Gallery

Unsocial networking

Posted on 5 Mar 2008 at 17:30

Davey Winder investigates a Facebook frog with a hidden agenda and reveals how to keep safe when using social networking sites.

With 63 million members viewing 65 billion pages a month - and 250,000 people joining every day - social networking sites such as Facebook are more than a passing fad. I'm hooked myself and even PC Pro has a group with more than 400 members. It's vital, therefore, that the security and privacy risks users expose themselves to on these sites aren't ignored.

You're handing out personal information - place and date of birth, address and so forth - to pretty well anyone who asks "can I be your friend?", whether you know them or not.

Social networking has become a game: forget Pokémon, collect Facebook friends (you've gotta catch 'em all!). Most of us, me included, accept invitations from passing acquaintances. The point of social networking is to make new friends, to keep in touch with existing ones and rekindle old ones. This virtual community ideal is what attracted me to the internet in the first place, nearly 20 years ago, and I'll admit to accepting friendships on Facebook from people I haven't met in real life. But there's always some connection between us before I click on that button - we might both be previous users of Cix, both went to the same school, or both have an interest in body art. However, I've never knowingly accepted a Facebook friend invitation from a small, green plastic frog...

Frog attack

Freddi Staur (clue: it's an anagram of ID Fraudster) is just such a frog, one that managed to make 87 Facebook friends last year simply by asking 200 strangers picked at random. And, rather worryingly, 82 of them (that is, 41% of those approached) revealed personal information that would be of use to a would-be identity thief.

Freddi, on the other hand, revealed very little about himself, which is understandable given that small, plastic frogs have little in the way of personal history once they leave the factory in Guangdong. The brains behind this Freddi scam were not, thankfully, a gang of ID thieves but employees of security outfit Sophos, and the information they gleaned simply by viewing the profiles of their linked "friends" included email addresses (72%), dates of birth (84%), education or work data (87%), current address (78%), current telephone number (23%) and IM screen names (26%).

As Graham Cluley, a senior technology consultant at Sophos told me: "While accepting friend requests is unlikely to result directly in theft, it is an enabler, giving cybercriminals many of the building blocks they need to spoof identities, to gain access to online user accounts or, potentially, to infiltrate their employers' computer networks.''

It's that last bit that's of most importance to me, and should be to you, because given the number of people accessing Facebook from their workplaces, you don't have to be a genius to realise that World War II's "loose lips sink ships" advice remains true. I'll come back to that in a moment, but first let's address what the best way is to protect your personal data in a social networking environment (unless you're one of those numb-nuts who believes a plastic frog wants to be your friend, in which case it may already be too late).

Minimise your personal data risk by following these simple common-sense guidelines, most of which involve not being 100% honest about your particulars. So, for example, if the site you're using insists you enter a date of birth, use a false one. Ask yourself if it really, truly matters a jot whether people think you were born on 5 December or 10 March. When I'm forced into such a disclosure, I always say 1 April because it appeals to my sense of irony.

Download a year of Davey Winder's Online Security columns by heading to our Free Downloads site