August 14, 2007
Facebook users often pass ID info to strangers
It's apparent that people's understanding of online ID theft and the threat of personal data loss from so-called Web 2.0 sites has not yet taken leaps and bounds forward.
As part of an exercise aimed at finding out how many people it could get to send their Facebook profiles -- which often contain significant amounts of personally identifiable data -- to a dummy account set up to gather such details, security software maker Sophos lured roughly 40 percent of those it sent invitations to on the site into swallowing its bait, which was frog legs.
The invitations were linked to a profile that offered details about "Freddi Staur," a clever anagram of the term "ID Fraudster," who was represented in his profile on the site as a small green plastic frog -- one who in turn offered up very little personal information about himself.
Sophos, which has its headquarters just outside Boston, said that it sent invitations to link to the profile to 200 random users of Facebook, the social networking site that began as a virtual space for college students to share info with one another but which has been expanded to include just about anyone.
According to the company, some 87 of those people it queried responded to its toy reptile's invites, including 82 people, or 41 percent, whose profiles divulged personal information such as their e-mail address, date of birth, address or phone number.
In total:
- 72 percent of respondents divulged one or more e-mail addresses
- 84 percent of respondents listed their full date of birth
- 87 percent of respondents provided details about their education or workplace
- 78 percent of respondents listed their current address or location
- 23 percent of respondents listed their current phone number
- 26 percent of respondents provided their instant messaging screen name
While Sophos researchers admitted that it would typically take some additional legwork to assail those who replied to the invites, such as luring them into downloading a spyware program or tricking them into visiting a phishing site, many handed over enough info to give an aspiring fraudster a good idea of who they are, including a good number who passed along pictures of themselves or their family members.
"It's extremely alarming how easy it was to get users to accept Freddi," said Ron O'Brien, senior security analyst at Sophos. "While it's unlikely this will result directly in theft, it provides many of the essential elements needed to gain access to people's personal accounts. Additionally, it reveals specific user interests, enabling hackers to design targeted malware or phishing e-mails that they know the user is more likely to open."
There's still some debate as to just how much identity fraud results from such online data leakage, or even from massive records thefts such as the one encountered by retailer TJX Companies. However, the report does illustrate the seemingly gullible manner in which many users of sites like Facebook go about their online interactions.
Posted by Matt Hines on August 14, 2007 08:39 AM