Securing your personal information on the Internet is a very real concern among all who use it for banking, shopping, and billing. Recently, online attackers have found a new place to gather personal information: social networking sites.
Social networks, like Facebook, Twitter, and MySpace, have surged in popularity in the last few years. There are approximately 300 million users on Facebook, which is equal to the population of the United States, and from February 2008 to February 2009, the number of registered Twitter users grew 1,382 percent to more than 7 million users. With this increased usage and sharing of personal information, people may be putting themselves at risk. When users on these sites include personal information, like addresses and phone numbers, they may believe it is only viewable by the people listed as friends; however, that is not always the case.
It is common for cybercriminals to stake out and stalk social network users and try to trick them into handing out personal information. Even when users are diligent about keeping profiles set at the strictest privacy settings and carefully avoid clicking on suspicious links, personal information can still get into the wrong hands. According to the Internet Crime Complaint Center — a partnership between the FBI, the National White Collar Crime Center, and the Bureau of Justice Assistance — there have been 3,200 reported account hijackings since 2006. The Center also received more than 72,000 complaints in 2008 about Internet fraud that led to further investigation by law enforcement. By using social networking sites, you are potentially putting yourself and your private information at risk.
Cybercriminals and others who want your information all have different goals. Some want people to navigate to sites where the attackers are paid to send traffic; others want users to enter personal information, like passwords, addresses, and social security numbers; while others want to completely take control of identities and entire computers.
A common ploy by attackers is to send a message that looks like it came from a friend on the social network. Many times the message includes a link to what appears to be a familiar and reputable Website; however, the link actually leads users to a third-party application with no affiliation to the recognized site. Cybercriminals hope users are fooled into clicking the false link and then entering personal information, like usernames and passwords, into the site. Commonly the sites also install malicious software on computers, which then sends the same message to your friends.
In one popular Facebook scam using this method, the online attackers pose as a friend and pretend they are out of the country and in need of money. The message asks all the friends within the social network to click on a link and wire money to a specific destination. At this point, the cybercriminals hope that users will enter bank account numbers, social security numbers, passwords, and other personal and identifying information.
A similar type of attack happened to Twitter earlier this year. Many of the site’s users clicked on links in emails and other postings that they believed linked to Twitter; however, the users were led to a third-party site that looked similar to Twitter’s interface. Here users typed in their usernames and passwords, essentially handing cybercriminals all sorts of information that can be used in malicious ways.
Once online attackers collect your personal information from social networking sites, they have access to and can target all of the friends associated with that account. The average Facebook user is said to have 120 friends, which gives cybercriminals an almost endless number of potential victims.
After cybercriminals obtain your username and password for one site, they then try that same combination at many other sites. Oftentimes this succeeds, since many of us use the same password for multiple accounts. By using the same password at many sites, you are putting yourself at risk.
Security experts believe having one password for all applications is very risky. They liken it to having the keys to a kingdom; if attackers get a hold of one password, then they are able to take control of your entire online (and, by extension, offline) identity. Experts suggest having unique passwords for accounts that contain a lot of personal information, like email accounts and bank accounts, and changing them often. It is fine to reuse a few different passwords for sites that do not contain a lot of personal information, like a subscription to a newspaper or a job board. Additionally, how a password is created is very important. Passwords should be a mix of upper and lowercase letters, should include numbers and special characters, and should not use a word that can be found in any dictionary.
Another way users can protect themselves is to adjust the privacy settings on all applications to the strictest available. Do not allow your social network profiles to be viewable by anyone besides your friends. And if your friends on these sites are not trusted people, then do not include personal information such as addresses, phone numbers, and other identifying features.
Users should also be careful about which links they click. If you receive a message from a friend and it seems suspicious, then contact that friend directly. Do not click on any links in messages or postings without knowing definitely that the site is safe. When in doubt about links, go to the source directly and navigate to the appropriate information.
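As an added illustration of the link advice above (not part of the original article), this Python check flags links in a message whose visible text names a site you trust while the real target is a different host. The allowlist, the function and class names, and the sample message are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the sites the reader actually signs in to (hypothetical allowlist).
TRUSTED_HOSTS = {"twitter.com", "facebook.com"}
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed sample message body, not taken from a real incident.
SAMPLE_MESSAGE = (
    '<p>Check this out: <a href="http://twitter.com.example.net/login">'
    'twitter.com/login</a> or my page at '
    '<a href="https://www.facebook.com/profile">facebook.com/profile</a></p>'
)

def is_trusted(host):
    """True if host is a trusted host or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element in a message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(message_html):
    """Links whose text names a trusted site but whose target host is not one."""
    collector = LinkCollector()
    collector.feed(message_html)
    flagged = []
    for text, href in collector.links:
        names_trusted = any(is_trusted(h) for h in HOST_IN_TEXT.findall(text))
        if names_trusted and not is_trusted(urlsplit(href).hostname):
            flagged.append((text, href))
    return flagged

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_MESSAGE))
```

The check only catches links whose visible text contains a host name; a link labelled with plain words still needs the manual step of going to the site directly.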
Social networking sites are aware of online attackers and many sites may have their own security in place. For example, Facebook users can become fans of ‘Facebook Security’ to receive updates and information on how to protect their identities on the site. Additionally, if Facebook notices an account that is sending an unusually large number of messages, they may freeze that account. Even with security in place by the sites, users should still be aware of the potential threat of stolen information. It is still the responsibility of users to take steps to protect themselves.