Sophos set up a profile page for Freddi Staur (an anagram of "ID Fraudster"), a small green frog who said almost nothing about himself. Sophos then sent out 200 random friend requests to see how many would respond, and how much personal information they would supply.
Of the 87 people who responded:
• 72% gave one or more e-mail addresses
• 84% listed their full date of birth
• 87% gave details about their education or workplace
• 78% listed their current address or location
• 23% gave their current phone number
• 26% provided their instant messaging screen name
Many also disclosed the names of their spouses or partners, several included their complete work histories, and one gave his mother's maiden name.
Some unwittingly gave Freddi access to their profile information simply by replying to his friend request with messages such as "Who are you?" and "Do I know you?" sent to his Facebook inbox: at the time, replying to a message allowed the original sender to view the replier's profile for the next seven days.
Sophos said users can protect their profiles from such exposure by adjusting the privacy controls in their Facebook account settings.
Graham Cluley, senior technology consultant at Sophos, said, "While accepting friend requests is unlikely to result directly in theft, it is an enabler, giving cyber-criminals many of the building blocks they need to spoof identities, to gain access to online user accounts, or potentially, to infiltrate their employers' computer networks."
Sophos has published a best-practice user guide for behaving securely on Facebook and other social network sites.