Thursday, October 17, 2013

Facebook users, be warned . . .


The Telegraph has published an interesting (and worrying) article about what hackers can learn about you from Facebook, and how they can use it.  Here's an excerpt.

Anyone can download all the data Facebook holds on them. Thanks to Europe-wide data protection rules companies are obliged to reveal what information they store on you. Normally this involves a written request, small fee and 40-day wait.

Luckily Facebook makes this easy. By clicking on account settings (the small cog icon at the top right), picking "general" and going to "download a copy of your Facebook data" you can get hold of everything.

Browsing the folders at first is fairly amusing. Old messages track forgotten relationships as they spark up and peter out. Gossip from university days resurfaces. AmDram productions you promised friends you would attend remain in a list of past events.

You realise biographers of the future won't be combing through dusty collections of letters but double-clicking on folders containing Facebook profiles. But what if the data fell into the wrong hands?

To see what useful info could be gleaned I downloaded my own personal Facebook data, which has been building up for the last seven years. Through simple word searches a host of sensitive information could be uncovered within minutes.

Searching for the word "bank" in the file containing past messages returned my bank account details. Sort code; account number; card number; bank name; the lot. Turns out I had sent them to a friend who needed to transfer money in 2010.

Typing "my address" brought up my home address, including postcode, as well as a flat I had rented in London. Searches for "my number" and "my email" found the correct details instantly.

Date of birth could be worked out via "happy birthday" posts. Relatives could be found by searching the friends list for my surname. Recent sessions logged the IP address of the computer used.

A criminal could even work out the exact times I would be out of the house for dinner or on holiday by looking at which events I was attending.

"There are all sorts of things you could do with that," says Tony Neate, an ex-policeman who spent 30 years in the force and now heads up the government-backed Get Safe Online campaign.

"I know from talking to people within the police and the Serious Organised Crime Agency that you are well on your way as a criminal to having everything you need to steal your identity."

He adds: "They can mirror who you are and then start looking at where they can actually make money from the information they have got ... The amount of information you have given me is 90 per cent there for someone to be able to [commit identity fraud]."

By intercepting post at my home address a fraudster could create a credit card or take out a bank loan in my name, according to Neate. The Facebook data alone may be enough to open a new bank account with my details to be used to transfer dirty money.

Neil Munroe, external affairs director at credit information group Equifax, says the information "ticks a lot of the boxes" needed to take out a credit card and fears people fail to adequately protect their profiles.

"A lot of passwords are still set as derivatives of family names, pet names, holidays, that type of thing," he says, warning that Facebook profiles can help criminals guess logins. The fact that so many people use one password for all their accounts is also a danger.

Munroe continues: "Intuitively everybody knows that that information should not be there. You would not write that information on a sandwich board and walk down your local street with it on. That is exactly what you are doing with Facebook."

There's more at the link.

This merely confirms my earlier opinion that Facebook is simply too much of a security risk to use safely.  The same applies to most other social media, IMHO.  I'll be staying off them, thank you very much - or, if I find myself forced to use them, I'll do so from a dedicated computer that does nothing else, and doesn't have links to my e-mail, address book, or other personal information.

Peter

3 comments:

Rolf said...

Poor security is just one of many reasons to not use FB. Its business model now is essentially data mining and resale. No, not worth it.

Julie said...

Interesting. I have just downloaded my FB data and there's no addresses, banking details, passwords or similar in it - mainly because I don't put that stuff on FB.

I think like everything - realise what you're posting and where and be sensible.

I like FB - I find it a great way to keep in touch with people and to informally keep up with their lives.

There is one thing I'm going to test with this data though and that is when you've deleted conversations whether they can be 'recovered' via this method.

Julie said...

Hi Peter, I've just run a check. If you delete your Facebook messages they are not shown when you download the data.

So if you have posted something to someone (e.g. your address / bank details - please spread this over 3 different communication mediums if you must / whatever) and you don't want anyone to be able to access it, delete your messages.