Thursday, July 21, 2011

Could we replace Active Directory with Facebook?

Facebook may not be used by us all but it is certainly known to almost everyone.  Many people tell me proudly how they never use it, others how they have thousands of friends.  Like going to the pub or chess club, Facebook is to each what they need it to be.

Leaving aside the social abilities of Facebook, there is another quite interesting property of the service.  This property is perhaps counterintuitive and is certainly something that has also been highlighted as a problem with online services.  The property I am talking about is identity.

Now if you are an ICT security professional you probably just threw something at the screen, or more likely clicked the back button.  Those of you that did not, bear with me while I explain why Facebook has properties that could identify you uniquely as an individual online.

Okay, so now assume that I create an account online for a shopping site.  They ask me my name, date of birth and something secret, usually my mother's maiden name (like that was not on public record!!).  That's it, off you go: almost anyone can pretend to be me, creating an account and doing whatever they wish.

Now take a look at my Facebook account.  In there is a lot of information about me, even though I am careful not to expose too much.  There are photos of me, there is a network of friends all of whom know me, as I am choosy about who I have as a friend.  There is information about my hobbies and there are lots of examples of the way I think and my humour.  Pretending to be me on this account is much more difficult; indeed a number of times I have spotted when this has happened to friends via a "frape".  Of course a "frape" is normally perpetrated to embarrass the victim, so is quite obvious.

The other advantage to Facebook is that, as a web destination, it becomes something that people regularly use and check.  I can guarantee that a Facebook user will check the site regularly, yet I doubt many of them check their online bank account for abuse every day.  This means that if something changes or some information gets posted that they did not do themselves, they will most likely notice quickly.  A "frape" does not go unnoticed for very long.

Finally, consider what would happen if my Facebook account became the basis of my identity and was used to access other services.  My authenticity is reflected by all those facts about me and, assuming any such use was reflected in my newsfeed, my vigilance is assured.  Even without the authentication, a feed of events, say accesses to your bank account, into Facebook as a private newsfeed would provide many users with information they do not otherwise see and potentially make them safer.

There are two further things to consider:

Facebook was not designed to be used in this way and may well have other problems that could lead to compromise.  I am noting here the conceptual benefits of a social network in uniquely identifying you and maintaining your vigilance, not suggesting just jumping in and using Facebook instead of Active Directory for authentication.

Although, with work, it would still be possible to masquerade as me, it is not as easy and would require work and research by the perpetrator.  It is of course easier to become me if I don't already have a Facebook account: a villain could create one for me and assume my role.  Something for all of those who gleefully tell me they never use Facebook to think about.
