The European Network and Information Security Agency highlighted numerous security issues for social networking sites such as Facebook and MySpace. Although I was aware of most of the issues, some of them are a bit troubling.
I maintain an online presence through a blog, a photoblog, Facebook, flickr, LinkedIn and Twitter. One of the threats is digital dossier aggregation. The profile information that is maintained online can be downloaded and stored by third parties without personal consent. Sadly, secondary data is also often present. For example, there are statistics maintained on the sites that can be readily accessed. Recent visits, lengths of connections, comments. All of this secondary data can also be gathered and associated with a profile.
One that I had not really considered was face recognition. Several of my sites include my digital image. Not only can primary and secondary information be gathered but a dossier could be populated with a recent photo.
Phishing can become more sophisticated as a result. Through the collection of such data, phishing attacks can become far more effective by leveraging names of known contacts through existing social networks. In extreme cases, a phishing attack could become a whaling attack by selecting higher profile targets.
Another threat is profile-squatting and reputation slander through identity theft. I will often visit sites like Fake Steve Jobs or Fake Steve Ballmer. And the content is obviously fabricated. However, the ability to assume a digital identity and slander or profit from identity theft is a real threat. And it is not hard to do.
Governments are attempting to understand the potential issues associated with incidental disclosure of personal information. And put in place a regulatory structure to ensure privacy. A necessary action.
For example, I started receiving much higher than normal unsolicited email content from vendors. In one case, the content originated from a vendor that I work with quite closely. I did not understand why I was receiving the material from someone else in their company. The reason? Identity theft. Some salesperson, desperate to obtain contact information, dumped his business card roster into Jigsaw, a website that offers an exchange of contact information. Once that website had my identity information, they traded it to other sales people looking for an entry point into a corporation.
I went to the website with only one objective: to get my identity information removed. And guess what? I can”™t. I do not own the data. Some website has taken data from my business card and they can circulate that data freely without my consent. They have over 8 million individual names in their database.
Although the security issues are more prevalent with social networking sites, it can also happen if you hand out a business card.
Welcome to 1984.