Protecting Your Online Identity
As an infosec consultant, I see technology used in unintended, malicious, and downright mean ways every day. Despite all the movie scenes of green binary numbers swirling around the heads of evil computer geniuses as they ‘hack the mainframe’, a lot of damage can be done with very little technical knowledge. Accessibility, extensibility, and many of the features that make online content popular and useful can be, by their very nature, security vulnerabilities that can be exploited without altering the applications at all. A little creativity goes a long way.
In the social networking arena especially, the pervasiveness of user-generated content combined with the very personal aspects of social interactions can create a minefield of hidden risks to an innocent, everyday person’s reputation, relationships, career prospects, and sometimes life. Most of the readers here are familiar with risk-mitigating tactics like those suggested by the FTC. There’s another lesser-known and growing risk to social media users: online identity hijacking.
Since signing up for a social networking site generally doesn’t require authentication, hijacking someone’s online identity is as easy as typing in a name and a few pieces of information easily found on the Web. At one of last year’s Agoras hosted by the University of Washington CIAC, one of the speakers described his own identity hijacking experiment. A security expert volunteered to allow the researcher to hijack his identity. Using only what he could find online, the researcher created and maintained an account for the expert. It even fooled the expert’s own sister!
Last year, the Aladdin AIRC predicted that 2009 would see a surge in threats against social media, especially identity hijacking. While there’s no way to completely remove the risk, there are some steps to make things more difficult for the hijackers. Identity theft expert Robert Siciliano shares some great ideas on his blog at http://realtysecurity.com.