Facebook claims that it has 400 million users. But are they well-protected from prying eyes, scammers, and unwanted marketers?
Not according to Joan Goodchild, senior editor of
CSO (Chief Security Officer) Online.
She says your privacy may be at far greater risk of being violated than you know, when you log onto the social-networking site, due to
security gaffes or marketing efforts by the company.
Facebook came under fire this past week, when 15 privacy and consumer protection organizations filed a
complaint with the Federal Trade Commission, charging that the site, among other things, manipulates privacy settings to make users' personal information available for commercial use. Also, some Facebook users found their private chats accessible to everyone on their contact list--a major security breach that's left a lot of people wondering just how secure the site is.
In two words, asserts Goodchild: not very.
On "The Early Show on Saturday Morning," Goodchild spotlighted five dangers she says Facebook users expose themselves to, probably without being aware of them:
- Your information is being shared with third parties
- Privacy settings revert to a less safe default mode after each redesign
- Facebook ads may contain malware
- Your real friends unknowingly make you vulnerable
- Scammers are creating fake profiles
Below is an edited transcript of the interview.
Is Facebook a secure platform to communicate with your friends?
Here's the thing: Facebook is one of the most popular sites in the world. Security holes are being found on a regular basis. It is not as inherently secure as people think it is, when they log on every day.
Certainly, there are growing pains. Facebook is considered a young company, and it has been around a few years now. It is continuing to figure this out. They are so young, they are still trying to figure out how they are going to make money. It is hard to compare this to others; we have never had this phenomenon before in the way [so many] people are communicating with each other--only e-mail comes close.
The potential for crime is real. According to the
Internet Crime Complaint Center, victims of Internet-related crimes lost $559 million in 2009. That was up 110 percent from the previous year. If you're not careful using Facebook, you are looking at the potential for identity theft, or possibly even something like assault, if you share information with a dangerous person you think is actually a "friend." One
British police agency recently reported that the number of crimes it has responded to in the last year involving Facebook climbed 346 percent. These are real threats.
Lately, it seems a week doesn't go by without some news about a Facebook-related security problem. Earlier this week, TechCrunch discovered a security hole that
made it possible for users to read their friends' private chats. Facebook has since patched it, but who knows how long that flaw existed? Some speculate it may have been that way for years.
Last month, researchers at VeriSign's iDefense group discovered that a
hacker was selling Facebook usernames and passwords in an underground hacker forum. It was estimated that he had about 1.5 million accounts--and was selling them for between $25 and $45.
And the site is constantly under attack from hackers trying to spam these 400 million users, or harvest their data, or run other scams. Certainly, there is a lot of criticism in the security community of Facebook's handling of security. Perhaps the most frustrating thing is that the company rarely responds to inquiries.
Do people really have privacy on Facebook?
No. There are all kinds of ways third parties can access information about you. For instance, you may not realize that, when you are playing the popular games on Facebook,
such as FarmVille, or take those popular quizzes--every time you do that, you authorize an application to be downloaded to your profile that gives information to third parties about you that you have never signed off on.
Does Facebook share info about users with third parties through things such as Open Graph?
Open Graph is a new concept for Facebook, which unveiled it
last month at its F8 conference. It actually is basically a way to share the information in your profile with all kinds of third parties, such as advertisers, so they can have a better idea of your interests and what you are discussing, so Facebook can--as portrayed--"make it a more personal experience."
The theory behind Open Graph--even if it has not implemented it--is its whole business model, isn't it?
That is the business model--Facebook is trying to get you to share as much information as possible so it can monetize it by sharing it with advertisers.
Isn't it in Facebook's best interest to get you to share as much info as possible?
It absolutely is. Facebook's mission is to get you to share as much information as it can so it can share it with advertisers. As it looks now, the more info you share, the more money it is going to make with advertisers.
Isn't there also a security problem every time it redesigns the site?
Every time Facebook redesigns the site, which [usually] happens a few times a year, it puts your privacy settings back to a default in which, essentially, all of your information is made public. It is up to you, the user, to check the privacy settings and decide what you want to share and what you don't want to share.
Facebook does not [necessarily] notify you of the changes, and your privacy settings are set back to a public default. Many times, you may find out through friends. Facebook is not alerting you to these changes; it is just letting you know the site has been redesigned.
Can your real friends on Facebook also can make you vulnerable?
Absolutely. Your security is only as good as your friend's security. If someone in your network of friends has a weak password, and his or her profile is hacked, he or she can now send you malware, for example.
There is a common scam called a 419 scam, in which someone hacks your profile and sends messages to your friends asking for money - claiming to be you--saying, "Hey, I was in London, I was mugged, please wire me money." People fall for it. People think their good friend needs help--and end up
wiring money to Nigeria.
A lot of Web sites we use display banner ads, but do we have to be wary of them on Facebook?
Absolutely: Facebook has not been able to screen all of its ads. It hasn't done a great job of vetting which ads are safe and which are not. As a result, you may get an ad in your profile when you are browsing around one day that has malicious code in it. In fact, last month, there was an
ad with malware that asked people to download antivirus software that was actually a virus.
Is too big a network of friends dangerous?
You know people with a lot of friends--500, 1,000 friends on Facebook? What is the likelihood they are all real? There was a study in 2008 that
concluded that 40 percent of all Facebook profiles are fake. They have been set up by bots or impostors.
If you have 500 friends, it is likely there is a percentage of people you don't really know, and you are sharing a lot of information with them, such as when you are on vacation, your children's pictures, their names. Is this information you really want to put out there to people you don't even know?
This interview, "Five Hidden Dangers of Facebook," was originally published on CBSNews.com.
Facebook flooded with fake profiles
Spammers and malware writers exploiting site to infect users
Up to 40 per cent of new Facebook profiles could be fictitious registrations created by spammers and malware writers to infect end users, security firm Cloudmark has warned.
Neil Cook, European head of technology services at Cloudmark, told
vnunet.com that research carried out by the firm revealed that between 20 and 40 per cent of new profiles on the popular social networking site could be bogus.
Cook explained that, once set up with a portfolio of fake profiles, virus writers encourage users to click on links to malicious sites by including them on postings on other users' walls or blogs.
Another tactic is to try and get users to visit their profile pages through friend requests or personal messages. The profile page then redirects visitors to a malware site.
"Social networks are very collaborative so it's great for spammers and virus writers to attack," said Cook. "As soon as social networking took off, so did the attacks."
Cook also predicted that SMS spam would eventually seep into the UK market, spreading from China and other Asian countries.
Elizabeth Armstrong Moore is a freelance journalist based in Portland, Ore. She has contributed to Wired magazine, The Christian Science Monitor, and public radio. Her semi-obscure hobbies include unicycling, slacklining, hula-hooping, scuba diving, billiards, Sudoku, Magic the Gathering, and classical piano. She is a member of the CNET Blog Network and is not an employee of CNET. 
