Social media an inviting target for cybercriminals

Story Highlights
  • Experts worry we are giving away bits of personal information
  • Be careful when using third-party applications on sites
  • Facebook says it spot-checks for malicious applications
  • Security starts with decisions on whom to connect with, experts say
By Steve Almasy

(CNN) -- It's your birthday. And thanks to your Facebook profile, everybody knows that. Your wall fills up with well wishes from hundreds of "friends."

There are more than 350,000 applications on Facebook. The company says it disables any that violate its terms.

Sure, it's nice to be noticed. But security experts are skeptical about whether sharing information, such as birthdays, with a broad audience is a bright idea.

"It's all about providing the bad guy with intelligence," said Robert Siciliano, CEO of "Back in the day, spy organizations planted someone on the inside to get proprietary data. Social media is the man on the inside. We're giving away all the intelligence for free."

Many people use their birthdate in passwords and personal identification numbers, and security questions often ask for it to resend a lost password. So broadcasting a birthdate could help cybercriminals pose as others as they log on to various Web sites, experts warned.

The same goes for pet names and the names of children. If your mother is a Facebook friend, her maiden name (a popular security question) is within reach of an identity thief.

The bad guys' tactics

Malicious actors have different goals. Some want Web surfers to click on links because they get paid for the visitors they send. Others hope computer users will enter passwords or Social Security numbers they can use to steal identities or money. And others would like to take over computers or Facebook identities.

One of the online attackers' favorite tricks is to send a post to a Facebook wall or Twitter account that looks like it came from a friend. The post contains a link, supposedly to a third-party application. If you take the bait, the scammers can collect your sign-on information and use malicious software to send that link to your friends.

"They are so viral," said Adam Ostrow, editor-in-chief at, a site that follows social media. "It becomes something that can affect thousands of people."

The hackers then try the same username and password for other sites to see whether they can break in to your accounts.

Once a user's account has been compromised, it creates opportunities for new scams. In one, a cybercriminal takes over a Facebook member's account and pretends to be stranded in another country. The scammer then asks the user's friends to wire money to them.

This scam has been happening with increasing frequency, wrote Facebook software engineer Alok Menghrajani Tuesday on one of the site's blogs. Facebook is working with Western Union to identify these schemes and has "improved a number of our automated systems to better handle this unique class of scam," he wrote.

Another popular ability of Facebook and Twitter, the status update of your current location, could also lead to trouble, Ostrow said. Mashable reported in June that one man in Arizona had tweeted he was going on vacation and came home to find his house burglarized.

Although authorities could not directly link the crime to the Twitter message, experts say it's clear that someone who tells his online community he is out of town has left himself exposed to criminals.

Who can see your quiz answers?

The American Civil Liberties Union is concerned about the amount of information visible by Facebook quiz makers and other third-party applications.

"They'll have access to all that information, so they can sell it; they can share it; they can do an awful lot with it," said Chris Calabrese, legislative counsel for privacy-related issues with the ACLU.

He said it is not clear that Facebook can do much about it, but the social media site disputed that assertion.

"We require that applications only ask for the data they need to run the application," Facebook spokesman Simon Axten wrote in an e-mail interview with "We enforce this policy through spot checks and have disabled apps that we've found to be in violation. No app can access the most sensitive information like contact info."

There are more than 350,000 applications active on Facebook, and more than 70 percent of its members use one each month, according to the site.

In August, Facebook announced it would make changes to the site, including "technical changes designed to give people more transparency and control over the information they provide to third-party applications."

"That doesn't get to the heart of the question," Calabrese said, "which is, do you want and should your friends have the ability to share your personal information with third parties?"

His organization hopes to meet with Facebook officials, he said.

Protecting your privacy

Mashable's Ostrow recommended using the "lists" feature on Facebook and having different privacy settings for each group. For family or close friends, it would be OK to show an address and phone numbers. But consider restricting information access for acquaintances.

Ostrow also said Facebook users should carefully consider friend requests in the first place, a sentiment echoed by Michael Kaiser, the executive director of the National Cyber Security Alliance.

"People don't think about what their goal is in using social media before they start," Kaiser said. If you want to use it on a personal level, limit the number of people in your network to close friends and family whom you trust.

But, he said, if used as a professional tool with a wide network, reveal less about yourself.

Information on LinkedIn, a professional networking site, is intended for public viewing.

Still, "we really encourage users to connect to users they know and trust," said Kay Luo, a spokeswoman for the company. "LinkedIn should be the version of yourself that you feel comfortable sharing."

People often post on the site where they have worked and when, business groups they belong to and when they went to college.

"The real issue that comes to mind is listing past contacts and affiliations that someone could use to dig up data to be used in whatever ways imaginable," Siciliano said.
