Back in January, friends of Seattle, Wash., resident Bryan Rutberg were stunned when they read e-mails from his Facebook account accompanied by his photo. In the messages, Bryan appeared to claim he was in big trouble and that he needed their help.
At least one friend wired him money. However, Rutberg wasn’t really in trouble and needed no assistance: his Facebook account had been hijacked by cybercriminals, who were the ones sending the messages.
This is just one of the cyberscams that have hit Facebook, the world’s leading social networking site.
Facebook’s size and rapid rate of growth attract cybercriminals the way honey attracts flies. However, it’s not only everyday users who are at risk. Because Facebook has tie-ins with several vendors offering software to the business community, corporations are at risk too.
Social networking sites are attractive to cybercriminals because they must stay open in order to attract new members. That openness often runs counter to the basic philosophy of data security, which is what makes such sites hard to secure.
Other Facebook Scams
In cases like Rutberg’s, a criminal tricks a user into giving up credentials such as a password (a practice known as “phishing”), then uses them to take control of the person’s account. From there, the phisher can run any number of plays, for instance posing as the account holder and persuading that person’s friends to wire money to an account the criminal controls. Between April and May of this year alone, there were three major phishing attacks on Facebook involving large numbers of users.
February saw spammers hijack the “5,000,000 against the new version of Facebook” page on the Facebook site. They sent various “spamvertisements” to the page’s more than 1.5 million members.
Malware authors have also struck at Facebook — since last year, the Koobface worm and at least one variant have repeatedly hit the site.
Why Social Networking Sites?
Facebook is certainly not alone in this. LinkedIn, a social networking site for professionals, has been hit too. MySpace used to get hit quite regularly — until Facebook’s growth left it in the dust.
Why have social networking sites become such prime targets for hackers, malware authors and other cybercriminals?
One reason is that people love them. Social networking sites account for 10 percent of all the time people spend on the Internet, according to research firm Nielsen Online. Two-thirds of people on the Internet (the digital universe, so to speak) in the U.S., Europe, Brazil and Australia visit social networking or blogging sites.
The numbers are staggering: the so-called digital universe totals almost 156 million people in the U.S., Nielsen spokesperson Michelle McGiboney told TechNewsWorld. In the UK, more than 29 million people go on the Internet; and in Brazil the number is more than 25 million. If two-thirds of these people visit social networks, the numbers are just too large for many scammers to ignore.
Gotta Keep Growing
Another reason cybercriminals love social networking sites is that these sites have to remain easily accessible in order to grow their memberships.
“It’s critical to a social networking site’s success and popularity to let members share data and Web tools and dynamic gadgets,” Ryan Barnett, director of application security research at Breach Security, told TechNewsWorld.
Security practitioners generally prefer the opposite: fewer ways in and less functionality exposed to untrusted users.
“From a security perspective, however, this increased flexibility means increased risk of abuse of functionality,” Barnett added.
Can these conflicting forces be resolved and social networking sites made safe?
The Path of the Righteous Is Hard
Facebook has been working to secure its site, spokesperson Barry Schnitt said. In addition to developing technologies to prevent, detect and reverse attacks on users, it works with security organizations like the Microsoft Malware Protection Center.
It also runs user education campaigns on its blog and promotes secure practices on its security page.
“The combination of these efforts has limited the number of Facebook users impacted by security issues to less than 1 percent since the founding of the site more than five years ago,” Schnitt told TechNewsWorld. “By way of comparison, in 2005, the latest statistics provided by the Department of Justice, 29.5 of every 1,000 U.S. homes, or 30 percent, were burglarized.”
However, it still hurts to be part of the less than one percent of Facebook users nailed by a security issue. Ask Rutberg — he was locked out of his account for a week, and his friend lost the $1,200 he had wired to the cybercriminal.
Safe Social Networking Practices for Business
Enterprises are leveraging Facebook through its tie-ins with software vendors — such as online CRM vendor Salesforce.com and IBM’s Lotus Notes division — in order to build customer communities and, hence, loyalty. However, that’s a two-edged sword.
“It makes sense to get close to customers, but you’re also potentially opening yourself up for infection,” Graham Cluley, senior technology consultant at antivirus vendor Sophos, told TechNewsWorld. Companies should include security solutions in their IT infrastructures that scan every Web page or link users access to see whether it is malicious, he said.
Corporations should also educate users not to use the same password for all sites they log in to, Cluley recommended, and to devise strong passwords.
Being Open Is the Key
Though the user name and password combination is the authentication method most familiar to computer users, it is not necessarily the most effective.
“That combination is clearly not secure and can be broken in many ways,” Fran Rosch, senior vice president at VeriSign, told TechNewsWorld.
Facebook’s Schnitt disagrees. “User name and password are an industry solution, and billions of people use this method of authentication every day,” he said, adding that Facebook implements additional security measures such as blocking access after too many tries to guess a password.
Still, social networking sites don’t want to look at more strict and more complex security measures because they want to grow their user bases, according to Rosch. “We’ve had conversations with Facebook and MySpace and they tell us ease of use and openness mean much more to them than security,” he said.
That’s the point, Facebook’s Schnitt said. “Facebook is a tool for connecting and sharing with others; the very purpose of the site is to communicate and share.”
Using Two-Factor Authentication
Social networking sites should use two-factor authentication, VeriSign’s Rosch said. This consists of something you have and something you know.
The something you have would be your computer or mobile phone, which would host an agent from VeriSign that authenticates the user’s device. The password is the other part of the equation.
VeriSign offers two-factor authentication through its VeriSign Identity Protection (VIP) service. The software agent can be set to expire at a particular time, so that the user can replace his computer, and, according to Rosch, it cannot be stolen remotely. “It will break if someone tries to steal it over the Internet,” Rosch said.
Getting to Know You
Another option is offered by Purewire, which secures business and social interactions on the Internet. Purewire has set up PurewireTrust.org, a free online reputation checking service that lets users check and verify the identities of other people online. Established in March, this is still in beta.
PurewireTrust.org stores information on people gleaned from their Web identities and automatically cross-checks data from different sources to verify its accuracy, Steve Webb, research scientist for Purewire and PurewireTrust.org, told TechNewsWorld.
PurewireTrust.org has been integrated with the Facebook Connect single sign-on service to improve security for users who are Facebook members. “We know about hundreds of thousands, if not millions, of people through their e-mail addresses, and the identities of thousands of people who sign on through Facebook Connect,” Webb said.
“Somebody needs to be the clearinghouse of online identity, and we’re trying to be the Google of online identity.”