The Architxt's Journal

13 Oct '09 | New Media Thoughts

Is Facebook helping phishers hack email accounts?

Social networks contradict themselves when they state in their terms that users should not share their accounts and passwords, and then ask people, during sign-up, to submit their web mail login details in order to ‘invite’ their friends to register too.

Earlier this month thousands of email accounts from providers such as Hotmail, Google Mail and Yahoo! Mail were compromised. If you haven’t heard about that you can read up about it on The Times Online.

Microsoft blamed phishing schemes rather than a breach of its own systems: “We are aware that some Windows Live Hotmail customers’ credentials were acquired illegally by a phishing scheme and exposed on a website.”

Google’s statement started on a similar note: “This is not a breach of Gmail security, but rather a scam to get users to give away their personal information to hackers.”

Facebook should take some of the blame

And so should MySpace, Friendster and other social networks out there that feature email harvesting functions which require users to submit their email account’s login details, such as Facebook’s Friend Finder function, Step 2 of the sign-up process:

(Screenshot: Facebook's first step of the sign-up process)

The system works like this. You enter your Yahoo! Mail login details, for example, and a Facebook script logs in to your mailbox with them, extracts the email addresses from your contacts list and fires off an email inviting each contact to join Facebook too.

It is a useful tool, I admit, but a risky one for two reasons:

  • Are we 100% sure that login details are not being recorded? Perhaps some criminally minded engineer is recording all this info on a USB stick…
  • If Facebook and MySpace are doing this, people will think that it’s a standard feature for social networks and that it’s OK to share their login details. Would you do the same on some obscure site?
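As an added illustration (not code from the original post, and not Facebook’s own code), here is a small Python checker that flags the pattern described above: a form on one site that collects a password for an account at an external web mail provider, so that the site rather than the mail provider receives the password. The HTML it scans is constructed for the demo; the provider keyword list and the `example.com` host are assumptions.

```python
"""Flag sign-up forms that ask for a third-party web mail account's password.

Added example, not from the original post. Parses HTML forms and reports any
password field that the surrounding text or field names tie to an external
web mail provider, while the form posts back to the site itself.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword list: providers named in the post, lower-cased for matching.
WEBMAIL_HINTS = ("hotmail", "gmail", "google mail", "yahoo", "windows live")


class FormScanner(HTMLParser):
    """Collects, per <form>, its action URL, visible text and password inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action", "text", "password_fields"}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "text": "", "password_fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password_fields"].append(a.get("name") or "")
            # placeholder text is shown to the user, so it counts as form text
            self._current["text"] += " " + (a.get("placeholder") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += " " + data


def find_third_party_credential_forms(html, site_host):
    """Return a list of findings, one per form that collects an external web mail password.

    A form is flagged when it has a password input, its text or field names
    mention a web mail provider, and it submits to the site's own host (the
    action is relative or points at site_host).
    """
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if not form["password_fields"]:
            continue
        haystack = (form["text"] + " " + " ".join(form["password_fields"])).lower()
        providers = [p for p in WEBMAIL_HINTS if p in haystack]
        if not providers:
            continue
        action_host = urlparse(form["action"]).hostname or site_host
        if action_host.endswith(site_host):
            findings.append({
                "action": form["action"],
                "fields": form["password_fields"],
                "providers": providers,
            })
    return findings


# Constructed sample: a Friend Finder style step next to an ordinary login form.
SAMPLE_HTML = """
<form action="/signup/step2" method="post">
  <h2>Step 2: Find friends already on the site</h2>
  <label>Your Yahoo! Mail address <input name="email" type="text"></label>
  <label>Your Yahoo! Mail password <input name="email_password" type="password"></label>
  <input type="submit" value="Find friends">
</form>
<form action="/login" method="post">
  <label>Username <input name="user" type="text"></label>
  <label>Password <input name="pass" type="password"></label>
</form>
"""

if __name__ == "__main__":
    for f in find_third_party_credential_forms(SAMPLE_HTML, "example.com"):
        print(f"form {f['action']!r} collects {f['fields']} for provider(s) {f['providers']}")
```

Only the sign-up step is reported; the site’s own login form asks for a password too, but nothing ties it to an external provider. The check is a heuristic for reviewing your own sign-up flows, not proof that credentials are stored, which is exactly the uncertainty the first bullet above raises.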

Ironically, Facebook prohibits this kind of thing

Point 4.6 of their terms states:

You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.

I posed this question to Mozelle Thompson, a former FTC Commissioner and a legal consultant at Facebook, the other day (he was in town for an IAPP conference and gave a talk where I work) and his reply was that it is a very useful tool and that, ultimately, its users have a choice to use it or not. Not much of an answer.

Less marketing, more security

I doubt that social networks will want to give up such a viral tool, so I’m wondering whether email providers can put a stop to this practice. Surely they’re unhappy about it?


  1. My account has been hacked Please help me.

    By Geraldine Narul on Nov 23, 08:11 PM | #

  2. Hi Geraldine,

    I’m afraid I can’t be of help.

    You should contact Facebook directly, perhaps reading their FAQs about security first.

    By Lawrence on Nov 23, 08:34 PM | #

  3. .net mag have published an article that echoes my concerns:

    The great password scandal

    I hope that this will help raise awareness of the issue.

    By Lawrence on Nov 26, 11:17 PM | #

  4. i found your link on .net’s blog. i am so glad this is being addressed somewhere on the web! i never use this function – if i want to be friends with those people i’ll do it myself. i don’t even like the applications because they get access to everyone you’re friends with. it’s all marketing data. ugh.

    By rayna diane on Nov 30, 07:17 AM | #

  5. rayna, it would be interesting to know what % of users of social networks do use ‘Friend Finder’ functions. Given they tend to be designed as an integral part of the sign-up process, with small ‘skip this’ links placed out of the way, I suspect this figure is high.

    I hope that .net’s article sparks a wider debate and perhaps some best practice too.

    By Lawrence on Nov 30, 11:33 AM | #
