Social networking

Don't give your id away, you may never get it back


Social networking sites ...

... an easy place to lose your identity. Social and community web sites such as Facebook, MySpace, Bebo, Twitter, Friends Reunited, and to some extent YouTube and Flickr, have become enormously popular and, in many cases, big money spinners for their owners. They are also a goldmine for those who would steal personal identities and commit fraud. It is regrettable that some of these sites more or less encourage their members to record large amounts of personal information and to make this accessible to the wider public rather than limit it to their own small circle of friends.

My advice is to use these web sites with great caution. I can see the attraction in using them - even I look at YouTube (there are links on this web site), Twitter (I use it every day) and Flickr. I now do not recommend Facebook; there are too many unanswered security problems to justify its use. So what should we do to use these sites with safety?

The key is to cover up your identity to the maximum degree and disclose as little about yourself as possible. This includes in conversations with other members as well as when you sign up.

NEVER use your full name or even your full initials - that rules out Friends Reunited who solicit just about every piece of high risk information, much of it mandatory. I recommend the use of a nom de plume, a name that you use only for this particular web site. DO NOT enter your full address - you may wish to provide the name of the town you live in but I would be wary of that lest it provides sufficient information to help someone trace you.

NEVER provide your true date of birth. If it is a requirement then adjust the numbers a little. DO NOT provide your phone number, fixed line or mobile. Doing so will only result in unwanted harassment from salesmen of all kinds. Unwanted sales calls can be suppressed from UK sources by putting your number on the free Telephone Preference Service list but you won't be able to stop foreign calls. See the page on filtering phone calls.

Many services, as well as many banks and financial services bodies that should know better, will ask you for a variety of information which they use to confirm your identity when you phone them. The most common are your mother's maiden name and the name of your first school. Both these pieces of information are now discredited because they are so easy to come by. Further, there is a generation of young adults whose mothers never married and so continue to use their maiden names which may or may not have been adopted by their children. Schools are often easily identified from a site like Friends Reunited, the whole purpose of which is to look up your school friends. I recommend that when asked for your mother's maiden name you provide something different. If you wish to be entirely honest tell a bank or other official body that you have done this and why - because your mother's name is too well known. Just don't forget what name you have told them though! For school name I suggest corrupting the real name or giving a different school altogether.

NEVER disclose your place of work - this could open you to blackmail. You could note your trade or profession but I wouldn't if it wasn't relevant. But if you are registering with LinkedIn you will need to give details of your profession - but don't be lured into thinking that just because it is a professional business site that it is any safer to put your personal information there. As with all these sites, you are exposing your personal information to the world.

DON'T provide your email address in a public place if it is not necessary. If you do, you will get hordes of spam messages. As a webmaster it is inevitable that one of my email addresses is known by default - webmaster@happy-valley etc. This, and similar addresses for my other web sites, has produced up to 100 spam messages every day. These are largely filtered out for me by the use of clever software but I'd much rather not get them.

REVERT TO EMAIL - if a discussion with a correspondent gets a bit too specific on a public social web site, respond via a personal email (if you know the address or the facility exists on the site), or ask the correspondent to email you, and pursue the conversation by private email.

AND ABOVE ALL never give any financial information to anyone via a social networking site, information such as account numbers, credit or debit card numbers and other similar information. To do so amounts to giving access to your accounts to the world's crooks. And NEVER NEVER NEVER SEND MONEY TO ANYONE IN RESPONSE TO EVEN THE MOST HEART WRENCHING STORIES - ESPECIALLY NOT TO LOVERS YOU HAVE MET ON THE WEB. There are so many frauds being conducted by this method, nearly always from abroad where you have no hope of redress.

In general avoid putting personal information on social networking sites - be careful to avoid telling others where you live, where you hang out, where and when you are going on your holidays, and so on. There must be plenty to talk about without giving identity information away. If you want to tell your real friends about these things do it privately with an email or, better still, with a phone call - isn't that what the phone was for?

If you are already registered to a social networking site and wish to remove yourself you may find it difficult to do so although public pressure has improved the facility in recent times. I suggest you go to the help page and look for information on deleting your profile. If you don't want to delete your Facebook profile there is now a facility to enable you to hibernate it for the time being and re-awaken it at a later time. This at least enables you to preserve your profile name, so avoiding its use by someone else.

