Users of the Facebook social networking site are too gullible in giving up personal information, making them targets for identity theft, according to Sophos research.
Sophos fabricated a Facebook profile and asked 200 Facebook users at random to give up personal information. Sophos says its probe involved setting up a profile page for "Freddi Stauer," an anagram for "ID Fraudster," displaying a small green plastic frog that divulged personal information about the fictitious Freddi. Using Freddi as the front, Sophos sent out 200 friend requests to find out how many people would respond and what kind of personal information could be collected from the Facebook users.
"It's extremely alarming how easy it was to get users to accept Freddi," said Ron O'Brien, senior security analyst at Sophos, which makes security products for anti-malware and network-access control for business.
Out of the 200 friend requests, Sophos received 82 responses, with 72 percent of those respondents divulging one or more e-mail address; 84 percent listing their full date of birth; 87 percent providing details about education or work; 78 percent listing their current address or location; 23 percent giving their phone number; and 26 percent providing their instant messaging screen name.
Sophos says in most cases, Freddi also got access to respondents' photos of friends and family, plus a lot of information about personal likes and dislikes, and even details about employers.
Facebook users were all too willing to disclose the names of spouses and partners, with some even sending complete resumes. One facebook user divulging his mother's maiden name - the old standard used by many financial and other web sites to get access to account information.
Most people wouldn't give this kind of information out to people on the street but their guard sometimes seems to drop in the context of a friend request on the Facebook site, O'Brien says.
According to Sophos, the results of what it calls its Facebook ID Probe has significance for the workplace as well as personal life because businesses need to be aware that this type of social networking site may pose a threat to corporate security.
"They can put a significant strain on the network and can also expose confidential corporate data to malicious outsiders," O'Brien says.