Social networking users expose passwords online
A CPP white paper, November 2011

Contents
1.1 Foreword
1.2 Background News
1.3 Research methodology
1.4 Key Findings
- One third (32%) of Facebook profiles contain at least two pieces of personal information
- Only one per cent of Facebook users had no data points on their public profiles
- The majority of people do not trust all of their Facebook 'friends'
- 18-24 year olds have, on average, more than 250 friends, but 81% say they do not trust all their Facebook friends
- Women and those aged 65 and over are the most trusting of their Facebook friends
- People are prepared to accept friend requests from a total stranger
- 9% said they would accept an invitation from a stranger if they were good looking or popular
- Six per cent of users allow anyone and everyone to see their entire profile
- 15% allow everyone to see their date of birth, which is a very common form of account verification
- One in four people are logged into their Facebook account most or all the time
- Only 14% said they had antivirus or security settings on their smartphones
1.5 Sample attacks
1.6 Conclusion
1.7 Safeguarding your identity
1.8 Further Information
1.9 About CPP
Introduction

1.1 Foreword

During September 2011 Jason Hart, CEO of CRYPTOCard Europe, was commissioned by CPP to perform a review of 250 public Facebook profiles. The scope of the assessment was to highlight any information that could relate to an individual's password and/or sensitive information and allow a potential targeted attack against the individual by means of social engineering.

Password choice is driven by psychology. People choose easy patterns on the keyboard, like '123456' or 'qazwsx', or their children's names, birth dates and favourite sports teams. By understanding a person and looking at their Facebook account it is very easy to use their social network profile to guess their password. The password may have a small twist: knowing that 'ronnie' is a popular password for football fans, an attacker would also try variants like 'r0nnie' or 'ronnie1234'.

During a period of four days, 250 public Facebook profiles were reviewed in order to see if any of the following information was present within the Facebook profile:
- Interests
- First school
- Hobby
- Pet's name
- Favourite football team
- Dates of birth
- Favourite football player
- The user's name
- Children's names
- Maiden name

Having the above information publicly present within Facebook leaves the user at risk of being targeted by an attacker using the information to guess the user's Facebook password or any other passwords that the user has in place for personal or business use.

The two largest forms of risk are:
- Password attacks by way of guessing (or 'brute force' attack), based on information uncovered within the public Facebook profile
- Targeted social engineering attacks

Social engineering is similar to hacking in that it is used to gain unauthorised access to systems or information to commit fraud, network intrusion, industrial espionage, identity theft or simple disruption. However, social engineering is generally much easier than technical intrusion (hacking), as it does not require technical know-how or background to be completed successfully. Rather, it simply involves using personal information. It is extremely difficult to prepare statistical evidence on the impact of such attacks on individuals because in most cases it will not be known when a social engineer has stolen information: the majority of attacks go unnoticed and unreported.
1.2 Background News

- Personal details of 10,000 people were stolen from their Facebook accounts and leaked online, according to a hacking group which claimed responsibility for the attack. The group, called Team Swastika, briefly posted the file which it said contained the user names and passwords of Facebook users.[1]
- Recently, a new software tool emerged which automates social engineering on Facebook. Unlike hacking software, this tool doesn't demonstrate any new theoretical security vulnerability. However, the automation of the social engineering process may have significant practical security implications, as it can be launched by every script kiddie.[2]
- The number of people falling victim to identity fraud is rising, with employees and members of the public not doing enough to protect themselves, experts have warned. A total of 80,000 cases were reported across the UK last year, with victims losing £1,190 on average.[3]
- Phone hacking fears dominate consumers' security concerns about new 'mobile wallet' payment systems and are likely to hamper UK adoption of new 'swipe and pay' smartphone systems.[4]
- Mobile malware increased 273% in the first half of this year, with cross-platform Trojans dominating the landscape.[5]
- 40% of mobiles lost or stolen in the last two years were not password protected.[6]
- According to internet service provider TalkTalk, more than eight million homes in the UK were targeted by cyber criminals in the first quarter of 2011, with problems ranging from bombardment by unwanted pop-up adverts to full-scale attacks. The Office for National Statistics said that 77% of homes have internet access, but more than a fifth of users do not believe they possess the skills needed to protect their personal data.[7]

References
[1] The Independent, 'Hackers claim Facebook attack', 19 October 2011
[2] Contingency Today, 'Automated Facebook identity threat', 20 September 2011
[3] The Scotsman, 'Victims of ID fraud losing £1,190 - and it's on the rise', 20 October 2011
[4] PRNewswire, 'Intersperience research reveals mobile payment security concerns', 14 October 2011
[5] SC Magazine UK, 'Mobile malware rockets this year', 12 September 2011
[6] Walletpop, 'Would you lose everything if you lost your mobile phone?', 13 September 2011
[7] Managed Hosting News, 'Cyber criminals targeted 8.5m UK homes in Q1', 21 September 2011
1.3 Research Methodology

ICM interviewed a random sample of 2,030 adults aged 18+ online between 9-11 September 2011. Surveys were conducted across the country and the results have been weighted to the profile of all adults. ICM is a member of the British Polling Council and abides by its rules. Further information at www.icmresearch.co.uk

During September 2011, Jason Hart was commissioned by CPP to perform a review of 250 public Facebook profiles, to identify any information that could relate to an individual's password and/or sensitive information that could allow a potential targeted attack against the individual. At no point during the research was any user's data or online webmail account compromised.

1.4 Key Findings

One third (32%) of Facebook profiles contain at least two pieces of personal information

The audit of Facebook profiles showed that one third of Facebook profiles contain at least two pieces of personal information such as their mother's maiden name, date of birth, hobbies or children's names. 27% of the profiles contained three pieces of personal information and five per cent had more than six pieces of personal information. Only 1% of Facebook users had no data points on their public profiles. Because this information is often used as a password or as an answer to a security question when users look to reset their online account log-in details, we can conclude that people are freely adding and publicly showing sensitive information on their Facebook profiles that can be used against them to either guess or socially engineer their passwords.

[Pie chart: How much data was given by each profile? Categories: 1 piece, 2 pieces, 3 pieces, 4 pieces, 5 pieces, more than 6 pieces, no data. Source: Jason Hart, based on 250 random public Facebook profiles, September 2011.]
[Bar chart: People revealing data on public Facebook profiles. Individual pieces of data per information type: first school, children's names, interests, football team, employer, email, hobbies, maiden name, favourite player, pet's name, dates of interest. Source: Jason Hart, based on 250 random public Facebook profiles, September 2011.]

The majority of people do not trust all of their Facebook 'friends'

Only 36% of Facebook users profiled trust all of their friends. As the most active social media users, those aged 18 to 24 are the most likely to publicise their personal information, and often to complete strangers. This age group has on average more than 250 friends, but 81% say they do not trust all of their Facebook friends. Unsurprisingly, the number of Facebook friends decreases with age: 18 to 24 year olds (261 friends), 25 to 34 year olds (196 friends), 35 to 44 year olds (120 friends), 45 to 54 year olds (93 friends), 55 to 64 year olds (65 friends), 65 and over (47 friends). Women and those aged 65 and over are most trusting of their Facebook friends.

When we asked over 2,000 people if they had ever been a victim of identity fraud that originated from someone accessing details from any of their social media accounts (Facebook, Twitter and LinkedIn), 6% said they had, with 10% of 25-34 year olds claiming to have been a victim of identity fraud via details taken from their profiles. Given that identity fraud is a growing crime, this statistic is high and points to an area of vulnerability.
[Bar chart: percentage of people who trust all their Facebook friends, by group: all respondents with a Facebook account (36%), male, female, 18-24, 25-34, 35-44, 45-54, 55-64, 65+. Values shown range from 19% to 57%.]

[Bar chart: Q: To your knowledge, have you ever been a victim of identity fraud that originated from someone accessing details from any of your social media accounts (Facebook, Twitter and LinkedIn)? Yes/No by group: all respondents with a Facebook account, male, female, 18-24, 25-34, 35-44, 45-54, 55-64, 65+. 'Yes' responses range from 3% to 10%.]
People are prepared to accept friend requests from a total stranger

One third (33%) of people admit to accepting an invitation from people they have never met before, with those aged 18-24 most likely to accept a friend request from a total stranger (50%). Men were more likely (37%) to accept friend requests from total strangers than women (29%), although both figures are surprisingly high. When we asked 'why', a small but significant minority (9%) said they would accept an invitation from a stranger if they were good looking or popular. Some Facebook users would also accept invitations simply so they can boost the number of friends they have on their profiles. 15% of Facebook users have not seen or spoken to many of their friends in over ten years.

[Bar chart: Q: Have you ever accepted a friend request on Facebook from a stranger, i.e. someone you don't know and have never met in real life? Yes/No by group: all respondents with a Facebook account, male, female, 18-24, 25-34, 35-44, 45-54, 55-64, 65+. 'Yes' responses range from 16% to 50%.]

Six per cent of users allow anyone and everyone to see their entire profile

Over half (52%) of the social networkers questioned had received friendship requests from strangers. And despite media publicity around Facebook privacy and security, as well as identity fraud which shows no sign of abating, 6% allow anyone and everyone to see their entire profile. 15% of people allow everyone to access their date of birth, which is a very common security question both for online accounts and for contact centre account verification.
More concerning, however, is that 'friend' status means a lot more information is accessible. With many users accepting friend requests from people they do not know, and two-thirds of people not trusting all their Facebook friends, many users are potentially putting their identities at risk. This is surprising given that 49% of people are aware that it is possible to use personal information accessible on Facebook or other social networking sites in order to commit identity fraud. Indeed, 55% of 18-24 year olds understand this, yet they are the people most likely to have the most friends and least likely to trust them all.

Separately, one in four people are logged onto the site all or most of the time. Given that an increasing number of people access Facebook from their smartphones, we have a developing situation where they are leaving themselves open to impersonation should their handsets be lost or stolen. When questioned further on their handset security, only 14% said they had antivirus or security settings on their smartphones.

[Bar charts: Q: Who can access the following on your Facebook profile? Categories: your status, photos and posts; bio and favourite quotations; family and relationships; photos and videos you're tagged in; religious and political views; birthday; permission to comment on your posts; places you check into; contact information. Responses: everyone, friends of friends, friends, no one.]
Examples of how personal details visible on Facebook can be used by hackers:

Information type | Potential impact | Risk factor
First school | First school is often used as a security question on web-based applications and social networks | High, if used as the answer to web-based security questions
Employer | An attacker can use this information to conduct a social engineering attack targeting the user's employer | Medium to high; risk to both the user and the employer
Dates of interest | People who publicly display their date of birth are open to different forms of identity fraud | High, as date of birth is used by most banks as one form of identification
Email address | Makes the user a potential target for password reset attacks and is a potential starting point for spear phishing attacks | Medium to high, depending on whether the user is using a web-based email address
Maiden name | People who publicly display their maiden name also leave family members open to different forms of identity theft | High; maiden name is used by most banks as one form of identification
1.5 Sample Attacks

The review concludes that people are freely adding sensitive information to their Facebook profiles without understanding the possible implications of the data being publicly available. There are several methods to attempt to determine a user's password, based on information posted on the user's social network profile.

- Looking for answers to password reset questions. Users of social networks sometimes inadvertently reveal information that could be used to reset passwords, either on the social network itself or on popular webmail services such as Google, Hotmail and Yahoo! Mail. For example, on a user's Facebook profile you are likely to find information like mother's maiden name, place of birth, the colour of their first car and so on. These questions are similar, if not identical, to those used by many password reset functions of popular webmail or even online banking services. If an attacker can gain access to the user's webmail account using this method, all it takes is using the password reset functionality on the social network to send a new password (or reset link) to the e-mail account, which is now under the attacker's control.
- Guessing the password. It may seem trivial, but based on the public information you find on a user's Facebook profile, you can guess the password. For example, try their favourite foods and drinks, family names, as well as hobbies and sports teams.
- Creating a word list. There are a number of tools available on the web that can collect keywords from a web page (such as a Facebook profile) and put them into a wordlist. Once the list has been created it can be used to conduct a 'brute force' password attack. The success of the attack depends largely on how well the web application being targeted employs any brute force prevention mechanisms, such as rate limiting or account lockout.

In order to show an example of an attack we have taken one of the profiles uncovered during the audit and have seen whether it would be possible for an attacker to undertake a password reset attack on this user's webmail account.

The attack is based on a five step process:
- Uncovering the webmail address on Facebook
- Accessing the password reset webpage for the target webmail account
- Forcing the webmail service to reveal the secret question
- Reviewing the Facebook profile to find the answer to the secret question
- Resetting the webmail password

In order to show the process in action, please refer to the screen shots below. At no point during the Facebook audit or writing this report was any user's data or webmail account compromised.
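The wordlist approach described above, combined with the 'small twist' variants mentioned in the Foreword ('r0nnie', 'ronnie1234'), as an added example that is not code from the CPP paper or from Jason Hart's audit: it takes the information types the audit looked for, turns them into base words, applies case, leet and suffix mangling, and reports whether a candidate password would fall to the resulting list. The profile values, field names, leet map and suffix list are all assumptions constructed for illustration; no real account data is used.

```python
"""
Added example, not code from the CPP paper or the audit it describes: build a
password-guessing wordlist from the profile fields the paper lists, apply the
'small twist' variants it mentions (r0nnie, ronnie1234), and test whether a
candidate password would fall to the resulting list.

All profile values, field names and mangling rules below are assumptions made
for illustration; the profile is constructed, not taken from any real account.
"""
import re

# Constructed sample profile using the information types from the paper's audit list.
PROFILE = {
    "name": "Ronald Smith",
    "football_team": "Leeds United",
    "favourite_player": "Ronnie",
    "pets_name": "Biscuit",
    "childrens_names": ["Amy", "Jack"],
    "first_school": "St Mary's Primary",
    "maiden_name": "O'Brien",
    "date_of_birth": "14/03/1978",   # dd/mm/yyyy, as on a UK profile (assumed format)
}

# Common 'leet' substitutions (assumed set); 'ronnie' -> 'r0nnie' is one of these.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
# Digit and symbol suffixes people bolt onto a word; 'ronnie1234' comes from here.
SUFFIXES = ["", "1", "12", "123", "1234", "!", "2011"]


def base_tokens(profile):
    """Extract candidate base words from every profile field.

    Each word of three or more letters becomes a token, and multi-word fields
    are also joined ('Leeds United' -> 'leedsunited').
    """
    tokens = set()
    for value in profile.values():
        for text in (value if isinstance(value, list) else [value]):
            words = re.findall(r"[A-Za-z]+", text)
            tokens.update(w.lower() for w in words if len(w) >= 3)
            if len(words) > 1:
                tokens.add("".join(words).lower())
    return tokens


def dob_tokens(dob):
    """Digit strings an attacker would append from a dd/mm/yyyy date of birth."""
    day, month, year = dob.split("/")
    return {year, year[2:], day + month, day + month + year, day + month + year[2:]}


def mangle(token, extra_digits):
    """Produce the 'small twist' variants of one base word."""
    forms = {token, token.capitalize(), token.upper()}
    # Single-character leet swaps ('r0nnie') and the fully substituted word ('r0nn13').
    for plain, leet in LEET.items():
        if plain in token:
            forms.add(token.replace(plain, leet))
    forms.add(token.translate(str.maketrans(LEET)))
    variants = set()
    for form in forms:
        variants.update(form + s for s in SUFFIXES)
        variants.update(form + d for d in extra_digits)
    return variants


def build_wordlist(profile):
    """Full candidate list for a profile; this is what a cracking tool would be fed."""
    digits = dob_tokens(profile["date_of_birth"]) if "date_of_birth" in profile else set()
    wordlist = set()
    for token in base_tokens(profile):
        wordlist |= mangle(token, digits)
    return wordlist


def is_guessable(password, profile):
    """True if the password appears in the wordlist derived from the profile."""
    return password in build_wordlist(profile)


if __name__ == "__main__":
    words = build_wordlist(PROFILE)
    print(f"{len(words)} candidates generated from {len(PROFILE)} profile fields")
    for candidate in ["r0nnie", "ronnie1234", "Biscuit1978", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {'guessable' if candidate in words else 'not in list'}")
```

The list is only a few thousand entries for a profile like this, which is well within what a guessing attack can try even against a service with lax rate limiting; that is the practical point behind the paper's note that brute force prevention on the target application decides whether this works. The same function is useful defensively: feed it your own public profile and check whether the password you actually use turns up.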
Step 1: A review of the Facebook audit showed that 9% of the profiles were publicly showing the user's webmail email address.

Step 2: Once an attacker has the e-mail address they are able to go to the webmail service indicated by the address's domain and click on the 'Forgot your password?' button. In this case we are using Hotmail as the example, but other webmail systems of the time worked in much the same way.

Step 3: The attacker is then requested to enter the email address of the account they are looking to reset.
Step 4: Reviewing the Facebook profile reveals the name of the user's favourite football team, which is the answer to the secret question.

Step 5: The attacker is able to reset the password and gain full control of and access to the user's e-mail account.

1.6 Conclusion

The review has shown that people are putting themselves at great risk by not knowing the potential threats of having their passwords guessed or hacked. Social networks are designed to allow sharing of personal information with others; without this sharing, social networks would cease to exist. However, protecting and controlling access to personal information does not seem to be a consideration for many users. The more information people share with the world, the more valuable and vulnerable they are to hackers. People need to understand that their privacy and risk of being a target is mostly dependent on what they are posting on Facebook and other social networking sites, as well as on how privacy settings are configured for each social network site they are a member of.
1.7 Safeguarding your identity

Danny Harrison is Head of Data and Identity Protection at CPP and offers the following advice to consumers to help protect them from data loss. Danny has over ten years' experience and is responsible for CPP's mobile phone assistance and insurance products that insure against lost, stolen and damaged handsets, and also assists people in the event of lost data. Danny is media trained across print and broadcast and is available for media interviews on the issue of data security and identity fraud.

Users have to start considering ways of mitigating risks by ensuring that they use some basic guidelines around password creation and management. With social networks, personal responsibility for information and data is key. The following recommendations will help prevent password guessing and 'brute force' attacks against users.

Have a unique password for every website: Suppose your Facebook account or webmail gets hacked and you have the same password for every website. You have then effectively compromised all the accounts that use that same password. Always create a unique password for each website you use.

Personal information: Ensure that you are not posting any personal information on Facebook that can be used against you, for example date of birth, mother's maiden name, email address etc.

Enable two-factor authentication: A number of web-based applications and social networking sites now give users the ability to remove reliance on static passwords by enabling two-factor authentication, so that a guessed or stolen password alone is no longer enough to take over the account.

Privacy settings on your social network profiles: Review the privacy settings on your social networks to ensure they meet your expectations. Social networks generally have default settings that allow everyone to view your information.

For further information please contact:
Nick Jones
Head of Public Relations
CPPGroup Plc
Holgate Park
York YO26 4GA
www.cppgroup.plc
Tel: 01904 544 387
E-Mail: nick.jones@cpp.co.uk
1.8 About CPP

Corporate Background Information

The CPPGroup Plc (CPP) is an international marketing services business offering bespoke customer management solutions to multi-sector business partners designed to enhance their customer revenue, engagement and loyalty, whilst at the same time reducing cost to deliver improved profitability.

This is underpinned by the delivery of a portfolio of complementary Life Assistance products, designed to help our mutual customers cope with the anxieties associated with the challenges and opportunities of everyday life.

Whether our customers have lost their wallets, been a victim of identity fraud or are looking for lifestyle perks, CPP can help remove the hassle from their lives, leaving them free to enjoy life. Globally, our Life Assistance products and services are designed to simplify the complexities of everyday living, whether these affect personal finances, home, travel, personal data or future plans. When it really matters, Life Assistance enables people to live life and worry less.

Established in 1980, CPP has 11 million customers and more than 200 business partners across Europe, North America and Asia and employs 2,300 employees who handle millions of sales and service conversations each year.

In 2010, Group revenue was £325.8 million, an increase of more than 12 per cent over the previous year.

In March 2010, CPP debuted on the London Stock Exchange (LSE).

What We Do:

CPP provides a range of assistance products and services that allow our business partners to forge closer relationships with their customers.

We have a solution for many eventualities, including:
- Insuring our customers' mobile phones against loss, theft and damage
- Protecting the payment cards in our customers' wallets and purses, should these be lost or stolen
- Providing assistance and protection if a customer's keys are lost or stolen
- Providing advice, insurance and assistance to protect customers against the insidious crime of identity fraud
- Assisting customers with their travel needs, be it an emergency (for example a lost passport) or a basic translation service
- Monitoring the credit status of our customers
- Provision of packaged services to business partners' customers

For more information on CPP please visit www.cppgroupplc.com

CPP is an award-winning organisation:
- Top 50 Call Centres for Customer Service, 2009, 2010 and 2011
- Finalist in the Plc Awards, New Company of the Year, 2011
- Winner in the European Contact Centre Awards, Large Team of the Year category, 2010
- Finalist in the European Contact Centre Awards, Best Centre for Customer Service and Large Contact Centre of the Year categories, 2010
- Finalist in the National Sales Awards, Contact Centre Sales Team of the Year category, 2010
- Finalist in the National Insurance Fraud Awards, Counter Fraud Initiative of the Year category, 2009
- Finalist in the European Contact Centre Awards, Large Team and Advisor of the Year categories, 2009
- Named in the Sunday Times 2008 PricewaterhouseCoopers Profit Track 100
- Finalist in the National Business Awards, 3i Growth Strategy category, 2008
- Finalist in the National Business Awards, Business of the Year category, 2007, 2009 and Highly Commended in 2008
- Named in the Sunday Times 2006, 2007, 2008 and 2009 HSBC Top Track 250 companies
- Regional winner of the National Training Awards, 2007
- Winner of the BITC Health, Work and Well-Being Award, 2007
- Highly Commended in the UK National Customer Service Awards, 2006
- Winner of the Tamworth Community Involvement Award, 2006; Finalist in 2008
- Highly Commended in The Press Best Link Between Business and Education, 2005 and 2006; Winner in 2007
