Another day, another Facebook/MySpace security scare story:
People who use social networking sites are putting themselves at risk of identity theft, a credit information group has warned.
Members of sites such as MySpace, Bebo, Facebook and Friends Reunited may be revealing too much personal information online.
Criminals could use these details to steal someone’s identity and apply for credit and benefits in their name, according to credit information group Equifax.
So far no-one has shown that “identity thieves” have actually used social networking sites for such purposes, but that can be forgiven; they could just be cautious. And it’s true that the kind of information that could be used to gain access to sensitive data is put on these websites. What is objectionable is how this is somehow being spun as a flaw or fault in Facebook/MySpace when the truth is the total opposite: it is a flaw of the protocols banks and other institutions currently use.
The “security measure” of using your postcode, date of birth, hometown or mother’s maiden name to confirm your identity is and always has been a false one, a means of security theatre rather than proper protection, as none of these “private” details are either secret or revocable. Even if social network sites did not exist, it wouldn’t take much effort to wheedle out this kind of semi-private information from people (cold calling pretending to be from a polling organisation, or someone in the street with a fake petition, for example – wouldn’t work all the time but it could work enough). And if your date of birth or postcode is compromised, you cannot do anything to change it to re-establish the security of your account.
The answer to this security problem is not that people should be careful about giving this sort of information out, but that we need to come up with better means of authentication. Systems that allow you to choose your own password are more secure than ones that force it upon you – even if people will more often than not choose the obvious. But to do this would mean that banks, credit card firms and utility companies have to reform their own security protocols and make the effort to educate their customers on how to choose more secure means of authenticating themselves, and that’s much harder (and more expensive) than a scaremongering press release pointing the finger at somebody else.