what are you really sharing

I’ve noticed a lot of people putting up quizzes on Facebook lately, and I did one of my own as well (although I can’t seem to find it now…). I got to thinking about the kind of information people put in a quiz…

What is the name of your childhood best friend?
Who is your favorite author?
What is the name of your first pet?

Do these sound like they are from a Facebook quiz? They do, don’t they… the kind of semi-interesting, semi-obscure, mostly-harmless questions that people come up with on quizzes to sort out those who know them from those who don’t. Right?

Wrong.

These are security questions from a major internet transaction gateway which I’d guess about 50% of people reading this already use. Similar questions are asked by popular free internet email providers that probably more than 90% of you currently have.

Think about this from a security point of view… When you put together a quiz on Facebook you are deliberately posting the kind of information that you are probably ALREADY USING to secure some of your more sensitive internet-based accounts.

Consider this scenario…

1) EvilHacker trundles through Facebook and sees your profile (because you haven’t made it non-public… oops… or maybe you’ve got a massive friends list…)
2) EvilHacker notices your quiz… EvilHacker works out the answers to your questions.
3) EvilHacker sees your email address in your info.
4) EvilHacker does the old Forgot Your Password? trick on your Hotmail/Gmail/Live account… He gets asked some weird question about your favorite author… Oops. Again.
5) With access to your email address, EvilHacker sees that you use Paymate, Paypal, eBay, etc etc et al.
6) Rinse, lather and repeat until you are utterly pwned.

Sounds a little far-fetched and paranoid, I am sure (aka That would never happen to little old me…), but consider this. There are entire ECONOMIES that run off the trade of any amount of personal information. The bad guys who buy this stuff up (or get cheap labour in third world countries to go out looking for it) then pull it all together, work out who the best targets are (based on the quality of the information gathered) and go to work on breaking into as many of your accounts as they possibly can. These guys do this FOR WORK. It’s speculated that the economies of certain countries would take a serious battering if this activity ceased. It’s a deep rabbit hole.

It’s not just about using anti-virus.

Not convinced? Try these…
http://www.wired.com/threatlevel/2008/09/palin-e-mail-ha/
http://www.wired.com/threatlevel/2008/09/group-posts-e-m/
http://www.huffingtonpost.com/2008/09/17/palins-email-account-hack_n_127184.html

Selah.

Casey John Ellis

founder bugcrowd and disclose.io, keynote speaker, security strategist
