
Facebook users have yet to learn privacy lessons, finds study

Out-Law News | 09 Dec 2009 | 11:47 am | 2 min. read

Facebook users still give out their personal information far too readily two years on from a report which first came to that conclusion, according to security company Sophos.

Two years ago Sophos conducted an experiment amongst UK Facebook users. It created a fictional character and asked 100 people to befriend it; 43 did. It has just conducted the same experiment in Australia and found that social networking users have not learned to be more careful.

The survey found that 46% of users in a fictional 21-year-old's age group accepted the offered friendship, while 41% of a fictional 56-year-old's peers did.

On Facebook, once someone has been accepted as your 'friend', they can see more information about you, but you can still choose to hide information from those friends or limit it to specific groups amongst your online friends.

Sophos found that once the fictional characters had been accepted as friends, they had access to huge amounts of exactly the kind of data that scammers need in order to impersonate someone.

"Both groups were very liberal with their email addresses and with their birthdays," said Sophos head of technology in Asia Pacific Paul Ducklin. "This is worrying because these details make an excellent starting point for scammers and social engineers."

"Nearly half of the youngsters, and nearly one-third of the 50-somethings, also offered up details about friends and family – again, information which scammers and identity fraudsters can exploit to build up an accurate and abusable profile of you and your lifestyle," he said.

Scammers can use all sorts of information to access a victim's bank accounts or company records, or to gain credit in their name. Email addresses are often user-names for services, and many people use their birthdays as the basis of passwords.

Information about a person, such as their marital status, family arrangements and even pets' names, can be useful in pretending to be that person and 'socially engineering' access to their goods or records.

"Ten years ago, getting access to this sort of detail would probably have taken a con-artist or an identify thief several weeks, and have required the on-the-spot services of a private investigator," said Ducklin. "Sadly, these days, many social networkers are handing over their life story on a plate."

Sophos published guidelines to follow to prevent important information falling into the wrong hands.

"Don't blindly accept friends," it said. "Treat a friend as the dictionary does, namely 'someone whom you know, like and trust.' A friend is not merely a button you click on. You don't need, and can't realistically claim to have, 932 true friends.

"Learn the privacy system of any social networking site you join. Use restrictive settings by default. You can open up to true friends later. Don't give away too much too soon.

"Assume that everything you reveal on a social networking site will be visible on the internet for ever. Once it has been searched, and indexed, and cached, it may later turn up on-line no matter what steps you take to delete it."