David Harley, Director of Malware Intelligence, ESET: Fact, Fiction and the Internet
January 2010
In their simplest form, many social networking sites are not much more than online diaries. Whether you’re thinking of Bridget Jones or Adrian Mole, Alan Clark or Samuel Pepys, most of us realize that a diary is just someone’s personal view, and not a reliable source of indisputable information. Most of us except for financial institutions, that is, or so it appears.
In a recent blog post, security expert Roger Thompson related how an authentication check by his credit card company resulted in their asking him a question to verify his identity, using information that is publicly available (as opposed to, or in addition to, the sort of information we deliberately share with such institutions, for instance as answers to "secret questions"). The required answer in this case concerned the age of Roger's daughter-in-law, whom they referred to by her maiden name. The only public resource that Roger could think of that would connect the two of them is Facebook, though other commentators have pointed out that genealogy sites are used in identity checks too.
For a while now, some security researchers have advised people to be economical with the truth when using chatrooms, forums and social networking sites. Why would you give your true date of birth to a site that doesn't need to know it, and can't be trusted to keep it private? Is it a good idea to let all your Facebook friends know you're on holiday next week when you may not have met them all personally and can't be sure how much of your information is visible to their friends? If you must use your dog's name as a password (you really shouldn't be using names for passwords), talking about Fido on Facebook gives a determined attacker a good start along the password guessing route: a handful of facts cuts the search space from every possible string to a few hundred obvious variations. How much easier is it to harvest information about a target when their place of birth or current home town is public knowledge?
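To make the "good start along the password guessing route" concrete, here is an added example (not code from the original article or from ESET) that turns a few profile facts into the kind of targeted guess list an attacker would try before any brute force. The profile, the mutation rules and the suffix list are constructed for illustration and are not taken from any real tool or account.

```python
import itertools

# Constructed sample profile: the sort of detail people post on social sites.
# None of this is real data.
SAMPLE_PROFILE = {
    "pet": "Fido",
    "town": "Croydon",
    "partner": "Alice",
    "birth_year": "1975",
}

# Simple character substitutions ("leetspeak") that password crackers try.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

# Common endings appended to a base word; the list is an assumption for the demo.
SUFFIXES = ["", "1", "12", "123", "!", "01", "2010"]


def case_variants(word):
    """lowercase, Capitalised and UPPER forms of a word."""
    return {word.lower(), word.capitalize(), word.upper()}


def mutate(word):
    """All case variants of a word, with and without leetspeak substitution."""
    out = set()
    for base in case_variants(word):
        out.add(base)
        out.add(base.translate(LEET))
    return out


def candidate_passwords(profile):
    """Build the guess list an attacker derives from public profile facts.

    Every name-like token is mutated and combined with common suffixes and the
    birth year (full and two-digit); pairs of tokens are also concatenated.
    """
    tokens = [v for k, v in profile.items() if k != "birth_year"]
    years = []
    if "birth_year" in profile:
        years = [profile["birth_year"], profile["birth_year"][-2:]]

    guesses = set()
    for tok in tokens:
        for variant in mutate(tok):
            for suffix in SUFFIXES + years:
                guesses.add(variant + suffix)
            for year in years:
                guesses.add(year + variant)
    # Two-token combinations such as pet name + home town.
    for a, b in itertools.permutations(tokens, 2):
        guesses.add(a.lower() + b.lower())
        guesses.add(a.capitalize() + b.capitalize())
    return sorted(guesses)


def guess_rank(password, profile):
    """1-based position of `password` in the candidate list, or None if absent.

    A small rank means the password falls within the first few hundred guesses
    an attacker who has read the target's profile would try.
    """
    candidates = candidate_passwords(profile)
    try:
        return candidates.index(password) + 1
    except ValueError:
        return None


if __name__ == "__main__":
    cands = candidate_passwords(SAMPLE_PROFILE)
    print(f"{len(cands)} candidates generated from {len(SAMPLE_PROFILE)} profile facts")
    for pw in ("Fido1975", "f1d0!", "CroydonFido", "correct horse battery staple"):
        print(f"{pw!r}: rank {guess_rank(pw, SAMPLE_PROFILE)}")
```

The point is not the sophistication of the mutations (real crackers use far richer rule sets) but the arithmetic: four public facts yield fewer than a few hundred guesses, all of which can be tried against a web login long before any lockout or rate limit is worth the attacker's attention, whereas a password unrelated to anything on the profile never appears in the list at all.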
In the security industry, we talk a lot about the dangers of social networking and sharing information that may be valuable to burglars and scammers, or even spies (if you happen to be married to the head of MI some-number-or-other). But it isn’t just about what you do, or information that you give away. Other people can give away information that impacts on you, like that photo of you next to Niagara Falls that your mate posts to his Facebook page, giving clear notice that you aren’t at home right now.
This latest revelation about how information posted to websites is being used (or misused) suggests a potential scenario where false information might actually be treated as more valid than true information, simply because it's "publicly available" and your bank assumes that you, or someone within your social network, would never lie to a social networking site.
There is probably more misinformation than information in the online world, whether it’s deliberate deception, propaganda, fraud, well-meaning lack of comprehension, or just data that are no longer current. So any instance of an organization relying on the accuracy of data from a wider (more public) range of resources raises concerns about inaccuracy and perhaps even the deliberate poisoning of data. How can individuals keep track of and validate everything that is "known" about them when presumed-valid information is pulled from who knows where? More so, if the organization pulls that information long after it has supposedly already validated you as a customer.
While a bad guy who has access to all the information that a bank has may not need to change it in order to profit from it, there are several scenarios where he might want to. This might include hampering remediation; influencing the presentation of data he can write to even when he can’t read it (a more common situation than one might think); and compromising public data as part of a social engineering attack. Not to mention where the objective is to actually block legitimate access to information as well as or instead of impersonation.
Regulation of data is nowhere near keeping up with the Internet age, and some of our legalistic assumptions were outdated in the 19th century. The possibility of an organization using one customer's data to validate (or invalidate) another customer poses more awkward ethical and practical issues than most of us have thought of. It might benefit us all to think for a moment about the long-term impact that our next Facebook update or tweet may have on ourselves or our friends, before we put fingers to keyboard or keypad...