Facebook Users Expose Passwords Online
NEW YORK, October 11, 2011 /PRNewswire/ –
CPP calls on people to separate personal information from online
Social media users are increasing their chances of identity fraud by
providing clues to their online passwords.
A study from security expert, Jason Hart, commissioned by life
assistance company CPPGroup Plc (CPP) [http://www.cppgroupplc.com] has
revealed that one third (32%) of Facebook profiles contain at least two
pieces of personal information such as their mother’s maiden name, date of
birth, hobbies or children’s names. This information is often also used as a
password or as an answer to a security question when users look to reset
their online account log-in details.
In the study, details including the name of the user’s first school
(64%), employer (46%), dates of birth (25%), children’s names (25%) and
favourite football team (17%) were found to be visible on many people’s
As the most active social media users, those aged 18 to 24 with a
Facebook account are the most likely to publicise their personal information
- and often to complete strangers. This age group has on average more than
250 friends but 81% say they do not trust all of their Facebook
‘friends’. Half (50%) have accepted a friend request from a total stranger
and 9% would accept an invitation from someone they did not know if they
were good looking or popular.
But it’s not just the 18 to 24 year olds who are making themselves
vulnerable – users of all ages are putting themselves at risk. One third
(33%) of all those with a Facebook account admit to accepting an invitation
from people they had never met before, with 38% confessing they don’t
know everyone they are friends with on the site.
Over half (52%) of the Facebook account holders questioned had received
friendship requests from strangers. And despite recent media controversy
around privacy and security on the site, one in twenty (6%) users allow
anyone and everyone to see their entire profile.
Danny Harrison, CPP’s [http://www.cpp.co.uk] identity fraud specialist,
is calling on individuals to not use personal information for online
passwords or security questions.
“It isn’t a good idea to use personal information for passwords online.
Sharing is the whole point of Facebook and other social media sites, so
users are naturally going to promote their personal information online. The
problem is this information could be used by fraudsters to reset passwords
and access people’s online accounts. To compound the problem, there are
tools available online that can capture keywords from a website, including a
Facebook profile, and others which will trial variations of the identified
keywords until a password match is found.
For this reason, we are advising people to not use personal information
as a means to verify their online identity and facilitate access to their
Personal information most commonly used as passwords:
1) Interests
2) Hobby
3) Favourite football team
4) Favourite football player
5) Children's names
6) First school
7) Pet's name
8) Dates of Birth
9) The user's name
10) Maiden name
Examples of how personal details visible on Facebook can be used by
Information Type | Potential Impact | Risk Factor
First School | First school is often used as a security question on web-based applications and social networks | High - if used as the answer to web-based security questions
Employer | An attacker can use this information to conduct a social engineering attack to target the user's employer | Medium to High - risk to the user and employer
Dates of Interest | People that publicly display their date of birth (DOB) are open to different forms of identity threat | High - as DOB is used by most banks as one form of identification
Email Address | This allows the user to become a potential target to password reset attacks and is a potential way to start spear phishing attacks | Medium to High - based on if the user is using a web based email address
Maiden Name | People that publicly display their maiden name also leave family members open to different forms of identity threat | High - maiden name is used by most banks as one form of identification
CPP’s top tips on protecting your personal data on social networking
- Set a unique password for every website: Always create a unique password for each website you use
- Personal information: Ensure that you are not posting any personal information on Facebook that can be used against you, for example date of birth, mother's maiden name or your email address
- Enforce two-factor authentication: A number of web based applications and social networking sites now provide users with the ability to remove the need for static passwords and allow them to enable two-factor authentication - removing the risks of your password being compromised
- Privacy settings on your social network profiles: Review the privacy settings on your social networks to ensure they meet your expectations. Social networks in general initially set privacy settings to defaults that allow anyone to view your information
- Don't use personal information to verify your online identity: If possible utilise other information or codes to construct a password, and consider using false information when asked to create a security question and answer
ICM interviewed a random sample of 2030 adults aged 18+ online between
9-11 September 2011, of whom 1,281 had a Facebook account. Surveys were
conducted across the country and the results have been weighted to the
profile of all adults. ICM is a member of the British Polling Council and
abides by its rules. Further information at http://www.icmresearch.co.uk
During September 2011 Jason Hart was commissioned by CPP to perform a
review of 250 public Facebook profiles, to identify any information that
could relate to an individual’s password and/or sensitive information that
could allow a potential targeted attack against the individual. At no point
during the research was any user’s data or online webmail accounts
Corporate Background Information
The CPPGroup Plc
The CPPGroup Plc (CPP) is an international marketing services business
offering bespoke customer management solutions to multi-sector business
partners designed to enhance their customer revenue, engagement and loyalty,
whilst at the same time reducing cost to deliver improved profitability.
