The concept of identity theft has long been a theme of the science fiction world. Jack Finney’s 1954 classic novel, Invasion of the Body Snatchers (later adapted into film no less than four times), is driven by uncertainty over who is a clone — duplicated by an amorphous extra-terrestrial race — and who remains human.
While the consequences are certainly more mundane, and the means more temporal, online identity theft is presenting a similar real-world scenario that has the potential to affect anybody with Internet access.
Take, for example, the case of Fafi Merhi, who has now had parts of her profile “cloned” on Facebook twice. In both instances, Merhi says, the perpetrator created an account under a different name from hers while using all of her pictures. She or he then attempted to add her friends, and then afterwards their friends, and on a few occasions (that she was told about) sent messages to contacts with ambiguous come-ons such as “Let’s get to know each other”.
As far as she knows, the culprit had no financial motivation, and was most likely a “friend” or “friend of a friend”, since they would have had to have access to her photographs and list of contacts. When a tech-savvy friend gained access to the impostor’s affiliated email address, Merhi disconcertingly discovered that it was [email protected].
“I don’t know what satisfaction they could get out of this. Honestly, I felt sorry for this person,” she says. Sympathy aside, the consequences of cloning can be dire, especially since reporting security breaches on Facebook is a notoriously slow process. Merhi’s first clone account was up for six months before it was taken down, despite repeated complaints submitted through Facebook’s online security form.
“Consider if Fafi was working in a government position,” says Michael Chaftari, CEO of newly launched Beirut-based social media monitoring company Fetch. “Someone could seriously damage her reputation.”
‘Social engineering’
While online risks are typically associated with malicious software, predators increasingly target users’ anticipated behavior. This, says Chaftari, is known as “social engineering”, a cynical approach to information gathering that manipulates a user’s proclivity to trust. This can come in elaborate forms, from pop-up windows that pretend to be a trusted site asking for a user name and password, to rummaging through garbage bins in search of clues about passwords, social security details and other sensitive information.
In the case of Facebook, fake accounts are the most common channels for social engineering. If a beautiful, scantily clad woman with no mutual friends invites you on Facebook, it is best to resist the temptation. Same goes for shirtless men, or any stranger for that matter.
With faster speeds in Lebanon an eventual reality, the nature of Internet usage is bound to change. Online shopping, for example, will no doubt increase, as companies are finally able to adapt to the 21st century. But as the usefulness of the Internet in Lebanon increases, the need for vigilance will rise accordingly as sensitive information will be more frequently submitted online.
“Your online presence is no longer limited to communication,” Chaftari says. “People are using the Internet for more serious things.” While Facebook remains a largely light-hearted social platform, it can be the gateway for predators to access more sensitive information.
With this in mind, Executive enlisted the help of Victor Sawma, chief technology officer and partner at NetDesignPlus and a lecturer at Notre Dame University in Lebanon, to dissect the risks of Facebook to the everyday user and to explain what he or she can do to protect themselves.
What are the potential security risks of using Facebook?
Connecting people is the goal and soul that drives this giant social network. But with each of Facebook’s innovative new methods to communicate — such as the ‘Places’ application, which is essentially an opt-in online tracking device — come new risks to users’ security. With that in mind, Facebook is constantly trying to create a balance between the two; these efforts have increased lately with the release of Google+, which was advertised as an antidote to Facebook’s security “minuses”, a key feature for users to make the migration to a new platform. Facebook’s response was a rash of security upgrades, such as more finely tuned privacy controls and increased default security settings.
From a security perspective, Facebook is prone to the following issues:
Identity integrity: This is directly related to when somebody else tries to pretend to be you or even to be your business and abuse your social relations. This is very common lately on Facebook, especially at the personal level. But it is also possible in some cases to see this taking place at the business level by somebody creating a business page for a competitor through a fake account for the sole purpose of harming the image of that business.
Personal/business privacy: This is related to information being leaked to other parties, whether directly or indirectly. It is not necessary for Facebook users to write about something for other people to know about it. The existence of a relationship, along with photos and status updates, is more than enough, in the majority of cases, to allow other people to learn about information that you did not intend to tell them about.
Trust-relay issues: Facebook users are expected to trust applications — additional programs that exist within the structure of Facebook — by giving them access to personal, and sometimes sensitive, information. The majority of users do not realize how harmful this can be. For example, why would an application need access to publish on your wall if, at the same time, it claims that it will not tell anybody anything without your previous consent? The majority of users do not question why a certain application is requesting permission to certain information. They trust that application simply because it comes from Facebook.
What can users do to protect themselves?
The only protection that Facebook users can have is awareness. They have to learn what permissions are about, how the social network (called the social graph) of Facebook works, and so on. But it is not an easy task, even for security experts. We end up, in many cases, uncovering potential risks that can arise from certain permissions or activities. As a start, Facebook users must consider giving permissions at the minimum level needed. They must also remember that giving an application permission once means that this application will gain access to the information that it needs (name, email, gender, friends list, etc.) and will still have that information even if that permission was denied later on. The majority of applications, if not all, save the information that they need once permission is granted.
Is there any defense against cloning?
Any person (real or virtual) who knows or has access to your information can attempt to clone your profile. Who can access sufficient information to do so convincingly depends on your own privacy settings. Recent updates to Facebook’s privacy functions now mean that users have more control than ever over who can access their content; almost every facet of a Facebook user’s online presence can be designated as visible to either just their friends, friends of friends or be left completely unrestricted, visible to (and thus able to be ‘cloned’ by) anyone. Facebook also allows users to narrow this down further by creating specific lists of friends who are able to access their ‘wall’, profile updates and photographs. Users are also now able to embargo ‘tags’ in friends’ photos and restrict who can see any tags that they do choose to accept.
Where does Facebook go from here?
Facebook is currently undergoing dramatic changes at the security level in general, and at the privacy and access control level in particular. A re-engineered news feed now allows users to better control what is being written about them by friends, family and other parties. Users are also now being asked about certain sensitive posts before Facebook posts them within their News Feed. Sawma believes this process will continue in the coming few months as Google+ pushes more and more into the social network market share.