Facebook, fraud and the continuing security problems of social media
December 19, 2013

No one likes to fill out forms, which is why many websites are offering social sign-on options that rely on credentials from sites such as Facebook or Twitter. By reducing the amount of friction needed for users to apply for an account, organizations can benefit from better member information and participation. In the digital ecosystem, convenience is just as important in the physical world, as many businesses and institutions have come to understand. 

Yet there are limits to social sign-on authentication methods. The system may work for news providers and other low-risk websites, but it's not a viable solution for more sensitive matters, such as e-commerce or online government services. 

In general, social media creates a substantial window for hackers and fraudsters to exploit. Personal information can be stolen to break into otherwise more secure accounts. Even if sensitive details are locked away from anyone but friends, this may not be enough for people to protect their identities. After all, a stranger might take on the identity of a friend, as recently happened to the staff of a Baltimore-based television station, according to Ars Technica. 

Dealing with an imposter
Chris Dachille, an executive sports producer at WBAL, received a friend request from someone he seemingly knew, the news source reported. The individual used a familiar name, picture and enough relevant details to trick Dachille into believing the fraudster's legitimacy. This left his social media data available to a stranger, and soon enough, a Dachille impersonator was online, sending friend requests to the producer's known associates. 

While some of Dachille's colleagues and family may have questioned why they were receiving a friend request from him, most did not and none of them mentioned the incident to him, at least right away. Dachille only heard about the problem after the impersonator began asking for money and spamming the news feeds of his associates. 

When that happened, it should have been a simple matter to shut down the false account, but according to Ars Technica, Facebook initially did nothing despite receiving an abuse report. The social network only acted after the Maryland Attorney General's office contacted it. Although Facebook possesses tools to help validate user identities, many details in the cloned account appeared legitimate, having been copied directly from Dachille's actual profile. 

Leaks only require one hole
The matter was eventually resolved and, because none of Dachille's friends clicked on the spam-links, no malware breached WBAL's network. However, this incident illustrated some of the security problems that social media represents. Even users concerned with privacy issues may unwittingly friend someone who is not who he or she appears to be. Additionally, even if fraudsters can't fool everyone, if they can trick enough people into providing information or accepting a friend request, then they can access a considerable amount of data and use that knowledge to repeat the task. 

Ars Technica noted that part of WBAL's problem was that employees were using Facebook for work purposes, yet separating these two worlds can be almost impossible due to the nature of friendship and the expanding role that social media plays in the business world. 

Due to the issues with social media, organizations should carefully consider their reliance on it for security purposes as much as possible. This means avoiding social sign-on methods, but also using personal information for identity authentication answers. Sites such as Facebook are porous by necessity, so the more distance that exists between business and these networks, the better.