SECURITY
from 2009-06
by Hiba Dweib
I Stole My Friend’s Online Identity
Even if you haven’t yet jumped on the social-networking bandwagon, you’re not safe. Here’s how to keep someone from creating an account in your name. By Matthew D. Sarrel
I’m sure we’re all familiar with Robert Louis Stevenson’s 1886 tale The Strange Case of Dr. Jekyll and Mr. Hyde. It centers on a series of odd occurrences involving the kind and responsible Dr. Henry Jekyll and his hidden side, the morally bereft Mr. Edward Hyde.
Anyone wanting to bring out his evil side can easily do so online. Remember, on the Internet no one knows you’re a dog; you can be whoever you wish. Isn’t that fun?
Flip over the coin and it might no longer be fun for you. If you can be whoever you wish, then so can everyone else. Everyone can be anyone and do anything—isn’t that why we love the Web so much?
I’ve written a lot about the problem of identity theft—the kind in which your financial identity in the real world gets stolen— but this time I’m talking about protecting your online identity. Your fragile and public online identity is protected haphazardly at best. Web 2.0’s collaborative nature and social networking’s ease of access have seen to that. Compromising these accounts is a fairly trivial feat. A criminal could break into your account and misrepresent your online persona, damaging your reputation, exploiting the trust relationships with your friends and colleagues, and leaving you to wake up in the morning as Dr. Jekyll did—with a big mess of unknown origin to clean up.
No Hacking Necessary
Guess what? It’s even easier if you don’t yet have an online identity. A person doesn’t need to hack your existing account and can just set up a fraudulent one to begin with. This ought to light a fire under you to create those profiles, if only to lock them down. Fifteen years ago the threat was domain squatting; now the threat is social squatting. If you’ve never signed up for sites like Blogspot, Facebook, LinkedIn, MySpace, and Twitter, then it’s disturbingly easy for a miscreant to do so for you. And then there’s no telling what kind of other, more malicious activities your co-opted identity can serve as a jumping-off spot for.
To demonstrate how easy it is to take over an online identity, I created a series of accounts (Live.com, LinkedIn, and Facebook) in someone else’s name. I obtained basic info about her from a public document search on the Web to make the profiles look more realistic. About a minute after joining Facebook, I (she) had already started receiving friend invitations. By the end of the day, I (she) had amassed a nice little following. I even exchanged heartfelt greetings on her account with some of my (her) new friends. Despite the fact that I’d larded her profiles with clearly false information, no one expressed the slightest suspicion.
This was little more than a proof-of-concept exploit, although I did enjoy my brief stint as a woman. From here, the attack landscape is pretty broad. I could do anything from posting an embarrassing profile or status to using that profile as a way to attack others. I could use my fake profile to send malware masquerading as a Facebook “gift” app. And I could learn more about my victim and her friends, enough to seriously mess with their lives. For example, I could go rob someone whose Facebook status says he or she is on vacation. Even easier, I could use PayPal’s Pay Me or Spare Change Facebook apps to ask friends for money.
How does this happen, and why is it so easy? And does a Web site have a responsibility to its customers to keep them safe? Of course, Facebook and MySpace argue that they just built the playground and that it’s not their job to nanny us, but I take exception to that. They should have made safe playgrounds—but in social networks, it’s up to us to ensure our own safety.
Keeping Yourself Safe
1. Claim your name with every new social network that comes out. Even if you leave a blank profile, you are at least protecting that username and perhaps part of your online identity.
2. Monitor social networks for your name. Build custom queries on search engines and check up on them monthly. Start with SocialMention, where you can save your search as an RSS feed, for quick notification if your name shows up somewhere it shouldn’t.
3. When you do find someone using your name, read the profile carefully to make sure the person is in fact an imposter. Then immediately contact customer service and request that the fraudulent profile be taken down. Don’t contact the owner of the fraudulent profile. The last thing you need to do is add fuel to the fire.
6. Facebook safety: As a general rule, never follow an external link or grant a Facebook app full access to your profile.
7. Use out-of-network means to verify invitations to connect. Try to contact the invitee through another e-mail account to ask if the invitation is indeed legit.—MDS
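Step 2 suggests saving a name search as an RSS feed and checking it regularly. The following script is an added example, not code from the article or from SocialMention: it reads a generic RSS 2.0 feed, keeps only items that mention the monitored name, and drops any whose link is one of the profiles you have already claimed yourself (step 1), so what remains is the short list of profiles worth reviewing under step 3. The feed text, the name "Jane Example" and the claimed-profile URLs are constructed sample values; the real SocialMention feed format is assumed to carry the usual title/link/description fields.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample feed in plain RSS 2.0 shape (not real SocialMention output).
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>search: "Jane Example"</title>
    <item>
      <title>Jane Example</title>
      <link>https://www.linkedin.com/in/jane-example-claimed</link>
      <description>Profile of Jane Example, security analyst</description>
    </item>
    <item>
      <title>Jane Example (janeexample99)</title>
      <link>https://twitter.com/janeexample99</link>
      <description>New account for Jane Example, send me your spare change!</description>
    </item>
    <item>
      <title>Weekend hike</title>
      <link>https://example.org/blog/hike</link>
      <description>Photos from the trail</description>
    </item>
  </channel>
</rss>"""

# Profile URLs you have already claimed yourself (hypothetical values).
CLAIMED_PROFILES = {
    "https://www.linkedin.com/in/jane-example-claimed",
    "https://www.facebook.com/jane.example.claimed",
}


def normalize(url):
    """Lower-case scheme and host and strip a trailing slash so that
    trivially different spellings of the same profile URL compare equal."""
    p = urlparse(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"


def find_unclaimed_mentions(feed_xml, name, claimed):
    """Return (link, title) pairs for feed items that mention `name`
    and whose link is not one of the profiles you control."""
    claimed_norm = {normalize(u) for u in claimed}
    needle = name.casefold()
    hits = []
    for item in ET.fromstring(feed_xml).iter("item"):
        title = item.findtext("title") or ""
        desc = item.findtext("description") or ""
        link = (item.findtext("link") or "").strip()
        # Skip items that do not mention the monitored name at all.
        if needle not in (title + " " + desc).casefold():
            continue
        # Skip profiles you already own; only unknown ones need review.
        if normalize(link) in claimed_norm:
            continue
        hits.append((link, title))
    return hits


if __name__ == "__main__":
    for link, title in find_unclaimed_mentions(SAMPLE_FEED, "Jane Example", CLAIMED_PROFILES):
        print(f"review: {title} -> {link}")
```

Run monthly (or from a scheduler) against the saved feed URL with `urllib.request` in place of `SAMPLE_FEED`; anything printed is a candidate for the manual check in step 3, not proof of an imposter.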