Technology November 20, 2008, 12:01AM EST

Cyberscams Befriend Social Networks

(page 2 of 2)

Despite their online security expertise, most accepted the request. And once the fake Ranum had several authentic connections within the industry, he looked even more credible to the next target. "I would have expected that the security community would have been a little more paranoid," Ranum says. The experiment proved to Moyer and Hamiel what they had suspected: Users of social networking sites expect little more proof of a friend's identity than a name, a photo, and a few bits of knowledge about their real life. "What if I wanted to get inside IBM?" asks Moyer. "What if I had wanted to get inside the [U.S. Defense Dept.]? Who else might Marcus know?"

Enforcement Hurdles

There's no easy solution for the social networking sites themselves. Each major networking site contains terms of service that prohibit posing as another user. "The rules of impersonation are pretty much the same on the Internet as off the Internet," says Gene Landy, principal with Boston-based law firm Ruberto, Israel & Weiner. In both places the severity of punishment hinges on how much harm is intended. Pretending to be an ex-girlfriend and posting embarrassing photos on Facebook, for example, would likely constitute a civil offense, Landy says. But almost any serious attempt at fraud—pretending to be someone else to obtain money or retrieve sensitive information—would likely be tried as a criminal offense, he explains.

Enforcing the rules online can be tricky for social networks that don't want to put off would-be users with a rigorous authentication process. Facebook maintains a long list of blacklisted names that bars users from registering with fictitious names such as Donald Duck and Evil Spock, two of the most popular false IDs, says Facebook's head of security, Max Kelly. The site also prohibits suspicious activity such as spamming users with hundreds of messages. But mainly it falls to users to be vigilant. "If you use Facebook the way we intend people to use Facebook, which is to model your real-world interactions, people won't be able to impersonate someone else," Kelly says. Still, he adds, "I'm not ruling out that we may look at other ways to verify people's identities in the future."

Security expert Moyer admits it would be difficult for LinkedIn to have measures in place that would have thwarted his experiment, but says LinkedIn and other sites should still take some steps to authenticate users. For one, he recommends that every new profile be stamped with a visible "born-on date" showing when the account was created; a freshly created account claiming to be a long-established industry figure is an obvious warning sign, and the stamp would impede scammers who cycle through many new accounts every day. He also suggests that sites build a peer warning system that lets users flag other accounts' suspicious activity for review.

Still, the best prevention method remains educating Web users to be more cautious of people in their networks. "When I get a friend request, I tend to ask people what T-shirt [they] wore the last time we had dinner," Moyer says.

A simpler way to check an identity is to spend some time on the person's profile: see how long the account has been active, whether the people in their network look like genuine acquaintances rather than a pile of recent connections, and whether the messages and multimedia they post reflect the personality of the person they claim to be.

When all else fails, it's probably best to be leery of requests for money or bank account information—especially when they emanate from deposed dictators.

Douglas MacMillan is a staff writer for BusinessWeek.com in New York.
