpace, LinkedIn, and others. With over 25,000 members of the University community already on Facebook, a friend or a coworker might have already sent you an invitation. However, with the good also comes the bad. The popularity of social networking sites has made them objects of increasing attention from hackers and spammers. Remember that any information you post may be completely public and available to individuals who are most definitely *not* your friends. While the level of personal information you choose to share is your choice, posting any sensitive work-related information is a definite no-no.

As you fill out your profile, consider leaving out key information that not everyone needs to know, like your birthday or home address; these data elements can be used to facilitate identity theft.

You may also choose to remove yourself from searches on Facebook or Google. To deactivate or limit your visibility on Facebook Search, go to the Privacy Settings option found in the Settings menu that appears on the top of every Facebook page. Instead of the default Everyone, you can choose to limit to just your networks or just your own friends. On the same page, you can disable the Public Search Listing if you don’t want your Facebook profile to appear in Google.

Friend lists give you some additional control over who sees what. For example, you could place your family members in a list and give that list access to your phone number, but leave it hidden from everyone else. Or you could create a group for your colleagues and allow them to see your work email address, but not the one you use for personal matters.

Social networking sites are all about keeping in touch with your friends and making new ones. Most people keep their friends lists public (even though you don’t have to) and one of the most common and successful phishing attacks abuses that choice. When someone tries to add you to their friend list, most sites show how many mutual friends you share with that person. By creating a fake profile, an attacker can become friends with a group of people and use the implied trust in those connections to gain the confidence of his victim before collecting that person’s personal details. That fake profile could be a completely fictitious person, a made-up profile for a real person, or a real person’s compromised account.

Another recent attack on MySpace is spread through invitations that include a link to view a video. If a user clicks on the link in this invitation, they are prompted to update Adobe Flash Player. This update is not a legitimate Adobe Flash Player update; it is malicious code.

“[F]ar too many people ... presume trust,” says James Arlen, an independent information security consultant. “[Y]ou look at someone’s profile and say ‘I know this person,’ but there’s no real attempt at authentication.” For this reason, and because there will always be new attack methods, it’s best to choose the strictest privacy settings any time you enter personal information online, then relax them as needed. Social networking is a new and evolving area with controls that have not yet matured. Exercising a little caution may protect you from considerable grief in the future.

  • Choose sites that offer levels of control over who can find your profile and how much information they see. Use the controls to suitably restrict access.
  • Read privacy policies and understand how sites will use your details.
  • Do not allow people to work out your “real life” location, such as your place and hours of work. Your personal safety offline could be affected by what you tell people online.
  • Change passwords regularly. Avoid using obvious words such as your pet’s name, first name, etc., and don’t use the same passwords on social networking sites as you do for services such as online banking, PayPal, credit cards, etc.
  • Use a separate email address for social networking, preferably one that does not contain your year of birth or full name.

Finally, remember that information posted online may be available to your present employer as well as prospective new employers.

For more information

Posted June 23, 2009