erica's joys :)
Thursday, April 20, 2006
Social Networking or Social Engineering?
Do these questions look familiar:
What was the name of your high school?
What was your high school mascot?
What is your favorite color?
Where were you born?
Whats your favorite sports team?
If you have a MySpace profile, a Xanga account, even an e-mail address in some cases, you probably recognize these as questions from surveys you may have received. Now how a look at this:
Those are the security question options from a major financial website. The similarity of the questions to common survey questions is alarming to me. If its not already happening, I'm sure its only a matter of time before some unsavory phisher and/or scam artist hops on MySpace (or any other social network), creates an account, and begins collecting friends and sending out surveys. In a matter of hours, the scammer would have information good enough for authentication about many of the "friends".
It seems as though social networking can easily cross the line into social engineering. Sure people know not to share their passwords and social security numbers but what about the other identifying information? How much information is too much information? The line between social networking and social engineering seems to be really fine and really fuzzy. Here's hoping some education for companies (because the example given above is really piss poor) and individuals will help to make this line a little more broad and definitely more clear.
What was the name of your high school?
What was your high school mascot?
What is your favorite color?
Where were you born?
Whats your favorite sports team?
If you have a MySpace profile, a Xanga account, even an e-mail address in some cases, you probably recognize these as questions from surveys you may have received. Now how a look at this:
Those are the security question options from a major financial website. The similarity of the questions to common survey questions is alarming to me. If its not already happening, I'm sure its only a matter of time before some unsavory phisher and/or scam artist hops on MySpace (or any other social network), creates an account, and begins collecting friends and sending out surveys. In a matter of hours, the scammer would have information good enough for authentication about many of the "friends".
It seems as though social networking can easily cross the line into social engineering. Sure people know not to share their passwords and social security numbers but what about the other identifying information? How much information is too much information? The line between social networking and social engineering seems to be really fine and really fuzzy. Here's hoping some education for companies (because the example given above is really piss poor) and individuals will help to make this line a little more broad and definitely more clear.
Comments:
<< Home
where ARE you anyway? You used to be the IM queen. Now you're hardly ever logged on. Do you have a REAL job? Is that what this is all about?
...misterboston
...misterboston
I couldn't agree with you more, Erica. Especially in light of all the recent losses of personal data by so many different companies. As far as I see it, the less I have to reveal about my personal life, the better. Not because I am so secretive but because the more someone knows about you the more chance they have of being able to pretend to be you.
Post a Comment
<< Home
Archives
July 2005 August 2005 February 2006 March 2006 April 2006 May 2006 June 2006 July 2006 August 2006 September 2006 October 2006 November 2006 December 2006 January 2007 February 2007
Subscribe to Posts [Atom]