Aug 22, 2007, News Report
Social networking users are being warned of the dangers of allowing strangers to gain access to their online profiles, following new research into the risks of identity and information theft occurring through the global phenomenon Facebook.
Compiled from a random snapshot of Facebook users, research by the IT security company Sophos shows that 41 percent of users, more than two in five, will divulge personal information -- such as e-mail address, date of birth and phone number -- to a complete stranger, greatly increasing their susceptibility to ID theft.
The Facebook ID Probe involved creating a fabricated Facebook profile before sending out friend requests to individuals chosen at random from across the globe. To conduct the experiment, Sophos set up a profile page for 'Freddi Staur' (an anagram of 'ID Fraudster') -- a small green plastic frog who divulged minimal personal information about himself. Two hundred friend requests were sent out to observe how many people would respond, and how much personal information could be gleaned from the respondents.
"Freddi may look like a happy green frog that just wants to be friends, but actually he's happy because he's just encouraged 82 users to hand over their personal details on a plate," said Graham Cluley, senior technology consultant at Sophos. "While accepting friend requests is unlikely to result directly in theft, it is an enabler, giving cybercriminals many of the building blocks they need to spoof identities, to gain access to online user accounts, or potentially, to infiltrate their employers' computer networks."
Sophos Facebook ID Probe findings:
In the majority of cases, Freddi was able to gain access to respondents' photos of family and friends, information about likes/dislikes, hobbies, employer details and other personal facts. In addition, many users also disclosed the names of their spouses or partners, several included their complete résumé, while one user even divulged his mother's maiden name -- information often requested by Web sites in order to retrieve account details.
"What's worrying is how easy it was for Freddi to go about his business. He now has enough information to create phishing e-mails or malware specifically targeted at individual users or businesses, to guess users' passwords, impersonate them or even stalk them," explained Cluley. "Most people wouldn't give out their details to a stranger in the street, or even respond to a spam e-mail, yet several of the users Freddi contacted went so far as to make him one of their 'top friends'. People need to realize that this is still unsolicited communication, despite it occurring within Facebook, and users must employ the same basic precautions -- such as not responding in any way -- to prevent exposure to wrongdoers."
As well as the successful friend requests, a number of users unwittingly enabled Freddi to gain access to their profile information simply by sending response messages such as "Who are you?" and "Do I know you?" back to his Facebook inbox. Sophos experts note that users' profiles can be protected from such exposure by adjusting the privacy controls within their Facebook account settings.
"It's important to remember that Facebook's privacy features go far beyond those of many competing social networking sites. This is about the human factor -- people undoing all that good work through carelessness and being preoccupied with the kudos of having more Facebook friends than their peers, which could have a serious impact on business security, if accessed in the workplace," continued Cluley. "Of course, some businesses may already be considering blocking Facebook for productivity reasons -- but equally, other companies will see business benefits in this type of interaction, hence it's important that the site is used sensibly and securely."