This is underpinned by the delivery of a portfolio of complementary Life
Assistance products, designed to help our mutual customers cope with the
anxieties associated with the challenges and opportunities of everyday life.
Whether our customers have lost their wallets, been a victim of identity
fraud or looking for lifestyle perks, CPP can help remove the hassle from
their lives leaving them free to enjoy life. Globally, our Life Assistance
products and services are designed to simplify the complexities of everyday
living whether these affect personal finances, home, travel, personal data
or future plans. When it really matters, Life Assistance enables people to
live life and worry less.
Established in 1980, CPP has 11 million customers and more than 200
business partners across Europe, North America and Asia and employs 2,300
employees who handle millions of sales and service conversations each year.
In 2010, Group revenue was GBP325.8 million, an increase of more than 12
per cent over the previous year.
In March 2010, CPP debuted on the London Stock Exchange (LSE).
What We Do:
CPP provides a range of assistance products and services that allow our
business partners to forge closer relationships with their customers.
We have a solution for many eventualities, including:
- Insuring our customers' mobile phones against loss, theft and damage
- Providing assistance to cancel and reorder customer's payment cards should these be lost or stolen
- Providing assistance and protection if a customer's keys are lost or stolen
- Providing advice, and assistance to help customers in the event their identity is fraudulently used
- Assisting customers with their travel needs be it an emergency (for example lost passport), or basic translation service
- Monitoring the credit status of our customers
- Provision of packaged services to business partners' customers
CPP is an award winning organisation:
- Top 50 Call Centres for Customer Service, 2009, 2010 and 2011
- Finalist in the Plc Awards, New Company of the Year, 2011
- Winner in the European Contact Centre Awards, Large Team of the Year category, 2010
- Finalist in the European Contact Centre Awards, Best Centre for Customer Service, Large Contact Centre of the Year categories, 2010
- Finalist in the National Sales Awards, Contact Centre Sales Team of the Year category, 2010
- Finalist in the National Insurance Fraud Awards, Counter Fraud Initiative of the Year category, 2009
- Finalist in the European Contact Centre Awards, Large Team and Advisor of the Year categories, 2009
- Named in the Sunday Times 2008 PricewaterhouseCoopers Profit Track 100
- Finalists in the National Business Awards, 3i Growth Strategy category, 2008
- Finalist in the National Business Awards, Business of the Year category, 2007, 2009 and Highly Commended in 2008
- Named in the Sunday Times 2006, 2007, 2008 and 2009 HSBC Top Track 250 companies
- Regional winner of the National Training Awards, 2007
- Winner of the BITC Health, Work and Well-Being Award, 2007
- Highly Commended in the UK National Customer Service Awards, 2006
- Winner of the Tamworth Community Involvement Award, 2006. Finalist in 2008
- Highly Commended in The Press Best Link Between Business and Education, 2005 and 2006. Winner in 2007
For more information on CPP click on http://www.cppgroupplc.com
1. According to the ICM research, 19% of 18-24 year old Facebook users
say they trust everyone they are friends with on Facebook. 100% – 19% = 81%
2. According to the ICM research, 62% of 18-24 year old Facebook users
say they know everyone they are friends with on Facebook. 100% – 62% = 38%
3. According to research and analysis by Jason Hart
4. Social engineering is a term used to describe accessing needed
information (for example, a password) from a person rather than breaking
into a system. Social engineering is similar to hacking in that it is used
to gain unauthorised access to systems or information to commit fraud,
network intrusion, industrial espionage, identity theft or a simple
disruption. However, social engineering is generally much easier than
technical intrusion (hacking), as it does not require the technical know-how
or background to be completed successfully. Rather, it simply involves
having personal information.