Social networking users expose passwords online A CPP white paper November 2011




Contents

1.1 Foreword

1.2 Background News

1.3 Research methodology

1.4 Key Findings

- One third (32%) of Facebook profiles contain at least two pieces of personal information

- Only one per cent of Facebook users had no data points on their public profiles

- The majority of people do not trust all of their Facebook ‘friends’

- 18-24 year olds have, on average, more than 250 friends, but 81% say they do not trust all their Facebook friends

- Women and those aged 65 and over are the most trusting of their Facebook friends

- People are prepared to accept friend requests from a total stranger

- 9% said they would accept an invitation from a stranger if they were good looking or popular

- Six per cent of users allow anyone and everyone to see their entire profile

- 15% allow everyone to see their date of birth, which is a very common form of account verification

- One in four people are logged into their Facebook account most or all the time

- Only 14% said they had antivirus or security settings on their smartphones

1.5 Sample attacks

1.6 Conclusion

1.7 Safeguarding your identity

1.8 Further Information

1.9 About CPP


Introduction

1.1 Foreword

During September 2011 Jason Hart, CEO of CRYPTOCard Europe, was commissioned by CPP to perform a review of 250 public Facebook profiles. The scope of the assessment was to highlight any information that could relate to an individual’s password and/or sensitive information and allow a potential targeted attack against the individual by means of social engineering.

Password choices follow a predictable psychology. People choose easy keyboard patterns such as ‘123456’ or ‘qazwsx’, or they choose their children’s names, birth dates and favourite sports teams.

By understanding a person and looking at their Facebook account, it is very easy to use their social network profile to guess their password. The password may have a small twist: knowing that ‘ronnie’ is a popular password among football fans, there may be variants such as ‘r0nnie’ or ‘ronnie1234’.

During a period of four days, 250 public Facebook profiles were reviewed in order to see if any of the following information was present within the Facebook profile:

- Interests

- First school

- Hobby

- Pet’s name

- Favourite football team

- Date of birth

- Favourite football player

- The user’s name

- Children’s names

- Maiden name

Having the above information publicly visible on Facebook leaves the user at risk of an attacker using it to guess the user’s Facebook password, or any other password the user has in place for personal or business use.

The two largest forms of risk are based around:

- Password attacking by way of guessing (or ‘brute force’ attack), based on information uncovered within the public Facebook profile

- Targeted social engineering attacks

Social engineering is similar to hacking in that it is used to gain unauthorised access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft or simple disruption. However, social engineering is generally much easier than technical intrusion (hacking), as it does not require technical know-how or background to be completed successfully; it simply involves using personal information. It is extremely difficult to prepare statistical evidence on the impact of such attacks on individuals, because in most cases it will not be known when a social engineer has stolen information: the majority of attacks go unnoticed and unreported.



1.2 Background News

- Personal details of 10,000 people were stolen from their Facebook accounts and leaked online according to a hacking group, which claimed responsibility for the attack. The group, called Team Swastika, briefly posted the file which it said contained the user names and passwords of Facebook users.1

- Recently, a new software tool emerged which automates social engineering on Facebook. Unlike hacking software, this tool doesn’t demonstrate any new theoretical security vulnerability. However, the automation of the social engineering process may have significant practical security implications as it can be launched by every script kiddie.2

- The number of people falling victim to identity fraud is rising, with employees and members of the public not doing enough to protect themselves, experts have warned. A total of 80,000 cases were reported across the UK last year, with victims losing £1,190 on average.3

- Phone hacking fears dominate consumers’ security concerns about new ‘mobile wallet’ payment systems and are likely to hamper UK adoption of new ‘swipe and pay’ smartphone systems.4

- Mobile malware increased 273% in the first half of this year, with cross-platform Trojans dominating the landscape.5

- 40% of mobiles lost or stolen in the last two years were not password protected.6

- According to internet service provider TalkTalk, more than eight million homes in the UK were targeted by cyber criminals in the first quarter of 2011, with problems ranging from bombardments by unwanted pop-up adverts to full-scale attacks. The Office for National Statistics said that 77% of homes have internet access, but more than a fifth of users do not believe they possess the skills needed to protect their personal data.7


1 The Independent, ‘Hackers claim Facebook attack’, 19 October 2011

2 Contingency Today, ‘automated Facebook identity threat’, 20 September 2011

3 The Scotsman, ‘Victims of ID fraud losing £1,190 - and it’s on the rise’, 20 October 2011

4 PRNewswire, ‘Intersperience research reveals mobile payment security concerns’, 14 October 2011

5 SC Magazine UK, ‘Mobile malware rockets this year’, 12 September 2011

6 Walletpop, ‘Would you lose everything if you lost your mobile phone?’, 13 September 2011

7 Managed Hosting News, ‘Cyber criminals targeted 8.5m UK homes in Q1’, 21 September 2011




1.3 Research Methodology

ICM interviewed a random sample of 2,030 adults aged 18+ online between 9-11 September 2011. Surveys were conducted across the country and the results have been weighted to the profile of all adults. ICM is a member of the British Polling Council and abides by its rules. Further information at www.icmresearch.co.uk

During September 2011, Jason Hart was commissioned by CPP to perform a review of 250 public Facebook profiles, to identify any information that could relate to an individual’s password and/or sensitive information that could allow a potential targeted attack against the individual. At no point during the research was any user’s data or online webmail accounts compromised.

1.4 Key Findings

One third (32%) of Facebook profiles contain at least two pieces of personal information

The audit of Facebook profiles showed that one third of Facebook profiles contain at least two pieces of personal information such as their mother’s maiden name, date of birth, hobbies or children’s names.

27% of the profiles contained three pieces of personal information and five per cent had more than six pieces of personal information. Only 1% of Facebook users had no data points on their public profiles.

Because this information is often used as a password or as an answer to a security question when users look to reset their online account log-in details, we can conclude that people are freely adding and publicly showing sensitive information on their Facebook profiles that can be used against them to either guess or socially engineer their passwords.

[Pie chart: How much data was given by each profile? Segments: 1 piece, 2 pieces, 3 pieces, 4 pieces, 5 pieces, more than 6 pieces, no data. Segment values: 12%, 27%, 16%, 32%, 7%, 5% and 1%.]

Source: Jason Hart based on 250 random public Facebook profiles, September 2011


The majority of people do not trust all of their Facebook ‘friends’

Only 36% of Facebook users profiled trust all of their friends. As the most active social media users, those aged 18 to 24 are the most likely to publicise their personal information – and often to complete strangers.

This age group has on average more than 250 friends but 81% say they do not trust all of their Facebook friends.

Unsurprisingly, the number of Facebook friends decreases with age: 18 to 24 year olds (261 friends), 25 to 34 year olds (196 friends), 35 to 44 year olds (120 friends), 45 to 54 year olds (93 friends), 55 to 64 year olds (65 friends), 65 and over (47 friends).

Women and those aged 65 and over are most trusting of their Facebook friends.

When we asked over 2,000 people if they had ever been a victim of identity fraud that originated from someone accessing details from any of their social media accounts (Facebook, Twitter and LinkedIn), 6% said they had, with 10% of 25-34 year olds claiming to have been a victim of identity fraud via details taken from their profiles. Given that identity fraud is a growing crime, this statistic is high and points to an area of vulnerability.

[Bar chart: People revealing data on public Facebook profiles. Vertical axis: percentage of profiles (0 to 80). Horizontal axis (individual pieces of data): First school, Interests, Employer, Hobbies, Favourite player, Dates of interest, Children’s names, Football team, Email, Maiden name, Pet’s name.]

Source: Jason Hart based on 250 random public Facebook profiles, September 2011


[Bar chart: percentage of people who trust all their Facebook friends, among all respondents with a Facebook account, by gender (Male 33%, Female 38%) and by age group (18-24: 19%, 25-34: 23%, 35-44: 39%, 45-54: 44%, 55-64: 46%, 65+: 57%).]

[Bar chart: Q: To your knowledge have you ever been a victim of identity fraud that originated from someone accessing details from any of your social media accounts (Facebook, Twitter and LinkedIn)? Yes/No responses among all respondents with a Facebook account (6% Yes), by gender (Male, Female) and by age group (18-24, 25-34, 35-44, 45-54, 55-64, 65+); 10% of 25-34 year olds answered Yes.]



Six per cent of users allow anyone and everyone to see their entire profile

Over half (52%) of the social networkers questioned had received friendship requests from strangers. And despite media publicity around Facebook privacy and security, as well as identity fraud which shows no sign of abating, 6% allow anyone and everyone to see their entire profile.

15% of people allow everyone to access their date of birth which is a very common security question both for online accounts and for contact centre account verification.

Q: Have you ever accepted a friend request on Facebook from a stranger i.e. someone you don’t know and have never met in real life?

People are prepared to accept friend requests from a total stranger

One third (33%) of people admit to accepting an invitation from people they have never met before with those aged 18-24 most likely to accept a friend request from a total stranger (50%).

Men were more likely (37%) to accept friend requests from total strangers than women (29%) although both are surprisingly high.

When we asked why, a small but significant minority (9%) said they would accept an invitation from a stranger if they were good looking or popular. Some Facebook users would also accept invitations simply to boost the number of friends shown on their profiles.

15% of Facebook users have not seen or spoken to many of their friends in over ten years.

[Bar chart: Yes/No answers to the question above (accepting a friend request from a stranger), as a percentage (0 to 100) of all respondents with a Facebook account (33% Yes), by gender (Male 37% Yes, Female 29% Yes) and by age group (18-24: 50% Yes; 25-34, 35-44, 45-54, 55-64, 65+).]


More concerning, however, is that ‘friend’ status means a lot more information is accessible. And with many users accepting friend requests from people they do not know, and two-thirds of people not trusting all their Facebook friends, many users are potentially putting their identities at risk.

This is surprising given the fact that 49% of people are aware that it is possible to use personal information accessible on Facebook or other social networking sites in order to commit identity fraud. Indeed 55% of 18-24 year olds understand this, yet they are the most likely to have the most friends and least likely to trust them all.

Separately, one in four people are logged onto the site all or most of the time. Given an increasing number of people access Facebook from their smartphones, we have a developing situation where they are leaving themselves open to impersonation should their handsets be lost or stolen.

When questioned further on their handset security, only 14% said they had antivirus or security settings on their smartphones.

Q: Who can access the following on your Facebook profile?

[Bar charts: who can access each profile item (Everyone / Friends of friends / Friends / No one), as a percentage of respondents (0 to 80). Items: Your status, photos and posts; Bio and favourite quotations; Family and relationships; Photos and videos you’re tagged in; Religious and political views; Birthday; Permission to comment on your posts; Places you check into; Contact information. 15% allow everyone to see their birthday.]


Examples of how personal details visible on Facebook can be used by hackers:

Information type / Potential impact / Risk factor

First school
Potential impact: First school is often used as a security question on web-based applications and social networks.
Risk factor: High - if used as the answer to web-based security questions.

Employer
Potential impact: An attacker can use this information to conduct a social engineering attack targeting the user’s employer.
Risk factor: Medium to high - risk to the user and the employer.

Dates of interest
Potential impact: People who publicly display their date of birth are open to different forms of identity fraud.
Risk factor: High - date of birth is used by most banks as one form of identification.

Email address
Potential impact: Makes the user a potential target for password reset attacks and is a potential starting point for spear phishing attacks.
Risk factor: Medium to high - depending on whether the user is using a web-based email address.

Maiden name
Potential impact: People who publicly display their maiden name also leave family members open to different forms of identity threat.
Risk factor: High - maiden name is used by most banks as one form of identification.



1.5 Sample Attacks

The review concludes that people are freely adding sensitive information to their Facebook profiles without understanding the possible implications of the data being publicly available. There are several methods to attempt to determine a user’s password, based on information posted on the user’s social network profile.

- Looking for answers to password reset questions. Users of social networks sometimes inadvertently reveal information that could be used to reset passwords, either on the social network itself or on popular webmail services such as Google, Hotmail and Yahoo! Mail. For example, on a user’s Facebook profile you are likely to find information like mother’s maiden name, place of birth, the colour of their first car and so on. These are similar, if not identical, to the questions used by many password reset functions of popular webmail or even online banking services. If an attacker can gain access to the user’s webmail account using this method, all it takes is the password reset functionality on the social network to send a new password (or reset link) to the e-mail account, which is now under the attacker’s control.

- Guessing the password. It may seem very trivial to think about, but based on the public information you find on a user’s Facebook profile, you can guess the password. For example, try their favourite foods and drinks, family names, as well as hobbies and sports teams.

- Creating a word list. A number of tools available on the web can collect keywords from a web page (such as a Facebook profile) and put them into a wordlist. Once the list has been created, it can be used to conduct a ‘brute force’ password attack. The success of such an attack depends largely on how well the targeted web application employs brute force prevention mechanisms.
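As an added defensive example (not part of the CPP paper), the following Python check rejects a candidate password that is built from data visible on a public profile, covering the ‘r0nnie’ and ‘ronnie1234’ twists described in the foreword as well as the date-of-birth fragments a profile-derived wordlist would contain. The profile fields and values are constructed for illustration, and the substitution map and minimum token length are assumptions of this example.

```python
import re
from datetime import date

# Constructed sample profile; the fields mirror the data points the audit looked
# for (maiden name, pet's name, football team, children's names, date of birth).
SAMPLE_PROFILE = {
    "first_name": "Alice",
    "maiden_name": "Brown",
    "pet_name": "Ronnie",
    "football_team": "Leeds United",
    "children": ["Max", "Ellie"],
    "date_of_birth": date(1985, 4, 12),
    "first_school": "St Mary's",
}

# Keyboard substitutions that turn 'ronnie' into 'r0nnie' (assumed list).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_TOKEN = 3   # shortest profile word worth matching (e.g. a child called 'Max')


def profile_tokens(profile):
    """Lower-case words, joined names and date fragments taken from the profile."""
    tokens = set()
    for value in profile.values():
        if isinstance(value, date):
            d, m, y = f"{value.day:02d}", f"{value.month:02d}", str(value.year)
            tokens.update({y, d + m + y, d + m + y[2:], d + m, m + d, y[2:] + m + d})
            continue
        for text in (value if isinstance(value, list) else [value]):
            words = re.findall(r"[a-z]+", text.lower())
            tokens.update(w for w in words if len(w) >= MIN_TOKEN)
            joined = "".join(words)            # 'leeds united' -> 'leedsunited'
            if len(joined) >= MIN_TOKEN:
                tokens.add(joined)
    return tokens


def normalized_forms(password):
    """Forms of the password with the usual 'small twists' undone."""
    lowered = password.lower()
    forms = {lowered, lowered.translate(LEET)}          # r0nnie -> ronnie
    for form in list(forms):
        forms.add(re.sub(r"^\d+|\d+$", "", form))       # ronnie1234 -> ronnie
        forms.add(re.sub(r"[^a-z]", "", form))          # r0nn!e_2 -> ronnie
    return {f for f in forms if f}


def profile_derived(password, profile):
    """Return the profile tokens found inside the password (empty set = OK)."""
    tokens = profile_tokens(profile)
    return {tok for form in normalized_forms(password) for tok in tokens if tok in form}


if __name__ == "__main__":
    for candidate in ["r0nnie", "Ronnie1234", "L33dsUn1ted!", "12041985",
                      "correct-horse-battery"]:
        hits = profile_derived(candidate, SAMPLE_PROFILE)
        print(f"{candidate!r}: {'REJECT ' + str(sorted(hits)) if hits else 'ok'}")
```

A site would run this at registration or password change, with the user's own stored profile fields, and refuse any candidate for which the result is non-empty.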

To show an example of an attack, we took one of the profiles uncovered during the audit and checked whether it would be possible for an attacker to carry out a password reset attack on this user’s webmail account.

The attack is based on a five step process:

- Uncovering webmail address on Facebook

- Accessing the password reset webpage for the target webmail account

- Forcing the webmail service to reveal the secret question

- Reviewing the Facebook profile to find the answer to the secret question

- Resetting the Webmail password

In order to show the process in action, please refer to the screen shots below. At no point during the Facebook audit or writing this report was any user’s data or webmail accounts compromised.



Step 1

A review of the Facebook audit showed that 9% of the profiles were publicly showing the user’s webmail email address:

Step 2

Once an attacker has the e-mail address they are able to go to the webmail service based on the email address and click on the ‘Forgot your password?’ button. In this case we are using Hotmail as the example, but all webmail systems work in the same way:

Step 3

The attacker is then asked to enter the email address of the account they are looking to reset:


Step 4

A review of the Facebook profile reveals the name of the user’s favourite football team, which answers the secret question.

Step 5

The attacker is then able to reset the password and gain full control of, and access to, the user’s e-mail account.
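Added example (not from the paper): a minimal Python password-reset service showing how a webmail provider can close Steps 2 to 5 above by never confirming that an address is registered, never presenting a secret question, and sending a short-lived, single-use token to a verified recovery contact instead of accepting a knowledge-based answer. The account store, recovery contacts and `send` callback are constructed for illustration, and the assumption that every account has a verified recovery contact is this example's, not the paper's.

```python
import hashlib
import secrets
import time
from collections import defaultdict

TOKEN_TTL_SECONDS = 15 * 60      # reset links expire after 15 minutes
MAX_REQUESTS_PER_HOUR = 3        # per address, to blunt repeated reset attempts


def _digest(token):
    """Store only a hash of the token so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    """Reset flow that never shows a secret question or confirms an account.

    Assumption (not from the paper): every account has a verified recovery
    contact recorded at sign-up, and `send` delivers the token to it.
    """

    NEUTRAL_REPLY = "If that address is registered, a reset link has been sent."

    def __init__(self, accounts, send):
        self.accounts = accounts            # email -> {"recovery": ..., "password": ...}
        self.send = send                    # callable(recovery_contact, token)
        self.tokens = {}                    # token digest -> (email, expiry time)
        self.requests = defaultdict(list)   # email -> timestamps of recent requests

    def request_reset(self, email, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.requests[email] if now - t < 3600]
        self.requests[email] = recent
        if len(recent) >= MAX_REQUESTS_PER_HOUR:
            return self.NEUTRAL_REPLY       # throttled, but the reply is unchanged
        recent.append(now)
        account = self.accounts.get(email)
        if account is not None:
            # An out-of-band token replaces the secret question of Steps 3-4:
            # nothing visible on a public profile can answer it.
            token = secrets.token_urlsafe(32)
            self.tokens[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
            self.send(account["recovery"], token)
        return self.NEUTRAL_REPLY           # same reply for unknown addresses

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.tokens.pop(_digest(token), None)   # single use
        if entry is None or now > entry[1]:
            return False                                 # unknown or expired
        self.accounts[entry[0]]["password"] = new_password
        return True


if __name__ == "__main__":
    # Constructed sample account; the recovery contact is a placeholder value.
    accounts = {"user@example.invalid": {"recovery": "+44-0000-000000", "password": "old"}}
    outbox = []
    service = PasswordResetService(accounts, lambda contact, tok: outbox.append((contact, tok)))
    print(service.request_reset("nobody@example.invalid"))   # same reply, nothing sent
    print(service.request_reset("user@example.invalid"))     # token goes to recovery contact
    print("delivered to:", outbox[-1][0])
    print("reset accepted:", service.complete_reset(outbox[-1][1], "new-secret"))
    print("replay accepted:", service.complete_reset(outbox[-1][1], "again"))
```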

1.6 Conclusion

The review has recognised that people are putting themselves at great risk by not knowing the potential threats of having their passwords guessed or hacked. Social networks are designed to allow sharing of personal information with others. Without this sharing, social networks would cease to exist. However, protecting and controlling access to personal information does not seem to be a consideration for many users.

The more information people share with the world the more valuable and vulnerable they are to hackers. People need to understand that their privacy and risk of being a target is mostly dependent on what they are posting on Facebook and other social networking sites, as well as how privacy settings are configured for each social network site they are a member of.


1.7 Safeguarding your identity

Danny Harrison is Head of Data and Identity Protection at CPP and offers the following advice to consumers to help protect them from data loss. Danny has over ten years’ experience and is responsible for CPP’s mobile phone assistance and insurance products that insure against lost, stolen and damaged handsets, and also assists people in the event of lost data.

Danny is media trained across print and broadcast and is available for media interviews on the issue of data security and identity fraud.

Users have to start considering ways of mitigating risks by ensuring that they use some basic guidelines around password creation and management. With social networks, personal responsibility of information and data is key. The following recommendations will help prevent password guessing and ‘brute force’ attacks against users.

Having a unique password for every website: Suppose your Facebook account or webmail gets hacked and you have the same password for every website. You have then effectively compromised every account that uses that password. Always create a unique password for each website you use.

Personal information: Ensure that you are not posting any personal information on Facebook that can be used against you, for example date of birth, mother’s maiden name, email address and so on.

Enable two-factor authentication: A number of web-based applications and social networking sites now allow users to remove the need for static passwords by enabling two-factor authentication, removing the risk of the user’s password being compromised.

Privacy settings on your social network profiles: Review the privacy settings on your social networks to ensure they meet your expectations. Social networks generally have default settings that allow everyone to view your information.

For further information please contact:

Nick Jones

Head of Public Relations CPPGroup Plc Holgate Park York YO26 4GA

www.cppgroup.plc

Tel: 01904 544 387

E-Mail: [email protected]



CPP is an award-winning organisation:

- Top 50 Call Centres for Customer Service, 2009, 2010 and 2011

- Finalist in the Plc Awards, New Company of the Year, 2011

- Winner in the European Contact Centre Awards, Large Team of the Year category, 2010

- Finalist in the European Contact Centre Awards, Best Centre for Customer Service, Large Contact Centre of the Year categories, 2010

- Finalist in the National Sales Awards, Contact Centre Sales Team of the Year category, 2010

- Finalist in the National Insurance Fraud Awards, Counter Fraud Initiative of the Year category, 2009

- Finalist in the European Contact Centre Awards, Large Team and Advisor of the Year categories, 2009

- Named in the Sunday Times 2008 Pricewaterhouse Coopers Profit Track 100

- Finalists in the National Business Awards, 3i Growth Strategy category, 2008

- Finalist in the National Business Awards, Business of the Year category, 2007, 2009 and Highly Commended in 2008

- Named in the Sunday Times 2006, 2007, 2008 and 2009 HSBC Top Track 250 companies

- Regional winner of the National Training Awards, 2007

- Winner of the BITC Health, Work and Well-Being Award, 2007

- Highly Commended in the UK National Customer Service Awards, 2006

- Winner of the Tamworth Community Involvement Award, 2006. Finalist in 2008

- Highly Commended in The Press Best Link Between Business and Education, 2005 and 2006. Winner in 2007

1.8 About CPP

Corporate Background Information

The CPPGroup Plc (CPP) is an international marketing services business offering bespoke customer management solutions to multi-sector business partners designed to enhance their customer revenue, engagement and loyalty, whilst at the same time reducing cost to deliver improved profitability.

This is underpinned by the delivery of a portfolio of complementary Life Assistance products, designed to help our mutual customers cope with the anxieties associated with the challenges and opportunities of everyday life.

Whether our customers have lost their wallets, been a victim of identity fraud or looking for lifestyle perks, CPP can help remove the hassle from their lives leaving them free to enjoy life. Globally, our Life Assistance products and services are designed to simplify the complexities of everyday living whether these affect personal finances, home, travel, personal data or future plans. When it really matters, Life Assistance enables people to live life and worry less.

Established in 1980, CPP has 11 million customers and more than 200 business partners across Europe, North America and Asia and employs 2,300 employees who handle millions of sales and service conversations each year.

In 2010, Group revenue was £325.8 million, an increase of more than 12 per cent over the previous year.

In March 2010, CPP debuted on the London Stock Exchange (LSE).

What We Do:

CPP provides a range of assistance products and services that allow our business partners to forge closer relationships with their customers.

We have a solution for many eventualities, including:

- Insuring our customers’ mobile phones against loss, theft and damage

- Protecting the payment cards in our customers’ wallets and purses, should these be lost or stolen

- Providing assistance and protection if a customer’s keys are lost or stolen

- Providing advice, insurance and assistance to protect customers against the insidious crime of identity fraud

- Assisting customers with their travel needs be it an emergency (for example lost passport), or basic translation service

- Monitoring the credit status of our customers

- Provision of packaged services to business partners’ customers

For more information on CPP please visit www.cppgroupplc.com
