I’m ur Facebook, using ur mom’s maiden name

23 July 2007

Another day, another Facebook/MySpace security scare story:

People who use social networking sites are putting themselves at risk of identity theft, a credit information group has warned.

Members of sites such as MySpace, Bebo, Facebook and Friends Reunited may be revealing too much personal information online.

Criminals could use these details to steal someone’s identity and apply for credit and benefits in their name, according to credit information group Equifax.

So far no-one has actually shown that “identity thieves” have used social networking sites for such purposes, but that can be forgiven: they could just be being cautious. And it’s true that the kind of information that could be used to gain access to sensitive data is put on these websites. What is objectionable is how this is somehow being spun as a flaw or fault in Facebook/MySpace when the truth is the total opposite: it is a flaw in the protocols banks and other institutions currently use.

The “security measure” of using your postcode, date of birth, hometown or mother’s maiden name to confirm your identity is and always has been a false one, a means of security theatre rather than proper protection, as none of these “private” details are either secret or revocable. Even if social network sites did not exist, it wouldn’t take much effort to wheedle out this kind of semi-private information from people (cold calling pretending to be from a polling organisation, or someone in the street with a fake petition, for example – wouldn’t work all the time but it could work enough). And if your date of birth or postcode is compromised, you cannot do anything to change it to re-establish the security of your account.

The answer to this security problem is not that people should be careful about giving this sort of information out, but that we need to come up with better means of authentication. Systems that allow you to choose your own password are more secure than ones that force it upon you – even if people will more often than not choose the obvious. But to do this would mean that banks, credit card firms and utility companies have to reform their own security protocols and make the effort to educate their customers on how to choose more secure means of authenticating themselves, and that’s much harder (and more expensive) than a scaremongering press release pointing the finger at somebody else.
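To make the “not secret, not revocable” point concrete, here is an added example (mine, not from the post or from any bank’s actual system) that models the two kinds of check side by side: a static-attribute verifier that compares a mother’s maiden name and date of birth as stored, and a customer-chosen password stored as a salted PBKDF2 hash with a reset path. The class names, the sample name, date and passphrase are all constructed for the demo. It walks both through the same scenario: the detail leaks, the customer tries to recover, and we see which verifier still accepts the leaked value afterwards.

```python
"""Revocable vs. non-revocable authenticators (constructed demo)."""
import hashlib
import hmac
import secrets


class StaticAttributeVerifier:
    """Bank-style 'security question' check against fixed personal details.

    The details are stored and compared as-is; nothing here is secret in the
    cryptographic sense, and there is no way to issue the customer a new one.
    """

    def __init__(self, maiden_name: str, date_of_birth: str) -> None:
        self._record = (maiden_name.strip().lower().encode(), date_of_birth.encode())

    def verify(self, maiden_name: str, date_of_birth: str) -> bool:
        candidate = (maiden_name.strip().lower().encode(), date_of_birth.encode())
        return all(hmac.compare_digest(a, b) for a, b in zip(candidate, self._record))

    def revoke(self) -> None:
        # A date of birth or a mother's maiden name cannot be reissued once known.
        raise NotImplementedError("static personal details are not revocable")


class PasswordVerifier:
    """Customer-chosen secret stored as a salted PBKDF2 hash, with a reset path."""

    ITERATIONS = 100_000

    def __init__(self, password: str) -> None:
        self._store(password)

    def _store(self, password: str) -> None:
        # Fresh random salt per stored secret; only the derived digest is kept.
        self._salt = secrets.token_bytes(16)
        self._digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.ITERATIONS)

    def verify(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, self._digest)

    def reset(self, new_password: str) -> None:
        # Revocation: a new salt and digest make the old secret worthless.
        self._store(new_password)


def demonstrate_compromise() -> dict:
    """Walk both verifiers through 'detail leaks, customer tries to recover'."""
    # Constructed sample values, the kind a social profile would display openly.
    leaked_name, leaked_dob = "Smith", "1980-05-04"
    kba = StaticAttributeVerifier(leaked_name, leaked_dob)
    kba_before = kba.verify(leaked_name, leaked_dob)
    try:
        kba.revoke()
        kba_revocable = True
    except NotImplementedError:
        kba_revocable = False
    kba_after = kba.verify(leaked_name, leaked_dob)

    # Constructed sample passphrase; the same phrase is then assumed to have leaked.
    leaked_password = "correct horse battery staple"
    pw = PasswordVerifier(leaked_password)
    pw_before = pw.verify(leaked_password)
    pw.reset("a different phrase chosen after the leak")
    pw_after = pw.verify(leaked_password)

    return {
        "kba_accepts_leaked_before": kba_before,
        "kba_revocable": kba_revocable,
        "kba_accepts_leaked_after": kba_after,
        "password_accepts_leaked_before": pw_before,
        "password_accepts_leaked_after": pw_after,
    }


if __name__ == "__main__":
    for key, value in demonstrate_compromise().items():
        print(f"{key}: {value}")
```

The static-attribute verifier accepts the leaked details both before and after the customer tries to recover, because there is nothing to rotate; the password verifier rejects the leaked phrase as soon as a new one is stored. That asymmetry, not the social network that happened to display the details, is the weakness the post is pointing at.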


One Response

Apart from anything else, the whole mother’s maiden name/first school/first pet thing is so obviously pre-blogging. There have been times when I’ve wanted to mention my mother’s maiden name – or my mother-in-law’s maiden name, even – to the world at large; the way things are this would be an insanely reckless thing to do, roughly on a par with posting about How I Remember My PIN. It’s a stupid security system (not in a good way) – but it’s the only one we’ve got, so compromising it would only put us at risk. Twits.