The term Identity Theft is usually assumed to refer to a malicious entity abusing someone’s credit information to commit financial fraud. This continues to be a big problem, but I’d like to extend the discussion of identity theft to the social-networking aspects of so-called Web 2.0 applications. I feel this is an important topic of discussion because, unlike technical vulnerabilities that can be remediated with a software patch, the problem at hand is a design issue that poses significant risks to society’s ability to securely leverage the usefulness of social networking.
Before I go any further, I’d like to make it extremely clear that I am a big advocate of the emerging online social networking applications. I feel the new paradigms of sharing offered by some of the new services today have changed the way we interact for the better and I am personally delighted to be a part of this culture shift. I also feel that information security should act as an enabler by helping understand the security consequences in design and implementation in addition to a discussion of risk and remediation. In no way, shape, or form is the purpose of this post to suggest that the concept of social networking is ‘bad’ or ‘evil’. The purpose of this post is solely to (informally) discuss concerns in order to work towards a more secure way of dealing with these new systems.
I’d also like to deal with the most common knee-jerk reaction to the topic: people are the easiest target, so there is no point in even trying. It is true that people are the easiest attack vector, but I don’t think it helps the situation any when we start out thinking about the problem in this way. People are indeed an easy target, but it is the people’s self-interest we are trying to protect in the first place. The job of information security is to make it harder for people to do wrong things.
Getting back on topic: the fundamental problem with online social networking services is that they offer no way of authenticating a given identity. This may not appear to be a big issue at the moment, but I feel this will start (perhaps already has to a certain extent) to become a security nightmare and a social engineer’s dream come true. Our privacy, reputation, and identities are at stake.
The concept of the potential abuse of online social networking services is not new, and I am not the first to talk about this topic. There has been a lot of discussion on this issue amongst the security community over the past few years. What I’d like to do here is enumerate a few concerns that I have been pondering and try to spread a little more awareness.
I’d like to select LinkedIn, the popular social networking service, to illustrate my concerns. Other social networking sites (examples: Digg, del.icio.us, Facebook, Flickr, Myspace, Orkut, Twitter, etc) are also similarly susceptible, but I’d like to stick to LinkedIn for the sake of brevity.
Intellectual Property.
Assume that you are in the consulting business. In this situation, your client points of contact are extremely important to you, and you probably wouldn’t want to share your address book with your competitors. Your address book is intellectual property that you want to share with people in a way that is mutually beneficial, and this is indeed what LinkedIn is all about. Unfortunately, this is hard to do in a secure way because LinkedIn does not offer a way to authenticate identities. At most, LinkedIn relies upon email as the identity token, and this is hardly a reliable (or even feasible) method of identification: people have multiple email addresses, some use their work email address, and some prefer to use their Yahoo or Gmail accounts. With the prior scenario in mind, an easy way to grab hold of a competitor’s address book on LinkedIn is to get them to ‘connect’ to you:
a. Think of an individual the target LinkedIn member may know.
b. Create an email address with the name of this individual using firstname.lastname@yahoo.com or firstname.lastname@gmail.com. You can go as far as creating a similar looking domain name of the company the individual may work at (@applee.com, @app1e.com, etc).
c. Create a profile on LinkedIn with the name and e-mail address of the individual.
d. Send an invitation to the target using the new LinkedIn account, and wait for the target to accept.
e. BONUS: Other people the target is connected to will notice that he or she has added a new friend (the individual you picked). Should the individual happen to be a mutual friend of these people, they will likely attempt to connect to your new LinkedIn profile, giving you even more visibility into the target’s network.
This example is specific to LinkedIn, but the idea applies to other services as well. This problem is likely to grow in severity as society becomes reliant on online social networking without a secure way of identifying whom it is you are networking with.
Privacy.
In order to be a part of a mutually beneficial social system, people have to share information with each other for the system to work. In this situation, the issue of keeping critical information a secret is the most obvious one. Given the sheer excitement and instant benefit of the social applications today, it is very difficult to maintain self-discipline on what sort of information you are about to give away.
Another issue I’m interested in at the moment is the potential for remote behavior analysis. For example, I’ve noticed that people who start looking for new jobs have a tendency to add a lot of new contacts on LinkedIn in a short period of time. This may be an issue for someone who doesn’t want his or her current employer to know. I feel that we are likely to see more formal methods of this type of behavior analysis in the near future. Perhaps this sounds a tad far-fetched at the moment, but I can easily imagine the feasibility of a system that would spider for information about you to make a prediction of your current thought processes: What types of bookmarks are you tagging (del.icio.us)? What types of photographs are you tagging (Flickr)? What are you doing these days (Twitter)? What are your friends saying to you and about you (Facebook, Orkut, MySpace)? What kinds of things are you blogging about (this would work better for non-professional/personal blogs)? You get the idea.
Reputation.
As the popularity of search engines has increased, people have increasingly become aware that it is hard to erase personal footprints from the Internet. As with the privacy topic, it is hard to maintain this sort of self-discipline on what you say or do within the social networking paradigm, given the sheer and instant gratification of the perceived benefits; the risk of losing reputation is only realized later on. I am not immediately interested in this problem because I feel it is the most obvious side effect of the system in general. What I am more concerned about is the problem of unfair perception. For example, we all like to share funny YouTube videos, but as researchers formalize the process of gathering data about an individual in this way, the result can lead to some amount of unfair analysis. Perhaps one example of this idea is the brilliant wikiscanner (“list anonymous wikipedia edits from interesting organizations”). It can be argued that wikiscanner can be used to accurately identify patterns that indicate an alleged conspiracy by a given company to edit or vandalize Wikipedia for their benefit. But in all fairness, the situation is most likely to be a group of mischievous employees at the company.
Another problem at hand is that of someone assuming your identity whilst tarnishing your reputation. Even though there is no concept of a reliable identity mechanism in social networking applications today, people have a tendency to immediately believe what they read. For example, consider a scenario where someone sets up a profile on LinkedIn with your name containing false and unflattering information. This is likely to become a problem should a potential employer search for “your” profile.
Reconnaissance.
One of the first things a malicious attacker will do before attacking the interests of a given organization or individual is to perform reconnaissance. Any publicly available information is a freebie and an aid to the attacker. The target in question can be an individual’s or an organization’s computer network and data. I invite you to check out Evolution, a fantastic (and free) tool that demonstrates how easy it is to obtain a wealth of information about a given person or organization.
So what are we to do? I think the first logical step is to spread awareness and comprehend the side effects of sharing information. We are sharing and communicating ideas like never before, and we need to comprehend the applicable risk-benefit ratios. From a technical perspective, something like OpenID seems to be a step in the right direction, but I think we still need an agreeable solution to link an individual with a given token-based identity.
From a philosophical perspective, maybe the cost of a popular individual-to-token identification system will negatively impact the usefulness of the Internet culture that thrives on a sense of anonymity. Perhaps the emergence of these social network services will impact cultures around the world to open up and be more accepting, thus eliminating some of the concerns outlined above. Thoughts? Feel free to comment below.
1. how do we solve the identification problem in real-life social networks (both formally & informally)?
2. are those solutions applicable to the virtual, on-line world?
two ways, one formal & one informal, that i can immediately think of are central authority & web-of-trust.
central authority: you go to an age-restricted club and the bouncer asks to see your ID. why? because he trusts the state government to verify what you look like and how old you are. is it a perfect system? no, as proven by 9/11 and the driver's license pranks on youtube, but it works well enough.
web-of-trust: you are meeting up with friends at a bar and a friend walks in with someone. you don't recognize the person, but you know your friend is very selective about who she socializes with, so you have no hesitancy greeting her and her guest. this compared to another friend who later walks in with someone, but she shows no discretion in picking up guys (like stray dogs), so you keep your distance (socially & physically).
or maybe you meet someone randomly and in talking learn you have a mutual acquaintance. the next time you speak to the mutual acquaintance you ask them about the person you met. (this is like paypal's verified/unverified user where you have limited privileges as an unverified user but can become verified at any time.)
we don't have government issued email addresses (except for government employees), but is there something similar (besides certificate authorities), though maybe not "official"?
for web of trust we have PGP, but what about applying those concepts to the web? maybe something as simple as a user's OpenID provider publishing an xml document listing OpenIDs and associated names that the user has personally verified and trusts. maybe have an aspect like OpenID where you are queried before you release your trusted list and you can choose to release a subset (you don't want your friend bob to know you are still friends with his ex-wife).
MySpace's repudiation system would work if there was a strong enough incentive, but when the goal is to have the most friends, who cares about validating usernames (everything to gain & nothing to lose).
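The web-of-trust sketch in the comment above (a provider publishing the identities a user has personally verified, released selectively), together with the post's point that something like OpenID still needs a way to tie a person to a token identity, can be made concrete with a small model. The code below is an added example and is not code from the post, from any commenter, or from OpenID or LinkedIn; the attestation format, the hop limit, the sample users and the HMAC-based signature stand-in are all this example's own assumptions.

```python
"""Toy web-of-trust for OpenID-style identities (constructed example).

Each user publishes a signed attestation list: the (OpenID URL, display
name) pairs they have personally verified.  A verifier that trusts a few
users directly can then check a claimed identity against those lists
instead of taking an e-mail address or a display name at face value.

Assumptions: the list format, the `max_hops` limit and the HMAC-based
signature stand-in are this example's own choices, not any OpenID spec.
A real deployment would use public-key signatures (e.g. PGP or Ed25519)
so anyone can verify a list without holding the signer's secret.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Set, Tuple

Attestation = Tuple[str, str]  # (openid_url, display_name)


def sign_list(secret: bytes, trusted: List[Attestation]) -> dict:
    """Publish a trust list with a MAC over its canonical JSON encoding."""
    body = json.dumps(sorted(trusted), separators=(",", ":"))
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return {"list": body, "tag": tag}


def release_subset(secret: bytes, trusted: List[Attestation],
                   allowed: Set[str]) -> dict:
    """Selective disclosure: sign only the entries the user chose to reveal."""
    return sign_list(secret, [a for a in trusted if a[0] in allowed])


def verify_list(secret: bytes, published: dict) -> Optional[List[Attestation]]:
    """Return the attestations if the MAC checks out, else None (tampered/forged)."""
    expected = hmac.new(secret, published["list"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, published["tag"]):
        return None
    return [tuple(x) for x in json.loads(published["list"])]


def vouched_for(claimed: Attestation, direct_trust: Set[str],
                keys: Dict[str, bytes], published: Dict[str, dict],
                max_hops: int = 2) -> Optional[str]:
    """Breadth-first walk from my direct contacts: return the OpenID of the
    first publisher within max_hops whose verified list contains `claimed`,
    or None if nobody I can reach vouches for it."""
    frontier, seen = set(direct_trust), set(direct_trust)
    for _ in range(max_hops):
        next_frontier: Set[str] = set()
        for voucher in frontier:
            if voucher not in published or voucher not in keys:
                continue  # no published list or no verification key: cannot trust
            entries = verify_list(keys[voucher], published[voucher])
            if entries is None:
                continue  # unverifiable list is ignored, never trusted
            if claimed in entries:
                return voucher
            for openid, _name in entries:
                if openid not in seen:
                    seen.add(openid)
                    next_frontier.add(openid)
        frontier = next_frontier
    return None


def name_conflicts(published: Dict[str, dict],
                   keys: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Flag display names vouched for under more than one OpenID: the
    signal that someone is using a real person's name on a second profile."""
    by_name: Dict[str, Set[str]] = {}
    for voucher, blob in published.items():
        for openid, name in verify_list(keys[voucher], blob) or []:
            by_name.setdefault(name, set()).add(openid)
    return {n: ids for n, ids in by_name.items() if len(ids) > 1}


def demo() -> dict:
    # Constructed sample data: these secrets stand in for signing keys.
    keys = {"https://bob.example/": b"k-bob", "https://dave.example/": b"k-dave"}
    carol = ("https://carol.example/", "Carol Jones")
    lookalike = ("https://carol-jones.example/", "Carol Jones")  # same name, other OpenID
    published = {
        "https://bob.example/": sign_list(keys["https://bob.example/"], [carol]),
        "https://dave.example/": sign_list(keys["https://dave.example/"], [lookalike]),
    }
    direct = {"https://bob.example/"}  # Alice trusts only Bob directly
    results = {
        "carol_voucher": vouched_for(carol, direct, keys, published),
        "lookalike_voucher": vouched_for(lookalike, direct, keys, published),
        "conflicts": name_conflicts(published, keys),
    }
    # Tampering: Bob's published list is edited to add the lookalike.
    forged = dict(published["https://bob.example/"])
    forged["list"] = json.dumps(sorted([carol, lookalike]), separators=(",", ":"))
    results["forged_list_verifies"] = verify_list(keys["https://bob.example/"], forged) is not None
    # Selective release: Bob reveals nothing to a requester he did not allow.
    subset = release_subset(keys["https://bob.example/"], [carol], set())
    results["subset_len"] = len(verify_list(keys["https://bob.example/"], subset) or [])
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the walk in `vouched_for` is that a name or e-mail address is never evidence on its own: the lookalike profile is rejected because nobody on Alice's side of the graph vouches for it, and `name_conflicts` surfaces the duplicate name as something to look at rather than accept. The MAC check is the stand-in for the signature that would stop an edited list from being accepted.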
i believe the issue at hand is whether internet users want to be identified at all. to answer unknowns questions:
1. there is no need or desire to solve the "problem". i'm fangman, that's all you need to know. perhaps we'll meet again someday, perhaps not. and that's OK by me, and likely by you.
2. understanding #1, this question is moot.
in certain cases, internet users need to be identified and it is handled in an appropriate manner, creating an identity for that person (e.g. banks, insurance, travel). in other cases, they do not (e.g. the core of the person - everything personal actually interesting about them- religious affiliation, hobbies, friends, location, etc. - AKA social networking sites). i’d argue that the success of online social networks has thrived because of the anonymity (the same can be said for the internet in general), it allows people to live out their fantasies in a semi-real environment. besides, those using such sites most often don’t really *know* people they’re linked with or have listed as their friends. if you want proof of this, look up Jenna Jameson’s friends on MySpace, then become one yourself.
that said, i understand nitesh's argument. sure, there are people that could social engineer others into "linking in" to a fake profile, and other shenanigans, however most humans operate ethically and honestly, and wouldn't even make this attempt, as for most there is not much to gain in doing so. you’d have to be a really bitter and vindictive person to go creating negative online personas of a person. seek counseling if that is you.
on the flip side, much is to be gained by someone creating a fake “positive” identity of themselves online, so when that job recruiter looks them up they shine. in my experience, most people are narcissistic, or at least believe it is ethical or “less wrong” to create a positive persona of themselves. i offer up any autobiography as proof of this, as well as most people’s resumes.
finally, it's easy for us to forget that there are many, many people in the world who do not use the internet (hard to believe, huh?). do they have identities, or are they meaningless?
btw- i've never seen Nitesh in a suit and tie, so I'm not even sure he posted this.
>btw- i've never seen Nitesh in a suit and tie, so I'm not even sure he posted this.
Hey thanks for the comment(s) Nick! :-D
Hey Nitesh,
thanks for this interesting article.
I'd like to add the problem with sophisticated identity theft. If you are a bad guy, a phisher if you want, and you need new victims ... where do you search first? Social Networking Sites ...
Because you get everything you need there for free: emails, social relationships, addresses etc ...
The problem I see in this case: with social relationships you can persuade a potential victim much more easily to click on your malicious link ...
"Hey Nitesh,
it's me, Denver, what do you think about this new program ... John already checked it and said it is nice! Have Fun!
Denver"
You know what I wanted to say?