Gallery

Unsocial networking

Posted on 5 Mar 2008 at 17:30

Davey Winder investigates a Facebook frog with a hidden agenda and reveals how to keep safe when using social networking sites.

Facebook offers an option within its profile settings to not show birthday details at all, which is what I'd recommend - the only consequence is that you won't get people you don't really know sending you a picture of a pint of beer and saying happy birthday on whatever random date you've supplied.

I'll continue to talk about the Facebook profile in particular because it has several other important settings that protect your personal data and reduce the risk of identity theft. Make sure you set the "who can see your profile" option to "only my friends" rather than everyone and his aunt Ethel (that is, all your "networks", which is the default). A Facebook network can contain thousands or hundreds of thousands of people, all of whom could see your profile details if you don't block them by changing the default, which is like walking around town with a sign on your back showing your personal information.

The same goes for your contact information from the profile. Why does anyone need to know your landline, mobile, IM, email or street address? Set these to be available to "no-one" for good measure. Your "real" friends will have your contact details already, your new online ones should earn the right to ask for them rather than have them handed over on a plate. You should also take a look at how Facebook enables people to search for your account: these options are accessible by clicking the "privacy" link located at the top-right of every page. There's some debate about whether you should allow anyone to search for your account or just your friends. Personally, assuming you've cleaned up your profile as just discussed, I see no harm in letting anyone on Facebook find you - after all, isn't that what social networking is all about?

A much greater risk comes from a fairly recent change introduced by Facebook, which allows that search listing information be indexed by external search engines, including Google, MSN and Yahoo. Just about every security advisor I know, including myself, will tell you to disable this option. Apart from being excellent advertising for Facebook itself (by adding hits that would otherwise not appear in people's search results), I can't see the point of letting any old Googler find your Facebook info. If someone wants to link up with you via Facebook, surely they'll already be a member and will use the in-house search tools to locate you.

Finally, as far as search options are concerned, check what people can do once they find you using the Facebook tools. I've only allowed them to add me as a friend, which kicks off a message that enables me to accept or decline the offer, and to see my picture (which doesn't currently depict me bathing in jelly with the Pussycat Dolls). I don't want random people sending me messages or poking me, and I certainly don't want them to be able to view my friends list, as this could enable the unscrupulous to start building a connections profile that could be of use for nefarious social engineering purposes.

Social poke, private joke

"Poking" on Facebook is just a way to nudge another member, as if to say "are you there" or "how are you" without sending a full email or private message. Thousands poke each other every second of every day, but how many of them realise that every time they poke, send a message or a friend request, this lets the recipient view their profile for a period of seven days, even if they've configured their privacy settings to only existing friends? The Freddi Staur affair shows how easy it would be for an ID thief to send a friend request, then even if you decline it or ask for more details, gain instant access to your profile and any personal information it's showing. I recommend you use the "poke, message and friend request" privacy settings option to configure which parts of your profile become accessible under these circumstances: mine's set to "basic info" only, showing my photo, name and that's about all.

Download a year of Davey Winder's Online Security columns by heading to our Free Downloads site