More than four of tenFacebook usersÂ (41%) agreed to become “friends” with the fictional Freddi Staur and allowed access to personal data, according to new research by Sophos into the risks of identity and information theft occurring through Facebook (via CNET News Blog).
Users often divulged personal information – such as email address, date of birth and phone number – to a complete stranger, greatly increasing their susceptibility to ID theft, Sophos said.
The Sophos “Facebook ID Probe” involved creating a fabricated Facebook profile, then sending out friend requests to randomly selected persons across the globe. Sophos set up a profile page for ‘Freddi Staur’ (an anagram of “ID Fraudster”), a small green plastic frog who divulged minimal personal information about himself. Sophos then sent out 200 friend requests.
Among the Sophos Facebook ID Probe findings:
- 87 of the 200 Facebook users contacted responded to Freddi, with 82 leaking personal information (41% of those approached).
- 72% of respondents divulged one or more email address.
- 84% of respondents listed their full date of birth.
- 87% of respondents provided details about their education or workplace.
- 78% of respondents listed their current address or location.
- 23% of respondents listed their current phone number.
- 26% of respondents provided their instant messaging screenname.
- Sophos also “poked”* another 100 random Facebook users to see whether it would elicit similar responses, allowing Freddi to access their details:However, just eight people responded, with only five revealing personal information.
“Freddi may look like a happy green frog that just wants to be friends, but actually he’s happy because he’s just encouraged 82 users to hand over their personal details on a plate,” said Graham Cluley, senior technology consultant at Sophos.
“While accepting friend requests is unlikely to result directly in theft, it is an enabler, giving cybercriminals many of the building blocks they need to spoof identities, to gain access to online user accounts, or potentially, to infiltrate their employers’ computer networks.”
In the majority of cases, Freddi was able to gain access to respondents’ photos of family and friends, information about likes/dislikes, hobbies, employer details and other personal facts, Sophos said. In addition, many users apparently also disclosed the names of their spouses or partners.
“What’s worrying is how easy it was for Freddi to go about his business. He now has enough information to create phishing emails or malware specifically targeted at individual users or businesses, to guess users’ passwords, impersonate them or even stalk them,” explained Cluley.
“It’s important to remember that Facebook’s privacy features go far beyond those of many competing social networking sites. This is about the human factor – people undoing all that good work through carelessness and being preoccupied with the kudos of having more Facebook friends than their peers, which could have a serious impact on business security, if accessed in the workplace.”
*”Poking” is a way for Facebook users to interact with one another. According to the Facebook website, it is a feature designed “without any specific purpose.” When a user is poked an icon appears on their Facebook homepage, with the option to “remove poke” or “poke back.” By choosing to poke back, the user allows the initial sender to view their profile information for the next seven days.