Could a rubber duck steal your identity on Facebook?

Filed Under: Data loss, Facebook, Social networks, Video

Two years ago, I took a small plastic frog given to me by my nephew, and used it to demonstrate how easy it was to extract personal information from complete strangers on Facebook.

Now, Sophos's Australian office has conducted the experiment again - and this time they found an even higher proportion of people were prepared to risk having their identity stolen.

With a $2 rubber duck they named Daisy Felettin, they created the profile of a 21-year-old single woman and sent out 50 friend requests to randomly-chosen strangers in the same age group.

With a picture of two cats on a rug they created 50-something housewife Dinette Stonily, and - again - sent out 50 friend requests to strangers in "her" age range.

The results are, quite frankly, disturbing.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Paul Ducklin (yes, that really is his name..), Sophos's head of technology in Asia Pacific, who oversaw the investigation, discovered that 46% of users approached were happy to become friends and revealed personal information to Daisy the rubber duck - despite having no clue who she was.

In fact, 89% of Daisy's new friends had published their full date of birth, 100% had revealed their email address, alongside other personal information which could be a boon to identity thieves and spammers.

Daisy the duck on Facebook

Dinette's newly found friends, however, were of an older demographic and were typically less willing to share their full date of birth (although in many cases it could still be derived from other information they provided), but an astonishing 23% were willing to offer their phone number. Additionally, an eyebrow must be raised as to why this older age group claimed to have 932 Facebook friends on average (the younger crowd had 220). How is it possible to ever call that many people "friends"?

Ten years ago it would have taken several weeks for con artists and identity thieves to gather this kind of information about a single person. Social networks have made it easier for the bad guys to scoop up information about innocent members of the public. Everyone must learn to be more careful about how they share information online, or risk becoming the victims of identity thieves.

Learn more about the Sophos investigation into how easy it easy to steal identities on Facebook, and advice from expert Paul Ducklin, on his blog.

, , , , ,

You might like

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and, and circle him on Google Plus for regular updates.