Do you add people whom you don’t really know in real life to your Facebook? If you don’t, then kudos to you, your profile is probably way more secure than those who do. But are you sure that the people you added are really who they say they are?
Security and online behavior researcher Nelson Neto recently presented a way to befriend just about anyone on Facebook within 24 hours or less through a bit of social engineering. All you need to do is mimic somebody on that person’s friend list. Create a new profile using that person’s name and begin sending friend requests to those on that person’s friend list. After accumulating enough ‘mutual friends’, your chances of getting accepted would be considerably higher.
To prove his point, Nelson chose the most difficult target of all: a web security expert whom, for the purpose of the experiment, he dubbed “SecGirl”. His goal was to trick SecGirl into befriending him within 24 hours.
He began by replicating the Facebook profile of SecGirl’s manager. Then, he got busy sending friend requests. Nelson sent 432 friend requests to the manager’s friends of friends, 436 to the manager’s friends, and 580 more to SecGirl’s friends.
Within seven and a half hours of making the account, he already had 73 friends – enough to make the account look legitimate. More importantly, he had SecGirl as a friend. It didn’t even take a quarter of the time that Nelson allotted for the project.
Interestingly, SecGirl still added the fake account even though she already had her manager on her friends list. It’s possible that she didn’t notice that the account was a duplicate or just assumed that her manager was creating a new account. Either way, her defenses were thoroughly breached and a stranger had managed to gain access to her profile information set to “Friends Only.”
Now, ask yourself, are you really sure about the people on your friends list? Could there be a thief, scammer, or hacker lurking within your inner circle? Have you personally verified that the people you added are really who they say they are?
But then, let’s be realistic, verifying each and every person we add to our friend list would be a bit troublesome. The best solution to such a problem is to simply upload and post only what we are willing to let the public see. Even if you have your profile set to ‘friends only’, treat it as if it’s visible to everyone and post only information that’s ‘safe’. We addressed a similar topic last week by showing how your account is only as secure as your weakest friend. Never post information that could be used against you, such as your address, your mobile number, etc. Control the content you share and you’ll control your security.