Fact, fiction and the Internet

Authentication using public [mis]information

By M. E. Kabay, Network World
February 01, 2010 12:02 AM ET
David Harley, BA, CISSP, FBCS, CITP is director of Malware Intelligence at ESET and a distinguished and frequent contributor of intelligent commentary on new developments in information assurance. I am grateful to him for his kindness in allowing us to publish his essay below on an alarming trend.

* * *

In their simplest form, many social networking sites are not much more than online diaries. Whether you're thinking of Bridget Jones or Adrian Mole, Alan Clark or Samuel Pepys, most of us realize that a diary is just someone's personal view, and not a reliable source of indisputable information. Most of us except for financial institutions, that is, or so it appears.

In a recent blog post, security expert Roger Thompson related how an authentication check by his credit card company resulted in their asking him a question to verify his identity, using information publicly available – as opposed to, or in addition to, the use of the sort of information we share with such institutions as "secret questions", for instance. The required answer in this case concerned the age of Thompson's daughter-in-law, whom they referred to by her maiden name. The only public resource that he could think of that would connect the two of them is Facebook, though other commentators have pointed out that genealogy sites are used in identity checks too.

For a while now, some security researchers have advised people to be economical with the truth when using chatrooms, forums and social-networking sites. Why would you give your true date of birth to a site that doesn't need to know it and that can't be trusted to keep it private? Is it a good idea to let all your Facebook friends know you're on holiday next week when you may not have met them all personally and can't be sure how much of your information is available to their friends? If you must use your dog's name as a password (you really shouldn't be using names for passwords), talking about Fido on Facebook gives a determined attacker a good start along the password guessing route. How much easier is it to harvest information about a target when their place of birth or current home town is public knowledge?

In the security industry, we talk a lot about the dangers of social networking and sharing information that may be valuable to burglars and scammers, or even spies (if you happen to be married to the head of MI some-number-or-other). But it isn't just about what you do, or information that you give away. Other people can give away information that impacts on you, like that current, dated photo of you next to Niagara Falls that your friend posts to his Facebook page, giving clear notice that you aren't at home right now.

This latest revelation about how information posted to Web sites is being used (or misused) suggests a potential scenario where false information might actually be seen as more valid than true information, simply because it's "publicly available" and your bank assumes that you – or someone within your social network – will never lie to a social networking site.
