Social networking sites ...
... an easy place to lose your identity. Social
and community web sites such as Facebook, MySpace, Bebo, Twitter,
Friends Reunited, and to some extent YouTube and Flickr, have become
enormously popular and, in many cases, big money spinners for their
owners. They are also a goldmine for those who would steal personal
identities and commit fraud. It is regrettable that some of these
sites more or less encourage their members to record large amounts
of personal information and to make this accessible to the wider
public rather than limit it to their own small circle of friends.
My advice is to use these web sites with great caution. I can
see the attraction in using them - even I look at YouTube (there
are links on this web site), Twitter (I use it every day) and Flickr.
I now do not recommend Facebook; there are too many unanswered
security problems to justify its use. So what should we do to use
these sites with safety?
The key is to cover up your identity to the maximum degree and disclose as little about yourself as possible. This includes in conversations with other members as well as when you sign up.
NEVER use your full name or even your full initials
- that rules out Friends Reunited who solicit just about every
piece of high risk information, much of it mandatory. I recommend
the use of a nom
de plume, a name that you use only for this particular web
site. DO NOT enter your full address - you may
wish to provide the name of the town you live in but I would be
wary of that lest it provides sufficient information to help someone
trace you.
NEVER provide your true date of birth. If it
is a requirement then adjust the numbers a little. DO NOT provide
your phone number, fixed line or mobile. Doing so will only result
in unwanted harassment from salesmen of all kinds. Unwanted sales
calls can be suppressed from UK sources by putting your number
on the free Telephone
Preference Service list but you won't be able to stop foreign
calls. See the page on filtering phone
calls.
Many services, as well as many banks and financial services bodies
that should know better, will ask you for a variety of information
which they use to confirm your identity when you phone them. The
most common are your mother's maiden name and the name of your
first school. Both these pieces of information are now discredited
because they are so easy to come by. Further, there is a generation
of young adults whose mothers never married and so continue to
use their maiden names which may or may not have been adopted by
their children. Schools are often easily identified from a site
like Friends Reunited, the whole purpose of which is to look up
your school friends. I recommend that when asked for your mother's
maiden name you provide something different. If you wish to be
entirely honest tell a bank or other official body that you have
done this and why - because your mother's name is too well known.
Just don't forget what name you have told them though! For school
name I suggest corrupting the real name or giving a different school
altogether.
NEVER disclose your place of work - this could
open you to blackmail. You could note your trade or profession
but I wouldn't if it wasn't relevant. But if you are registering
with LinkedIn you will need to give details of your profession
- but don't be lured into thinking that just because it is a professional
business site that it is any safer to put your personal information
there. As with all these sites, you are exposing your personal
information to the world.
DON'T provide your email address in a public
place if it is not necessary. If you do, you will get hordes of
spam messages. As a webmaster it is inevitable that one of my email
addresses is known by default - webmaster@happy-valley etc. This,
and similar addresses for my other web sites, has produced up to
100 spam messages every day. These are largely filtered out for
me by the use of clever software but I'd much rather not get them.
REVERT TO EMAIL - if a discussion with a correspondent
gets a bit too specific on a public social web site, respond via
a personal email if you know the address or the facility exists
on the site, or ask the correspondent to email you, and pursue
the conversation by private email.
AND ABOVE ALL never give any financial information
to anyone via a social networking site, information such as account
numbers, credit or debit card numbers and other similar information.
To do so amounts to giving access to your accounts to the world's
crooks. And NEVER NEVER NEVER SEND MONEY TO ANYONE
IN RESPONSE TO EVEN THE MOST HEART WRENCHING STORIES - ESPECIALLY
NOT TO LOVERS YOU HAVE MET ON THE WEB. There are so many frauds
being conducted by this method, nearly always from abroad where
you have no hope of redress.
In general avoid putting personal information on social networking
sites - be careful to avoid telling others where you live, where
you hang out, where and when you are going on your holidays, and
so on. There must be plenty to talk about without giving identity
information away. If you want to tell your real friends about these
things do it privately with an email or, better still, with a phone
call - isn't that what the phone was for?
If you are already registered to a social networking site and
wish to remove yourself you may find it difficult to do so although
public pressure has improved the facility in recent times. I suggest
you go to the help page and look for information on deleting your
profile. If you don't want to delete your Facebook profile there
is now a facility to enable you to hibernate it for the time being
and re-awaken it at a later time. This at least enables you to
preserve your profile name, so avoiding its use by someone else.
If you think you may be compromised by information you have put
on one of these social sites then tell your bank or card company.
