Wednesday, December 9, 2009

Facebook security issues? It's the ducky's fault

Gee, everybody's so friendly on Facebook ... probably too much so.

Two Facebook users, Daisy Felettin and Dinette Stonily, sent out friend requests to 100 Facebookers each, chosen at random though concentrating on their own age groups. Between the two of them, 95 people decided to become their friends.

Except Daisy and Dinette don't exist. They were created by the IT firm Sophos to show how easy it is to convince Facebook users to reveal personal information to total strangers.

Daisy, using a photo of a rubber duck as her avatar, is known to Facebook users as a 21-year-old woman, while Dinette Stonily presented "herself" as a 56-year-old with a photo of two cats as her avatar.

Daisy concentrated on younger Facebook users, and came away with 46 new friends. Of these 46, she got full birthdates from 89 percent of them, family/friend data from 46 percent, a town or suburb from 50 percent, a full address from four percent, and a phone number from seven percent.

Older Facebook users, when dealing with Dinette, were also quick to become friends. Of the 100 approached, 41 became friends -- but another eight approached Dinette of their own accord and befriended the cat-loving phantom. And of the 49 new friends, Dinette got full birthdates from 57 percent of them, family/friend data from 31 percent, a town or suburb from 43 percent, a full address from six percent, and a phone number from 23 percent.

Check out their names again. They're based on anagrams for "false identity" and "stolen identity."

Ugh. There are a lot of people who shouldn't be running computers.

At Sophos, they call this experiment the “rubber duck attack.” There's a purpose behind the goofy moniker, as it shows how you can gather someone’s personal info without any technical expertise, simply by working within the social network’s rules.

I can't stand Facebook. I'd rather not waste my time with it. I was ready to shut down my account when some friends -- real friends, as in people I know and like -- started contacting me there. For many of these friends, that's the online way to keep up with one another.

OK. It goes like this. Not everyone who says he wants to be your friend is really your friend. Got it? You wouldn't invite some random person into your living room just because he says he wants to "friend" you, as they say in Facebook. But then y'all already knew that.

Here's something revealing: The 46 people befriended by Daisy have an average of 220 Facebook friends, while Dinette's 49 new pals have an average of 932 Facebook friends.

I'm tired of belaboring this point: Nobody has that many friends. 

Sophos (the duck people) offer their own social-networking security tips:

  • Don't blindly accept friends. Treat a friend as the dictionary does, namely "someone whom you know, like and trust." A friend is not merely a button you click on. You don't need, and can't realistically claim to have, 932 true friends.
  • Learn the privacy system of any social networking site you join. Use restrictive settings by default. You can open up to true friends later. Don't give away too much too soon. 
  • Assume that everything you reveal on a social networking site will be visible on the internet for ever. Once it has been searched, and indexed, and cached, it may later turn up on-line no matter what steps you take to delete it.

And watch out for potential friends bearing rubber ducks.

###
