Social Networking

My mother's maiden name and other secrets

The spread of social networking is making it easier for fraudsters to steal your identity, so keep your family's names to yourself

Most information and IT security departments have spent many years and countless millions protecting their corporate IT facilities from hackers. Yet while they're barricading the electronic walls of their organization, they've often overlooked the human factor, which frequently comes in the form of polite, charming people with the ability to extract vital personal details from employees and consumers.

These chameleon characters blend in easily and often go by the nickname of 'social engineers'. As the world-renowned hacker Kevin Mitnick explains in the book The Art of Deception: Controlling the Human Element of Security: "It is human nature to trust our fellow man, especially when a request meets the test of being reasonable."

A clever social engineer may strike up an apparently innocent conversation at a bus stop with a lady with her dog. A couple of banal questions later she's released the name of her first pet. Over time the fraudster may manage to elicit further snippets of information until he/she has the passwords for banking and other personal finances, enabling impersonation, identity cloning and, finally, account takeover.

It's good to share... or is it?

In the past few years the task of such criminals has been made a whole lot easier with the rise of social and business networking sites such as Facebook, MySpace, Bebo and LinkedIn. As their popularity booms, an increasing number of people are cataloguing, indexing and archiving the details of their lives on the web.

Many of us, it seems, are quite happy to share data online that we wouldn't tell anyone face-to-face. On Facebook there is even a quiz entitled: "How well do you know me?" It encourages users to complete a questionnaire to test their 'friends' by asking them questions such as: "What is my mother's full name?" "What was the name of my first pet?" "What are the names of my children?"

By cruising through various sites, it's all too easy to build up an impressive understanding of an individual's personal profile, stopping off at Facebook for educational details, before moving on to LinkedIn to pick up career history.

Which brings us back to your mother's maiden name. We're all aware of the questions we get asked either online or over the phone to access a bank or other financial service. These may well include your mother's maiden name, date of birth, memorable address, memorable date and pets' names. And passwords, as every fraudster and opportunist knows, often relate to personal details such as loved ones' names, birthdays and so on, all of which may be available online. It's low-hanging fruit just waiting to be plucked by a cunning cyber-thief.

Keep it to yourself

In the same way that those using cashpoints have grown accustomed to guarding their PINs from prying eyes, so employees and consumers must learn to exercise caution with personal account and log-in details. The financial services industry, regulators and professional services firms all have a role to play in educating customers on the importance of personal security.

There has been some progress. Many online banking websites remind customers to keep their password safe and use only trusted computers. However, much more is needed, possibly in the form of partnerships with the social networking sites themselves. Employers also have a role to play in keeping criminals at bay, and there are more cases of employees being disciplined for Facebook misuse.

The hunting ground of the social engineer may have shifted from the bus stop to cyberspace. But by making people more aware of the value of personal data - no matter how apparently innocuous - perhaps we'll all learn the old-fashioned truism that some things are just meant to stay private.

 

By Francis Beaudoin, KPMG in Canada (fbeaudoin@kpmg.ca)