Ask them to give you a new account number; change information such
as maiden names and schools. I also suggest you do this in person
over the counter and re-identify yourself to the organisation so
that there can be no doubt in their minds that you are bona
fide and get them to make a record of this event. Some banks
now enable you to set a password so that they can confirm that
it is you who is talking to them and not an imposter, and to set
a requirement that they contact you in person before acting on
written instructions such as changing your address, opening a new account,
or closing an account after transferring all the funds elsewhere.
You could protect yourself by buying protective registration from CIFAS.
For £14.10 (02/2011) it will force anyone applying
for credit in your name (including you!) to undergo extra identity
checks. You should also obtain your credit
records from the three main holders to check that your identity
has not already been compromised.
Web links
Sites such
as Facebook and Twitter are becoming increasingly risky. In April
2011 Symantec said that 1 in 6 links on Facebook went to malicious
software sites. This is sufficiently high to suggest that you should
not click on a link unless you know the person who put it there.
The majority of tweets on Twitter contain a link, usually a compressed
version which hides the true address, and again you should probably
not click on them if you do not know the person who put them
there.
Facebook now (2/2012) has over 800 million users.
In recent months there has been an ever increasing number of methods
of abuse, some of them technically very tricky and hard for the
user, even technically savvy users, to spot. A very good place
to get information on Facebook frauds is the Sophos Naked Security
bulletin and the Sophos Facebook page.
Even while I have been updating this page a new scam has appeared
on Facebook - read this, then cancel your profile!
Geotagging
Smartphones use GPS to add your location to many of their
outputs, such as emails, pictures and messages. An increasing
number of 'apps' use GPS info as a basis for their functionality.
On the face of it this sounds like a great idea and it is, except,
of course, that if you think about the possibilities, it isn't.
The problem is that recording the locations you pass through every
day provides miscreants with a heaven sent collection of data which
can be used to stalk you, to know when you are out of the house,
to know where you can be found at a particular time on particular
days. This amounts to a considerable loss of privacy.
The seriousness of this technology was first noticed when a
number of US servicemen being flown to a base in Afghanistan photographed
the helicopters on the ground on arrival and immediately posted
their pictures to social media. The baddies quickly found and downloaded
the pictures and extracted the geotags giving them the exact co-ordinates
of the helicopters. Within minutes missiles were fired with pin-point
accuracy and four choppers were destroyed on the ground.
UK forces are now banned from using mobile phones in
operational areas. US forces are required to follow strict rules
for staying geotag-safe:
- Don't friend someone if you haven't met them in person.
- Even if there's nothing classified about an individual's location,
a series of locations posted online over the course of
a month can create a pattern that criminals can use.
- Disable the geotagging feature on your phone.
- Check your security settings to see who you're
sharing check-ins with.
- The same applies to safety for children.
Do you really want the entire world to know where your child
goes to school?
- Be conscious of what information you're putting out there.
Don't share information with strangers. Once it's out there,
it's out there. There's no pulling it back.
Further information
The Sophos Naked Security bulletin is published daily with all
the latest IT security news. Facebook features almost every day!
Sophos also say "If you use Facebook and want to get an early warning
about the latest scares, scams and internet attacks, you should join
the Sophos Facebook page where we have a thriving community
of over 160,000 people."
Sophos is a leading UK IT security company who develop and support
a very highly rated virus checker and other security tools mainly
sold to commerce and industry. While I have known them since they
were established in the early 1990s I have had no direct connection
with them since I retired more than 15 years ago.
... is a retired Information
Security Manager. I give no warranty that the advice given will prevent
your system from suffering from viruses, worms, spam, spyware, usage
trackers, keyloggers, abuse or any unauthorised programs, functionality
or macros of any kind introduced by any means. It must be accepted that
the subject is not fully explored in this document and descriptions of
problems and solutions are necessarily brief and incomplete. New security
problems are regularly being discovered in PC operating systems, mobile
'apps' and other software for all kinds of computer based consumer equipment
and users need to be constantly alert to the latest threats. Nor do I
give any warranty regarding personal identification protection, use of
social networking web sites, or calls to or from banks and finance houses.
Neither do I take any responsibility for any third party web site or
its contents nor for any products offered or supplied by those sites
or any retail outlet or the companies promoting them. If in doubt ask
for advice for your specific system or problem from a company offering
such advice or service. Always follow the specific advice of hardware
and software suppliers, banks and finance houses as appropriate.
© Copyright Tim Boddington 2013. All rights reserved.