ID fraud and LinkedIn: a marriage made in heaven?

Have just written a pretty extensive blog on identity fraud, off the back of an interview I had with Jason Hart, managing director of authentication firm CryptoCard.

Aside from his current role, Jason has an impressive 17+ year history in the information security business, many of those years spent as an ethical hacker where he tried, and succeeded in most cases, to crack password systems.

As a former ethical hacker, Jason is the perfect person to articulate exactly how easy it is for cyber criminals to obtain the information they need to either socially engineer a cyber attack, crack an account password or commit some other kind of ID fraud. To put it simply: it’s incredibly easy. LinkedIn was highlighted as a particularly rich source of personal information for hackers, and given the social network’s professional slant, this could be a particular concern for IT managers if cyber crims see it as an easy way to compromise an employee’s PC.

The example he gave was of a fraudster trawling the network for any professionals who had just started a new role. They could email the victim pretending to be from HR, or IT requesting certain information or encouraging the user to click on a malicious link. Most would not even query whether this email or the sender was legitimate or not, he claimed.

It’s a simple technique made possible by virtue of the fact far too much info is being posted on these sites and is publicly available when it shouldn’t be. So whose fault is it? Facebook has been criticised in the past for the complexity of its privacy settings, while LinkedIn sent me a fairly unequivocal statement about where it expects the balance of responsibility to lie:

“As a member of LinkedIn, you have full control over what information you share with your connections and beyond.  Privacy settings allow you to control what information you make available to search engines through your public profile, and to control the messages you receive from LinkedIn and other users. The privacy settings also allow you to control visibility and accessibility throughout the web site.”

The problem here is visibility. LinkedIn’s fabled privacy settings are not the easiest to find, and, while certainly more simple to get to grips with than Facebook’s, may still cause some people issues. As with all security and privacy arguments, if usability is compromised too much, it renders any security obsolete. This is, after all, why so many sites still only offer static passwords to authenticate users rather than two-factor systems.

Ultimately though, the rather unsatisfying answer is probably that users will just have to get more savvy, and for savvy read disciplined, at screening their emails.