Facebook Privacy Settings Putting Users At Risk

A security company is urging Facebook to tighten its default privacy settings after a study showed that a large majority of users are offering up far too much personal information to keep them safe from cybercriminals.

Sophos researchers reported their recommendations Tuesday after they took a random snapshot of 200 users in the London Facebook network, which is the single largest geographic network on the site, with more than 1.2 million members. They said they found that 75% of the social network's users allow their profiles to be viewed by any other member, regardless of whether or not they have agreed to be "friends"

It's not just a concern for individual users, either.

Sophos researchers noted that 25% of Facebook users revealed information relating to their work on their profiles, offering up details that could be used by cybercriminals to commit corporate ID fraud or infiltrate company networks.

"You wouldn't yell out your personal information in Times Square, so why would you post it for all to see online?" asked Graham Cluley, senior technology consultant at Sophos, in an e-mailed interview with InformationWeek. "The danger is that they might be sharing too much information, which they don't want strangers to see -- for instance, date of birth, personal photos, addresses, and other contact details... The information may be all that a cybercriminal needs to construct a highly targeted phishing e-mail or identity theft."

Cluley said they've seen evidence that the same amount of Facebook users in other geographic areas, such as the United States, expose their personal information to complete strangers.

He added that with more than 421,000 members in New York, 866,000 members in the Toronto area, and 476,000 in Vancouver, the social networking site can be extremely enticing for cybercriminals looking for prey. The Sophos study showed that 54% of users in the London network show their full date of birth, which is key information for identity thieves. Approximately 12,000 Londoners even give out their phone number to more than a million strangers.

Facebook is made up of thousands of networks around the world. Users are encouraged to join them in order to meet and make friends with people in their area. However, Sohpos pointed out that joining a network automatically opens a user's profile to every other member of the network.

Representatives with Facebook couldn't immediately be reached for comment.

"I was flabbergasted when I joined a network on Facebook using a profile which I thought was secure, only to find Facebook had changed a number of settings and was opening me up to millions of strangers," said Cluley. "Who was to say that cybercriminals weren't in that network, too? Is it right that Facebook works this way?"

Cluley also noted that if users look at their privacy settings, they should be able to see that they are sharing their data with other network members. "However, our suspicion is that most Facebook members are having too much fun zombie-biting each other or sending each other virtual cocktails to check if Facebook has silently changed their settings," he added.

He also said that Facebook should change the way the site handles profiles so they are hidden rather than visible by default.

"While Facebook's privacy features are far more sophisticated than competing social networking sites, too many members still aren't getting the message about how to use them effectively to help protect against ID theft," Cluley added. "Facebook has ultimately put these privacy options in place to protect its flock, so perhaps it's time for the networking phenomenon to take the next step and change its default settings so that when members join a network, they have to actively click to leave their details on show, rather than automatically letting it all hang out online."

In August, a study was released showing that workers at the office using social networking sites, like Facebook, are costing employers more than $5 billion a year and are putting corporate networks at risk of attack.

If one employee spends one hour of company time on Facebook every day, it potentially costs his or her employer more than $6,200 per year, according to security company SurfControl. Factored across 800,000 businesses, that one wasted hour a day adds up to a productivity loss of $5 billion annually.