Sophos: Facebook urged to change its default privacy settings for geographic networks
October 2007 by Sophos
IT security and control firm Sophos is urging Facebook to improve its default privacy settings following new research that revealed members are unwittingly exposing their personal details on a mass scale to millions of strangers, putting themselves at risk of identity theft.
Sophos took a random snapshot of 200 users in the London Facebook network, which is the single largest geographic network on the site, with more than 1.2 million members. The company found that a staggering 75 percent allow their profiles to be viewed by any other member, regardless of whether they or not they have agreed to be friends.
Worryingly for businesses, 25 percent, which could equate to as many as 300,000 users in the London network, revealed information relating to their work - details that could potentially be used by cybercriminals in their attempts to commit corporate ID fraud or to infiltrate company networks.
Facebook is made up of thousands of networks worldwide, and users are encouraged to join them in order to meet and make friends with people in their area. Even if you have previously set up your privacy settings to ensure that only friends can view your information, joining a network automatically opens your profile to every other member of the network. Sophos experts note that this is a worrying situation, particularly given the growing popularity of these networks. For instance, in May 2007, there were just 375,000 Facebook members in the London network, a three-fold increase in just four months means that an unprecedented amount of personal and corporate information is now available for strangers to view.
"I was flabbergasted when I joined a network on Facebook using a profile which I thought was secure, only to find Facebook had changed a number of settings and was opening me up to millions of strangers. Who was to say that cybercriminals weren’t in that network too? Is it right that Facebook works this way?" said Graham Cluley, senior technology consultant at Sophos. "While Facebook’s privacy features are far more sophisticated than competing social networking sites, too many members still aren’t getting the message about how to use them to prevent ID theft. Facebook has ultimately put these privacy options in place to protect its flock but perhaps it’s now time for the networking phenomenon to take the next step and change its default settings so that when members join a network, they have to actively click to leave their details on show, rather than automatically letting it all hang out online."
The research further highlights that 54 percent of users in the London network show their full date of birth; vital information for cybercriminals wishing to commit identity fraud. One percent, which could equate to as many as 12,000 people, also divulge their phone number to over a million strangers. While smaller networks may not pose as great a threat as the massive London circle, each one - whether regional, work or college related - presents a significant risk to members who fail to check and amend their privacy settings.
"The Facebook network issue almost amounts to identity-on-demand for cybercriminals, who are fully capable of taking advantage of unwitting Facebook fans. It’s crucial that users take a few minutes to look at their privacy settings before getting caught up in the undisputed fun of Facebook," concluded Cluley.
Recently, Sophos published research showing that 41 percent of Facebook users were prepared to divulge personal information to a complete stranger (a small plastic frog called Freddi Staur - an anagram of ’ID Fraudster’).
Sophos’s user guide for behaving securely on Facebook is available at: www.sophos.com/facebook
Sophos recommends companies protect themselves with a consolidated solution which can control network access and defend against the threats of spam, hackers, spyware and viruses.