Facebook is by far one of the top social networking sites on the Internet, with millions of users, but how secure is it? Or rather how security conscious are the people who use it?
These questions are constantly brought up about the site, and with the rise of malicious web activity people have become more concerned with their security. The problem is that most of them don’t think twice about how many people can see their information posted on Facebook, so I decided to see how security conscious people were on there. What’s the best way to do this? Well I created a totally fake profile, no information was real at all, and then I could see how many people actually check who they are friending and how much information people could retrieve by making a fake identity.
Note: As creating a fake identity is against Facebook’s TOS, it is very possible that the account will have been deleted by the time this article is read, but that doesn’t matter, all that’s important is that this has been done showing what can happen.
Making The Fake Account
Creating a new Facebook account is as simple as 1-2-3. Fill in your name, e-mail, password, and DOB. After this you will get an e-mail with the account info, and you can sign into your new account. Next fill in some information about yourself on the blank Facebook page, add a profile picture, and start adding friends. For future reference my Facebook page is “Dolus Carson” but Facebook won’t allow you to see the page unless you friend me so just trust me on the information. Just for the record I’ve never known anyone named Dolus Carson, I simply took my blog pseudonym and added a good last name to it.
What I Did To Start
First of all no Facebook account is even slightly reputable without a profile picture, so what picture did I put up? Marcus Vick of course, generic but at least everyone knows who he is and people put up pictures of sports stars all the time, nothing suspicious there. Next I joined a school network, which is integral for finding friends later. I chose a random school and ended up joining the “Langley High” network which is supposedly a school near Washington D.C. Here are two screenshots of my profile:
Here’s the second half:
Adding Friends
Now that the profile had been created it was time to get some friends. Facebook actually provides a tool that makes finding friends as easy as going to your “Home” screen and going to the “People You May Know” tool.
Notice how both the people at the bottom went to Langley High? Well, since I had joined the network earlier, everyone in this box also went to Langley. This makes adding friends a cinch, since all they have to see is that you go to their school and then they accept you as a friend. The first friend was hard since Facebook shows how many friends you have in common; at first this was 0, but within 30 minutes I already had 10 friends. Obviously someone just went onto their Facebook and saw a friend request from someone that goes to Langley High, so they friended me back. Now making friends after this is easy, since Facebook will show that there are 10 or 20 mutual friends between me and the person I’m friending. So now I just went to the “People You May Know” box and clicked away for 20 minutes or so. The next day I went on and had 30 friends or so. Guess how fast people friended me? Well, within 4 days I already had over 100 Facebook friends. From this point the possibilities of friends are limitless, since I have so many friends that most people just assume that they’ve never seen me, but I must know them somehow, so they friend me. Plus, who turns down Facebook friends? Having more just means that you’re more “popular.”
The Sad Truth
Not only did I make an effort to friend people, but many people also made the effort to friend me. I’ve had at least 8 friend requests from people that I never knew, and they have certainly never known the fictitious “Dolus Carson.” I also had 3 birthday wishes from people that never knew me, and one person commented on a poem that I posted (just for fun). It wasn’t until a bit later that a few people wrote on my wall asking who I was, which surprised me since I thought these posts would have happened earlier. I also received one or two private messages asking who I was. Here are the wall posts:
Timeline
The profile was made at 2:35 PM on Saturday, November 22nd, and the 100 friend mark was reached on Wednesday, November 26.
The Point
Well, you’ve seen for yourself how easy it can be to create a fake identity, and possibly even use it for malicious purposes. All the information people put on Facebook is visible to almost anyone, especially their friends. This means that I could retrieve phone numbers, e-mails, and even addresses from the 139 friends I have if they have posted that information. Scary? Yes, I think so.
Basically you just have to be aware of your own security online. Do not post information that other people shouldn’t have, and always second-guess yourself when wondering whether you should do something that could compromise your online safety. And as pointed out above, check who you friend on Facebook.








That’s nothing new, it’s always been like that with both FaceBook and MySpace.
jess
http://www.privacy-tools.at.tc
JImMcDosh,
Yes I am aware that this has been done many times before, but this is the first time that I’ve seen it documented.
It’s always interesting to see how much people actually pay attention to who they friend, request, whatever.
Cheers,
Dolus
This has nothing to do with the security of Facebook or computer security whatsoever, it’s typically referred to as social engineering, which is simply exploiting and manipulating the naive trust many people have in a stranger they simply want to be nice to. You don’t have to be paranoid to avoid situations such as these, just use common sense and base trust on something substantial. Also, take faith that you can trust the editors of the following Wikipedia article on the subject: http://en.wikipedia.org/wiki/Social_engineering_(security)
philipashlock,
Yes, you are exactly right about how it is not Facebook’s issue but rather the people that use it. Thanks for the article.
Cheers,
Dolus
“I chose a random school”
Firstly, this suggests the school is random in nature, which it is not - there are several deterministic reasons for its presence. I’m assuming you meant “I chose a school at random”, which leads me to my second point:
How? Did you select all the schools, give each one a number, then use some random input such as radioactive decay (I’d even settle for the use of a pseudorandom number generating algorithm) to determine which one you should use? I’m guessing you didn’t. You are preconditioned to prefer some things over others. You prefer certain letters, colours, areas over others and as such you are not giving each of the schools in your selection an equal probability of being selected, so according to the definition of ‘random’, you did not (and cannot) choose a school at random.
The sentence you should have used is “I chose a school arbitrarily”.
If you don’t know how to use a word correctly, just don’t use it - there’s no shame (in fact using a clever word incorrectly gives people the opposite impression!) Before you say it, I know a lot of other people are using this word incorrectly too, but that doesn’t make it right.
If you find that you also use the word ‘literally’ quite often, you might want to look into the definition of this word and ensure you’re not, in fact, communicating the OPPOSITE meaning to which you intended.
-James
You can’t add real friends.
nice! good work.
Very interesting experiment.
I’ve recently developed a Facebook application that would add an interesting wrinkle to your test. It is called Friend Grade and it basically grades your friends based on how well they know you.
You may want to take a (5 question) test and forward to a few of your supposed ‘friends’…see how well they actually know you.
Here is a link to the app:
http://apps.new.facebook.com/friends_survey/index.php
Joe