If you think you may be compromised by information you have put on one of these social sites then tell your bank or card company. Ask them to give you a new account number; change information such as maiden names and schools. I also suggest you do this in person over the counter and re-identify yourself to the organisation so that there can be no doubt in their minds that you are bona fide and get them to make a record of this event. Some banks now enable you to set a password so that they can confirm that it is you who is talking to them and not an imposter, and to set a requirement that they contact you in person before acting on written instructions such as change of address, open a new account, or close an account after transferring all the funds elsewhere. You could protect yourself by buying protective registration from CIFAS. For £14.10 (02/2011) it will force anyone applying for credit in your name (including you!) to undergo extra identity checks. You should also obtain your credit records from the three main holders to check that your identity has not already been compromised.

Web links

Sites such as Facebook and Twitter are becoming increasingly risky. In April 2011 Symantec said that 1 in 6 links on Facebook went to malicious software sites. This is sufficiently high to suggest that one should not click on a link unless you know the person who put it there. The majority of tweets on Twitter contain a link, usually a compressed version which hides the true address, and again one should probably not be clicking on them if you do not know the person who put it there.

Facebook now (2/2012) has over 800 million users. In recent months there has been an ever increasing number of methods of abuse, some of them technically very tricky and hard for the user, even technically savvy users, to spot. A very good place to get information on Facebook frauds is the Sophos Naked Security bulletin and the Sophos Facebook page.

Even while I have been updating this page a new scam has appeared on Facebook - read this, then cancel your profile!

New! Geotagging

Smartphones use GPS to add your locational information to many of the outputs such as emails, pictures, messages. An increasing number of 'apps' use GPS info as a basis for their functionality. On the face of it this sounds like a great idea and it is, except, of course, that if you think about the possibilities, it isn't.

The problem is that recording the locations you pass through every day provides miscreants with a heaven sent collection of data which can be used to stalk you, to know when you are out of the house, to know where you can be found at a particular time on particular days. This amounts to a considerable loss of privacy.

The technology first became noticed for its seriousness when a number of US servicemen being flown to a base in Afghanistan photographed the helicopters on the ground on arrival and immediately posted their pictures to social media. The baddies quickly found and downloaded the pictures and extracted the geotags giving them the exact co-ordinates of the helicopters. Within minutes missiles were fired with pin-point accuracy and four choppers were destroyed on the ground.

UK forces are now banned from using mobile phones in operational areas. US forces are required to follow strict rules for staying geotag-safe:

  • Don't friend someone if you haven't met them in person.
  • Even if there's nothing classified about an individual's location, a series of locations posted online over the course of a month can create a pattern that criminals can use.
  • Disable the geotagging feature on your phone.
  • Check your security settings to see who you're sharing check-ins with.
  • The same applies to safety for children. Do you really want the entire world to know where your child goes to school?
  • Be conscious of what information you're putting out there. Don't share information with strangers. Once it's out there, it's out there. There's no pulling it back.

Further information

The Sophos Naked Security bulletin is published daily with all the latest IT security news. Facebook features almost every day! Sophos also say "If you use Facebook and want to get an early warning about the latest scares, scams and internet attacks, you should join the Sophos Facebook page where we have a thriving community of over 160,000 people."

Sophos is a leading UK IT security company who develop and support a very highly rated virus checker and other security tools mainly sold to commerce and industry. While I have known them since they were established in the early 1990s I have had no direct connection with them since I retired more than 15 years ago.


The author ...

... is a retired Information Security Manager. I give no warranty that the advice given will prevent your system from suffering from viruses, worms, spam, spyware, usage trackers, keyloggers, abuse or any unauthorised programs, functionality or macros of any kind introduced by any means. It must be accepted that the subject is not fully explored in this document and descriptions of problems and solutions are necessarily brief and incomplete. New security problems are regularly being discovered in PC operating systems, mobile 'apps' and other software for all kinds of computer based consumer equipment and users need to be constantly alert to the latest threats. Nor do I give any warranty regarding personal identification protection, use of social networking web sites, or calls to or from banks and finance houses. Neither do I take any responsibility for any third party web site or its contents nor for any products offered or supplied by those sites or any retail outlet or the companies promoting them. If in doubt ask for advice for your specific system or problem from a company offering such advice or service. Always follow the specific advice of hardware and software suppliers, banks and finance houses as appropriate.

© Copyright Tim Boddington 2013. All rights reserved.