Facebook users neglect ID theft risks

Over 40 percent of Facebook users reveal personal information such as date of birth, phone number and e-mail address, a study by security vendor Sophos finds.
Written by Eileen Yu, Senior Contributing Editor
Social networking site Facebook has become such a hit in the cyber community that users think nothing about revealing personal information such as date of birth, phone number and e-mail address.
A new study released Wednesday showed that 72 percent of respondents publicized one or more e-mail addresses, and 84 percent divulged their full date of birth.


Conducted by Sophos, the study underscored the dangers of "irresponsible behavior" on social networking sites such as Facebook, the security company said, noting that 100,000 new users reportedly sign up on Facebook each day.

For the test, Sophos created a profile page on Facebook under the user "Freddi Staur"--an anagram of "ID fraudster"--and was able to elicit responses from 87 of the 200 Facebook users he tried to contact. He sent out "friend requests" to these users, selected randomly from across the globe. Some 41 percent of those contacted proceeded to unveil personal information, while 78 percent published their current address or location, Sophos said in a statement.

Despite the fact that "Freddi", assuming the image of a green plastic frog, had revealed minimal personal information about himself, he was able to gain access to some respondents' photos of family and friends, employer details and hobbies. One respondent even revealed his mother's maiden name, a piece of information that is often used as a form of user authentication.

This willingness to divulge personal information to a complete stranger puts such users at greater risk of identity theft, Sophos warned.

"Freddi may look like a happy green frog that just wants to be friends, but actually he's happy because he's just encouraged 82 users to hand over their personal details on a plate," Graham Cluley, senior technology consultant at Sophos, said in the statement. "While accepting friend requests is unlikely to result directly in theft, it is an enabler giving cyber criminals many of the building blocks they need to spoof identities, gain access to online user accounts, or potentially, to infiltrate their employers' computer networks."

Freddi was able to gather sufficient information to create phishing e-mails or malware that specifically target individual users or businesses, Cluley said. With the data, Freddi could also guess the users' passwords, or impersonate or stalk them, he added.

"Most people wouldn't give out their details to a stranger on the street, or even respond to a spam e-mail, yet several of the users Freddi contacted went so far as to make him one of their top friends," he said. "People need to realize that this is still unsolicited communication, despite it occurring within Facebook, and users must employ the same basic precaution such as not responding in any way, to prevent exposure to wrongdoers."

Cluley advised users to make use of privacy features that are available on Facebook to better protect their personal information. "This is about the human factor--people undoing all that good work through carelessness and being preoccupied with the kudos of having more Facebook friends than their peers--which could have a serious impact on business security, if accessed in the workplace," he warned.

But while some businesses may be considering blocking Facebook for productivity reasons, he noted, there are others which see business benefits from the type of interaction offered by the popular networking site.

"Hence, it's important that the site is used sensibly and securely," he added. In conjunction with the study, Sophos published a user guide that lists some security best practices for Facebook members.

Some key findings from the study include:

  • 87 of the 200 Facebook users responded to "friend requests" from Freddi, where 41 percent of those contacted gave out personal information;
  • 72 percent of respondents revealed one or more e-mail addresses;
  • 84 percent published their full date of birth;
  • 87 percent provided details about their education or workplace;
  • 78 percent unveiled their current address or location;
  • 23 percent listed their current phone number; and
  • 26 percent gave their instant messaging screen name.
