The term Identity Theft is usually assumed to be related to a malicious entity abusing someone’s credit information to commit financial fraud. This continues to be a big problem, but I’d like to extend the problem of identity theft in the social-networking aspects of so-called Web 2.0 applications. I feel this is an important topic of discussion because, unlike technical vulnerabilities that can be remediated with a software patch, the problem at hand is a design issue that poses significant risks to society’s ability to securely leverage the usefulness of social networking.
Before I go any further, I’d like to make it extremely clear that I am a big advocate of the emerging online social networking applications. I feel the new paradigms of sharing offered by some of the new services today have changed the way we interact for the better and I am personally delighted to be a part of this culture shift. I also feel that information security should act as an enabler by helping understand the security consequences in design and implementation in addition to a discussion of risk and remediation. In no way, shape, or form is the purpose of this post to suggest that the concept of social networking is ‘bad’ or ‘evil’. The purpose of this post is solely to (informally) discuss concerns in order to work towards a more secure way of dealing with these new systems.
I’d also like to deal with the most common knee-jerk reaction to the topic: people are the easiest target, so there is no point in even trying. It is true that people are the easiest attack vector, but I don’t think it helps the situation any when we start out thinking about the problem in this way. People are indeed an easy target, but it is the people’s self-interest we are trying to protect in the first place. The job of information security is to make it harder for people to do wrong things.
Getting back on topic: the fundamental problem with online social networking services is that they offer no way of authenticating a given identity. This may not appear to be a big issue at the moment, but I feel this will start (perhaps already has to a certain extent) to become a security nightmare and a social engineer’s dream come true. Our privacy, reputation, and identities are at stake.
The concept of the potential abuse of online social networking services is not new. I am not the first to talk about this topic. There has been a lot of discussion on this issue amongst the security community over the past few years. What I’d like to do here is enumerate a few concerns that I have been pondering over and try to spread a little more awareness.
I’d like to select LinkedIn, the popular social networking service, to illustrate my concerns. Other social networking sites (examples: Digg, del.icio.us, Facebook, Flickr, Myspace, Orkut, Twitter, etc) are also similarly susceptible, but I’d like to stick to LinkedIn for the sake of brevity.
Assume that you are in the consulting business. In this situation, your client points of contact are extremely important to you, and you probably wouldn’t want to share your address book with your competitors. Your address book is your intellectual property, which you want to share with people in a way that is mutually beneficial, and this is indeed what LinkedIn is all about. Unfortunately, this is hard to do in a secure way because LinkedIn does not offer a way to authenticate identities. At most, LinkedIn relies upon email as the identity token, and this is hardly a reliable (or even feasible) method of identification: people have multiple email addresses, some use their work email address, and some prefer to use their Yahoo or Gmail accounts. With the prior scenario in mind, an easy way to grab hold of a competitor’s address book on LinkedIn is to get them to ‘connect’ to you:
a. Think of an individual the target LinkedIn member may know.
b. Create an email address with the name of this individual using email@example.com. You can go as far as creating a similar looking domain name of the company the individual may work at (
c. Create a profile on LinkedIn with the name and e-mail address of the individual.
d. Send an invitation to the target using the new LinkedIn account, and wait for the target to accept.
e. BONUS: Other people the target is connected to will notice that he or she has added a new friend (the individual you picked). Should the individual happen to be a mutual friend of these people, they will likely attempt to connect to your new LinkedIn profile, offering you even more details into the network of the target.
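The weak point in the scenario above is that the email address is the only identity token, so a defender’s best cheap check is to compare the inviter’s sender domain against the employer domain already on file for that contact, and to flag free webmail and lookalike domains. The following is an added example (not part of the original post or of LinkedIn) with a constructed address book and hypothetical domains:

```python
import unicodedata

# Constructed sample address book: contact name -> the employer domain you
# know them by (hypothetical values for this example).
KNOWN_CONTACTS = {"jane doe": "acme-consulting.com"}

# Free webmail providers: a real mailbox, but it proves nothing about identity.
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com"}

# Digits that commonly stand in for letters in lookalike domains.
DIGIT_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_domain(domain: str) -> str:
    """Fold a domain to a canonical form so lookalikes collapse onto the original."""
    folded = unicodedata.normalize("NFKD", domain.strip().lower())
    folded = folded.encode("ascii", "ignore").decode()  # drop accents and combining marks
    folded = folded.translate(DIGIT_GLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_invitation(name: str, email: str, contacts=KNOWN_CONTACTS) -> str:
    """Classify an inviter by comparing the sender domain with the domain on file."""
    expected = contacts.get(name.strip().lower())
    if expected is None:
        return "unknown"      # nobody by that name in the address book: vet out of band
    domain = email.rsplit("@", 1)[-1].strip().lower()
    if domain == expected:
        return "match"
    if domain in FREE_MAIL:
        return "unverified"   # anyone can register a webmail address in any name
    if normalize_domain(domain) == normalize_domain(expected):
        return "lookalike"    # homoglyph substitution, e.g. "rn" for "m", "0" for "o"
    if edit_distance(normalize_domain(domain), normalize_domain(expected)) <= 2:
        return "lookalike"    # typo-squat of the real employer domain
    return "mismatch"


if __name__ == "__main__":
    for who, addr in [("Jane Doe", "jane@acme-consulting.com"),
                      ("Jane Doe", "jane@acrne-consulting.com"),
                      ("Jane Doe", "jane.doe@gmail.com")]:
        print(who, addr, "->", assess_invitation(who, addr))
```

Anything other than "match" is a prompt to confirm the invitation through a channel you already trust (a phone number or address from your own records, not from the profile).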
This example is specific to LinkedIn, but the idea applies to other services as well. This problem is likely to grow in severity as society becomes reliant on online social networking without a secure way of identifying whom it is you are networking with.
In order to be a part of a mutually beneficial social system, people have to share information with each other for the system to work. In this situation, the issue of keeping critical information a secret is the most obvious one. Given the sheer excitement and instant benefit of the social applications today, it is very difficult to maintain self-discipline on what sort of information you are about to give away.
Another issue I’m interested in at the moment is the potential of remote behavior analysis. For example, I’ve noticed that people who start looking for new jobs have a tendency to add a lot of new contacts on LinkedIn in a short period of time. This may be an issue for someone who doesn’t want his or her current employer to know. I feel that we are likely to see more formal methods of this type of behavior analysis in the near future. Perhaps this may sound a tad far-fetched at the moment, but I can easily imagine the feasibility of a system that would spider for information about you to make a prediction of your current thought processes: What types of bookmarks are you tagging (del.icio.us)? What types of photographs are you tagging (Flickr)? What are you doing these days (Twitter)? What are your friends saying to you and about you (Facebook, Orkut, MySpace)? What kinds of things are you blogging about (this would work better for non-professional/personal blogs)? You get the idea.
As the popularity of search engines has increased, people have increasingly become aware that it is hard to erase personal footprints from the Internet. As with the privacy topic, it is hard to maintain this sort of self-discipline on what you say or do within the social networking paradigm for the sheer and instant gratification of the perceived benefits; the risk of losing reputation is only realized later on. I am not immediately interested in this problem because I feel this is the most obvious side effect of the system in general. What I am more concerned about is the problem of unfair perception. For example, we all like to share funny YouTube videos, but as researchers formalize the process of gathering data about an individual in this way, the result can lead to some amount of unfair analysis. Perhaps one example of this idea is the brilliant wikiscanner (“list anonymous wikipedia edits from interesting organizations”). It can be argued that wikiscanner can be used to accurately identify patterns that indicate an alleged conspiracy by a given company to edit or vandalize wikipedia for their benefit. But in all fairness, the situation is most likely to be a group of mischievous employees at the company.
Another problem at hand is that of someone assuming your identity whilst tarnishing your reputation. Even though there is no concept of a reliable identity mechanism in social networking applications today, people have a tendency to immediately believe what they read. For example, consider a scenario where someone sets up a profile on LinkedIn with your name to contain false information that is unflattering. This is likely to become a problem should a potential employer search for “your” profile.
One of the first things a malicious attacker will do before attacking the interests of a given organization or individual is to perform reconnaissance. Any publicly available information is a freebie and an aid to the attacker. The target in question can be an individual’s or an organization’s computer network and data. I invite you to check out Evolution, a fantastic (and free) tool that demonstrates how easy it is to obtain a wealth of information about a given person or organization.
So what are we to do? I think the first logical step is to spread awareness and comprehend the side effects of sharing information. We are sharing and communicating ideas like never before, and we need to comprehend the applicable risk-benefit ratios. From a technical perspective, something like OpenID seems to be a step in the right direction, but I think we still need an agreeable solution to link an individual with a given token-based identity.
From a philosophical perspective, maybe the cost of a popular individual-to-token identification system will negatively impact the usefulness of the Internet culture that thrives on a sense of anonymity. Perhaps the emergence of these social network services will impact cultures around the world to open up and be more accepting, thus eliminating some of the concerns outlined above. Thoughts? Feel free to comment below.