Contents
1.1 Foreword
1.2 Background News
1.3 Research methodology
1.4 Key Findings
- One third (32%) of Facebook profiles contain at least two pieces of personal information
- Only one per cent of Facebook users had no data points on their public profiles
- The majority of people do not trust all of their Facebook ‘friends’
- 18-24 year olds have, on average, more than 250 friends, but 81% say they do not trust all their Facebook friends
- Women and those aged 65 and over are the most trusting of their Facebook friends
- People are prepared to accept friend requests from a total stranger
- 9% said they would accept an invitation from a stranger if they were good looking or popular
- Six per cent of users allow anyone and everyone to see their entire profile
- 15% allow everyone to see their date of birth, which is a very common form of account verification
- One in four people are logged into their Facebook account most or all the time
- Only 14% said they had antivirus or security settings on their smartphones
1.5 Sample attacks
1.6 Conclusion
1.7 Safeguarding your identity
1.8 Further Information
1.9 About CPP
Social networking users expose passwords online November 2011
Introduction
1.1 Foreword
During September 2011 Jason Hart, CEO of CRYPTOCard Europe, was commissioned by
CPP to perform a review of 250 public Facebook profiles. The scope of the assessment
was to highlight any information that could relate to an individual’s password and/or
sensitive information and allow a potential targeted attack against the individual by means
of social engineering.
Password choice is driven by psychology. People choose easy patterns on the keyboard, like
‘123456’ or ‘qazwsx’. In addition, people choose their children’s names, birth dates and
favourite sports teams.
By understanding a person and looking at their Facebook account it is very easy to use
their social network profile to potentially guess their password. However, the password
may have a small twist. Knowing that ‘ronnie’ is a popular password for football fans, there
may be different variants like ‘r0nnie’ or ‘ronnie1234’.
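The defender-side counterpart to the pattern described above, as an added example that is not part of the CPP report: a server-side password check that undoes the common ‘twists’ (leetspeak, appended digits) and refuses a password built from details the user has made public. The profile field names and sample values are constructed for illustration.

```python
import re
from datetime import date

# Characters commonly swapped in to disguise a word ('r0nnie', 'p@ss').
LEET_MAP = str.maketrans("013457@$!", "oieastasi")
MIN_TOKEN = 4  # ignore very short words ('the', 'fc') to limit false positives


def letter_forms(password):
    """Letter-only skeletons of a password, with and without leetspeak undone.
    Both 'r0nnie' and 'Ronnie1234' reduce to a form containing 'ronnie'."""
    lower = password.lower()
    plain = re.sub(r"[^a-z]", "", lower)
    deleet = re.sub(r"[^a-z]", "", lower.translate(LEET_MAP))
    return {plain, deleet}


def profile_words(profile):
    """Map each free-text profile field to the words someone might lift from it."""
    words = {}
    for field, value in profile.items():
        if isinstance(value, str):
            found = set(re.findall(r"[a-z]{%d,}" % MIN_TOKEN, value.lower()))
            if found:
                words[field] = found
    return words


def dob_digits(dob):
    """Digit strings people typically build from a birth date (year, ddmm, ddmmyy, ...)."""
    return {dob.strftime(f) for f in ("%Y", "%d%m", "%m%d", "%d%m%y", "%d%m%Y")}


def derived_from_profile(password, profile):
    """Return the profile fields the password appears to be built from.
    An empty list means the password passes this check."""
    hits = []
    forms = letter_forms(password)
    for field, words in profile_words(profile).items():
        if any(w in form for w in words for form in forms):
            hits.append(field)
    dob = profile.get("date_of_birth")
    digits = re.sub(r"\D", "", password)
    if isinstance(dob, date) and any(tok in digits for tok in dob_digits(dob)):
        hits.append("date_of_birth")
    return hits


# Constructed sample profile: the kind of detail the audit found publicly visible.
SAMPLE_PROFILE = {
    "name": "Jane Smith",
    "favourite_team": "Manchester United",
    "favourite_player": "Ronnie",
    "children": "Oliver and Amelia",
    "pet": "Biscuit",
    "maiden_name": "Taylor",
    "date_of_birth": date(1984, 3, 17),
}

if __name__ == "__main__":
    for candidate in ("r0nnie", "Ronnie1234", "0liver!", "Biscuit17031984",
                      "Taylor84", "tr33-lamp-harbour-42"):
        hits = derived_from_profile(candidate, SAMPLE_PROFILE)
        verdict = "REJECT (%s)" % ", ".join(hits) if hits else "accept"
        print("%-22s %s" % (candidate, verdict))
```

Run on the sample profile, only the last candidate passes; the check is meant to sit beside, not replace, a breach-list check and a minimum-length rule.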
During a period of four days, 250 public Facebook profiles were reviewed in order to see if
any of the following information was present within the Facebook profile:
- Interests
- Hobby
- Favourite football team
- Favourite football player
- Children’s names
- First school
- Pet’s name
- Dates of birth
- The user’s name
- Maiden name
The risk of having the above information publicly present within Facebook leaves the user
at risk of being targeted by way of an attacker using the information to guess the user’s
Facebook password or any other passwords that the user has in place for personal or
business use.
The two largest forms of risk are based around:
- Password attacking by way of guessing (or ‘brute force’ attack), based on
information uncovered within the public Facebook profile
- Targeted social engineering attacks
Social engineering is similar to hacking in that it is used to gain unauthorised access to
systems or information to commit fraud, network intrusion and industrial espionage,
identity theft or simple disruption. However, social engineering is generally much easier
than technical intrusion (hacking), as it does not require the technical know-how or
background to be completed successfully. Rather, it simply involves using personal
information. It is extremely difficult to prepare statistical evidence on the impact of such
attacks on individuals because in most cases it will not be known when a social engineer
has stolen information, as the majority of attacks go unnoticed and unreported.
1.2 Background News
- Personal details of 10,000 people were stolen from their Facebook accounts and leaked online according to a hacking group, which claimed responsibility for the attack. The group, called Team Swastika, briefly posted the file which it said contained the user names and passwords of Facebook users.1
- Recently, a new software tool emerged which automates social engineering on Facebook. Unlike hacking software, this tool doesn’t demonstrate any new theoretical security vulnerability. However, the automation of the social engineering process may have significant practical security implications as it can be launched by every script kiddie.2
- The number of people falling victim to identity fraud is rising, with employees and members of the public not doing enough to protect themselves, experts have warned. A total of 80,000 cases were reported across the UK last year, with victims losing £1,190 on average.3
- Phone hacking fears dominate consumers’ security concerns about new ‘mobile wallet’ payment systems and are likely to hamper UK adoption of new ‘swipe and pay’ smartphone systems.4
- Mobile malware increased 273% in the first half of this year, with cross-platform Trojans dominating the landscape.5
- 40% of mobiles lost or stolen in the last two years were not password protected.6
- According to internet service provider Talk Talk, more than eight million homes in the UK were targeted by cyber criminals in the first quarter of 2011, with problems ranging from bombardments by unwanted pop-up adverts to full-scale attacks. The Office for National Statistics said that 77% of homes have internet access, but more than a fifth of users do not believe they possess the skills needed to protect their personal data.7
1. The Independent, ‘Hackers claim Facebook attack’, 19 October 2011
2. Contingency Today, ‘automated Facebook identity threat’, 20 September 2011
3. The Scotsman, ‘Victims of ID fraud losing £1,190 - and it’s on the rise’, 20 October 2011
4. PRNewswire, ‘Intersperience research reveals mobile payment security concerns’, 14 October 2011
5. SC Magazine UK, ‘Mobile malware rockets this year’, 12 September 2011
6. Walletpop, ‘Would you lose everything if you lost your mobile phone?’, 13 September 2011
7. Managed Hosting News, ‘Cyber criminals targeted 8.5m UK homes in Q1’, 21 September 2011
1.3 Research Methodology
ICM interviewed a random sample of 2,030 adults aged 18+ online between 9-11
September 2011. Surveys were conducted across the country and the results have been
weighted to the profile of all adults. ICM is a member of the British Polling Council and
abides by its rules. Further information at www.icmresearch.co.uk
During September 2011, Jason Hart was commissioned by CPP to perform a review of
250 public Facebook profiles, to identify any information that could relate to an individual’s
password and/or sensitive information that could allow a potential targeted attack against
the individual. At no point during the research was any user’s data or online webmail
accounts compromised.
1.4 Key Findings
One third (32%) of Facebook profiles contain at least two pieces of
personal information
The audit of Facebook profiles showed that one third of Facebook profiles contain at least
two pieces of personal information such as their mother’s maiden name, date of birth,
hobbies or children’s names.
27% of the profiles contained three pieces of personal information and five per cent had
more than six pieces of personal information. Only 1% of Facebook users had no data
points on their public profiles.
Because this information is often used as a password or as an answer to a security
question when users look to reset their online account log-in details, we can conclude that
people are freely adding and publicly showing sensitive information on their Facebook
profiles that can be used against them to either guess or socially engineer their passwords.
[Chart: How much data was given by each profile? Segments: 1 piece, 2 pieces, 3 pieces, 4 pieces, 5 pieces, more than 6 pieces, no data. Source: Jason Hart based on 250 random public Facebook profiles, September 2011]
[Chart: People revealing data on public Facebook profiles. Vertical axis: individual pieces of data. Categories: First school, Children’s names, Interests, Football team, Employer, Email, Hobbies, Maiden name, Favourite player, Pet’s name, Dates of interest. Source: Jason Hart based on 250 random public Facebook profiles, September 2011]
The majority of people do not trust all of their Facebook ‘friends’
Only 36% of Facebook users profiled trust all of their friends. As the most active social
media users, those aged 18 to 24 are the most likely to publicise their personal information
– and often to complete strangers.
This age group has on average more than 250 friends but 81% say they do not trust all of
their Facebook friends.
Unsurprisingly, the number of Facebook friends decreases with age: 18 to 24 year olds (261
friends), 25 to 34 year olds (196 friends), 35 to 44 year olds (120 friends), 45 to 54 year
olds (93 friends), 55 to 64 year olds (65 friends), 65 and over (47 friends).
Women and those aged 65 and over are most trusting of their Facebook friends.
When we asked over 2,000 people if they had ever been a victim of identity fraud that
originated from someone accessing details from any of their social media accounts
(Facebook, Twitter and LinkedIn), 6% said they had, with 10% of 25-34 year olds claiming
to have been a victim of identity fraud via their details having been taken from their
profiles. Given that identity fraud is a growing crime, this statistic is high and points to an area
of vulnerability.
[Chart: Percentage of people who trust all their Facebook friends, shown for all respondents with a Facebook account, by gender (male, female) and by age group (18-24, 25-34, 35-44, 45-54, 55-64, 65+).]
Q: To your knowledge have you ever been a victim of identity fraud that originated
from someone accessing details from any of your social media accounts
(Facebook, Twitter and LinkedIn)?
[Chart: Yes/No responses for all respondents with a Facebook account, by gender (male, female) and by age group (18-24, 25-34, 35-44, 45-54, 55-64, 65+).]
People are prepared to accept friend requests from a total stranger
One third (33%) of people admit to accepting an invitation from people they have
never met before with those aged 18-24 most likely to accept a friend request
from a total stranger (50%).
Men were more likely (37%) to accept friend requests from total strangers than
women (29%) although both are surprisingly high.
When we asked ‘why’, a small, but significant minority (9%), said they would
accept an invitation from a stranger, if they were good looking or popular. Some
Facebook users would also accept invitations simply so they can boost the
number of friends they have on their profiles.
15% of Facebook users have not seen or spoken to many of their friends in over
ten years.
Q: Have you ever accepted a friend request on Facebook from a stranger,
i.e. someone you don’t know and have never met in real life?
[Chart: Yes/No responses for all respondents with a Facebook account, by gender (male, female) and by age group (18-24, 25-34, 35-44, 45-54, 55-64, 65+).]
Six per cent of users allow anyone and everyone to see their entire profile
Over half (52%) of the social networkers questioned had received friendship requests from
strangers. And despite media publicity around Facebook privacy and security, as well as
identity fraud which shows no sign of abating, 6% allow anyone and everyone to see their
entire profile.
15% of people allow everyone to access their date of birth which is a very common
security question both for online accounts and for contact centre account verification.
More concerning, however, is that ‘friend’ status means a lot more information is
accessible. And with many users accepting friend requests from people they do not know
and two-thirds of people not trusting all their Facebook friends, many users are potentially
putting their identities at risk.
This is surprising given the fact that 49% of people are aware that it is possible to use
personal information accessible on Facebook or other social networking sites in order to
commit identity fraud. Indeed 55% of 18-24 year olds understand this, yet they are the
people most likely to have the most friends and least likely to trust them all.
Separately, one in four people are logged onto the site all or most of the time. Given an
increasing number of people access Facebook from their smartphones, we have a
developing situation where they are leaving themselves open to impersonation should
their handsets be lost or stolen.
When questioned further on their handset security, only 14% said they had antivirus or
security settings on their smartphones.
Q: Who can access the following on your Facebook profile?
[Chart: Responses for each profile item: your status, photos and posts; bio and favourite quotations; family and relationships; photos and videos you’re tagged in; religious and political views; birthday; permission to comment on your posts; places you check into; contact information. Legend: Everyone, Friends of friends, Friends, No one.]
Examples of how personal details visible on Facebook can be used by hackers (information type, potential impact and risk factor):

First School
Potential impact: First school is often used as a security question on web-based applications and social networks.
Risk factor: High, if used as the answer to web-based security questions.

Employer
Potential impact: An attacker can use this information to conduct a social engineering attack to target the user’s employer.
Risk factor: Medium to high; risk to the user and employer.

Dates of Interest
Potential impact: People that publicly display their date of birth are open to different forms of identity fraud.
Risk factor: High, as DOB is used by most banks as one form of identification.

Email Address
Potential impact: This allows the user to become a potential target for password reset attacks and is a potential way to start spear phishing attacks.
Risk factor: Medium to high, depending on whether the user is using a web based email address.

Maiden Name
Potential impact: People that publicly display their maiden name also leave family members open to different forms of identity threat.
Risk factor: High; maiden name is used by most banks as one form of identification.
1.5 Sample Attacks
The review concludes that people are freely adding sensitive information to their Facebook
profiles without understanding the possible implications of the data being publicly
available. There are several methods to attempt to determine a user’s password, based on
information posted on the user’s social network profile.
- Looking for answers to password reset questions. Users of social networks sometimes inadvertently reveal information that could be used to reset passwords either on the social network itself or on popular webmail services such as Google, Hotmail and Yahoo! Mail. For example, on a user’s Facebook profile you are likely to find information like mother’s maiden name, place of birth, the colour of their first car and so on. These questions are similar, if not identical, to many password reset functions of popular webmail or even online banking services. If an attacker can gain access to the user’s webmail account using this method, all it takes is using the password reset functionality on the social network to send a new password (or reset link) to the e-mail account, which is now under the attacker’s control.
- Guessing the password. It may seem very trivial to think about, but based on the public information you find on a user’s Facebook profile, you can guess the password. For example, try their favourite foods and drinks, family names, as well as hobbies and sports teams.
- Creating a word list. There are a number of tools available on the web that can collect keywords from a web page (Facebook profile) and put them into a wordlist. Once the list has been created it can be used to conduct a ‘brute force’ password attack using the wordlist. The accuracy of the attack is largely dependent on how well the web application being targeted employs any brute force prevention mechanisms.
In order to show an example of an attack we have taken one of the profiles uncovered
during the audit and have seen if it would be possible for an attacker to undertake a
password reset attack on this user’s webmail account.
The attack is based on a five step process:
- Uncovering webmail address on Facebook
- Accessing the password reset webpage for the target webmail account
- Forcing the webmail service to reveal the secret question
- Reviewing the Facebook profile to find the answer to the secret question
- Resetting the Webmail password
In order to show the process in action, please refer to the screen shots below. At no point
during the Facebook audit or writing this report was any user’s data or webmail accounts
compromised.
Step 1
A review of the Facebook audit showed that 9% of the profiles were publicly showing the
user’s webmail email address:
Step 2
Once an attacker has the e-mail address they are able to go to the webmail service based
on the email address and click on the ‘Forgot your password?’ button. In this case we are
using Hotmail as the example, but all webmail systems work in the same way:
Step 3
The attacker is then requested to enter the email address of the account they are looking to reset:
Step 4
A review of the Facebook profile reveals the name of the favourite football team.
Step 5
The attacker is able to reset the password and gain full control of and access to the
user’s e-mail account.
1.6 Conclusion
The review has recognised that people are putting themselves at great risk by not
knowing the potential threats of having their passwords guessed or hacked. Social
networks are designed to allow sharing of personal information with others.
Without this sharing, social networks would cease to exist. However, protecting
and controlling access to personal information does not seem to be a consideration
for many users.
The more information people share with the world the more valuable and
vulnerable they are to hackers. People need to understand that their privacy and
risk of being a target is mostly dependent on what they are posting on Facebook
and other social networking sites, as well as how privacy settings are configured
for each social network site they are a member of.
1.7 Safeguarding your identity
Danny Harrison is Head of Data and Identity Protection at CPP and offers the following
advice to consumers to help protect them from data loss. Danny has over ten years’
experience and is responsible for CPP’s mobile phone assistance and insurance products
that insure against lost, stolen and damaged handsets, and also assists people in the event
of lost data.
Danny is media trained across print and broadcast and is available for media interviews on
the issue of data security and identity fraud.
Users have to start considering ways of mitigating risks by ensuring that they use some
basic guidelines around password creation and management. With social networks,
personal responsibility for information and data is key. The following recommendations will
help prevent password guessing and ‘brute force’ attacks against users.
Having a unique password for every website: Suppose your Facebook account or
webmail gets hacked and you have the same password for every website. This means that
you have effectively compromised all the accounts that use that same password. Always
create a unique password for each website you use.
Personal information: Ensure that you are not posting any personal information on
Facebook that can be used against you, for example date of birth, mother’s maiden name,
email address etc.
Enforce two-factor authentication: A number of web based applications and social
networking sites now provide users with the ability to remove the need for static passwords
and allow them to enable two-factor authentication, thus totally removing the risks of the
user’s password being compromised.
Privacy settings on your social network profiles: Review the privacy settings on your
social networks to ensure they meet your expectations. Social networks generally have
default settings that allow everyone to view your information.
For further information please contact:
Nick Jones
Head of Public Relations
CPPGroup Plc
Holgate Park
York
YO26 4GA
www.cppgroup.plc
Tel: 01904 544 387
E-Mail: nick.jones@cpp.co.uk
1.8 About CPP
Corporate Background Information
The CPPGroup Plc (CPP) is an international marketing services business offering bespoke customer management solutions to multi-sector business partners designed to enhance their customer revenue, engagement and loyalty, whilst at the same time reducing cost to deliver improved profitability.
This is underpinned by the delivery of a portfolio of complementary Life Assistance products, designed to help our mutual customers cope with the anxieties associated with the challenges and opportunities of everyday life.
Whether our customers have lost their wallets, been a victim of identity fraud or looking for lifestyle perks, CPP can help remove the hassle from their lives leaving them free to enjoy life. Globally, our Life Assistance products and services are designed to simplify the complexities of everyday living whether these affect personal finances, home, travel, personal data or future plans. When it really matters, Life Assistance enables people to live life and worry less.
Established in 1980, CPP has 11 million customers and more than 200 business partners across Europe, North America and Asia and employs 2,300 employees who handle millions of sales and service conversations each year.
In 2010, Group revenue was £325.8 million, an increase of more than 12 per cent over the previous year.
In March 2010, CPP debuted on the London Stock Exchange (LSE).
What We Do:
CPP provides a range of assistance products and services that allow our business partners to forge closer relationships with their customers.
We have a solution for many eventualities, including:
- Insuring our customers’ mobile phones against loss, theft and damage
- Protecting the payment cards in our customers’ wallets and purses, should these be lost or stolen
- Providing assistance and protection if a customer’s keys are lost or stolen
- Providing advice, insurance and assistance to protect customers against the insidious crime of identity fraud
- Assisting customers with their travel needs, be it an emergency (for example lost passport) or basic translation service
- Monitoring the credit status of our customers
- Provision of packaged services to business partners’ customers
For more information on CPP please visit www.cppgroupplc.com
CPP is an award-winning organisation:
- Top 50 Call Centres for Customer Service, 2009, 2010 and 2011
- Finalist in the Plc Awards, New Company of the Year, 2011
- Winner in the European Contact Centre Awards, Large Team of the Year category, 2010
- Finalist in the European Contact Centre Awards, Best Centre for Customer Service, Large Contact Centre of the Year categories, 2010
- Finalist in the National Sales Awards, Contact Centre Sales Team of the Year category, 2010
- Finalist in the National Insurance Fraud Awards, Counter Fraud Initiative of the Year category, 2009
- Finalist in the European Contact Centre Awards, Large Team and Advisor of the Year categories, 2009
- Named in the Sunday Times 2008 Pricewaterhouse Coopers Profit Track 100
- Finalists in the National Business Awards, 3i Growth Strategy category, 2008
- Finalist in the National Business Awards, Business of the Year category, 2007, 2009 and Highly Commended in 2008
- Named in the Sunday Times 2006, 2007, 2008 and 2009 HSBC Top Track 250 companies
- Regional winner of the National Training Awards, 2007
- Winner of the BITC Health, Work and Well-Being Award, 2007
- Highly Commended in the UK National Customer Service Awards, 2006
- Winner of the Tamworth Community Involvement Award, 2006. Finalist in 2008
- Highly Commended in The Press Best Link Between Business and Education, 2005 and 2006. Winner in 2007