The Green Sheet Online Edition
March 23, 2009 • Issue 09:03:02
Antisocial online networking: ID theft
In a March 3, 2009 webinar, Melih Abdulhayogulu, Chief Executive Officer and Chief Security Architect for Internet security company Comodo, said the social networking Web site Facebook "is like a car with no seatbelt." The comment was made during a discussion of identity theft occurring through online social platforms.
In assessing the potential scope of the problem, Abdulhayogulu compared social networking to "phishing" scams perpetrated in the last decade. Phishing involves predators posing as banks or other trusted institutions to elicit sensitive information from e-mail users.
He said that phishing started "as a joke" in 1999 and 2000, but has since "become a multibillion dollar industry" and that data theft on social networks could mushroom in the same way.
"Phishing [uses] e-mail as a platform to distribute the spread [of fraud], whereas now we have social networking that allows itself to be the distribution network," Abdulhayogulu said.
He believes large-scale prevention is feasible but would require measures from both the users of social networking sites and the companies, like Facebook, that operate them.
"There is no single silver bullet - there has to be a layered approach," he said. He enjoined users not to share sensitive information online and to use applications that protect against malware. But he reserved most of his criticism for the online companies.
"We need to start utilizing the next level of [data security] technology," he said, adding that banks are already using such technology, as required by the Federal Deposit Insurance Corp.
"There's no reason why Facebook shouldn't be using those technologies to secure access for users."
Abdulhayogulu pointed out that, in general, the methods of identity verification used in the United States are outmoded. He added that less vulnerable identifiers are already in use in Europe.
"The systems we rely on are 50, 60, even 70 years old," he said. "We have to change what makes you unique. We use Social Security numbers, and nowadays there is no security around a Social Security number or your surname or your address.
"So what we [need to] change is what is used as a unique identifier, and once we put in cryptographic abilities ... it will be very difficult to forge." Abdulhayogulu also urged that we not wait for a "9/11 effect" before securing social network sites.
"We've seen this over and over - that technology adoption happens; then something happens that makes us think twice; then we try to include security," he said. "Banks have been able to keep [scams] under wraps to a level by simply giving out the money people lose from phishing... but social networks are not going to be able to compensate their users."