Online social networks and data security

The use and adoption of Online Social Networks (OSNs) such as Facebook, Twitter and LinkedIn are increasingly prolific in South Africa, bringing with them the benefits of social connections, marketing opportunities and to a certain extent widened political discourse.
However, along with the great rewards of online social networks come great risks – few of which have been investigated or highlighted on our shores.
With a network like Facebook, which boasts more than 800 million users globally on PCs, laptops, tablets or mobile platforms, it is not difficult to see why those with dishonourable intentions would invest resources in finding ways to access the wealth of data that users voluntarily disclose.
Facebook users are already under siege from viruses, malware, automated attack tools, social engineering attacks, spear phishing, identity theft, rogue third-party applications and, most recently, Online SocialBots (malicious ‘bots’ that hack and assume control of social media accounts, or that “crawl” through your social network covertly stealing sensitive profile data).
While the security settings in an environment like Facebook offer users the opportunity to barricade their information, many are not aware of these settings or even of the potential damage that can be caused by the deluge of ‘hacking’ tools and social engineering techniques used by criminal syndicates.
A recent experiment conducted at British Columbia University saw the research team creating its own Online SocialBot Net that could create Facebook profiles, and send and accept friend requests. The SocialBot Net created more than 100 believable Facebook profiles using information from the network, which then sent out friend requests to random people.
The ‘Bots’ made between 20 and 80 friends each, collecting every bit of data about their new ‘friends’ through Facebook – because even the most restrictive privacy settings still expose your information to anyone you have accepted as a ‘friend’. What is even more alarming is that Facebook’s security system only picked up 20 of these Bots – which means that 80% of the threat to data security continued its work without being noticed.
It is clear that this was done in an experimental capacity, but it is expected that such attacks will become more prevalent as access to social networks increases with the growing reach of Internet accessibility. In low-cost labour environments such as India and China, workers are employed to create Facebook profiles that are then used to harvest data for marketing purposes.
What is worth noting, however, is that it is not only economic criminals who use underhanded means to access private information on social networks. Governments have used similar methods to monitor their citizens’ behaviour and beliefs, often responding to this information with legal action at the least, and physical violence or execution at the worst.
For example, the “Great Firewall of China” is the colloquial term given to the more than 60 laws and Internet regulations put in place by the government of the People’s Republic of China, and implemented by provincial branches of state-owned ISPs, companies and other organisations.
These restrictions are the most stringent in the world, and are used to both block content and to monitor the Internet usage of citizens. Offences for which online users have been jailed include signing petitions, communicating with groups abroad, and calling for government reform.
In the United States, Americans are grappling with two proposed bills – the Stop Online Piracy Act and the Protect IP Act – which, similar to the South African Protection of State Information Bill, conflict directly with the freedom of speech that has become synonymous with the online environment.
The German government was recently found to have been monitoring the online activities of certain citizens via its ‘Staatstrojaner’ (state trojan), which was found to collect private and sensitive data from citizens, and also allegedly provides a backdoor for remote code execution.
The role of social media in the popular uprising in Egypt in 2011 has been widely discussed in terms of how it was used to mobilise protests, but raids on the offices of the Egyptian secret police revealed documents outlining the purchase of FinFisher software which allowed the government to eavesdrop on and monitor all online communications between citizens. Transcripts of Facebook and Twitter activity were also found.
It should be the responsibility of the social networks themselves to protect information and educate their clients about security within their ecosystems. Online social networks are privately owned entities and exist for profit, and the use and protection of that data is at the discretion of whoever owns the network.
These networks are obliged to follow the law of the countries in which they were founded, so the regulation of how the networks each use these resources is governed by law. However, the law is not the same in every country, and users should not operate with the understanding that their country’s legislation will govern what happens on a network that is hosted abroad.
What is the way forward?
With great rewards come great risks, and there is no doubt that social networking will continue to play a huge part in our lives from a personal, professional, commercial, activism and citizenship point of view. It falls on both the service providers and the users of social networks to take an active role in securing the wealth of data that is freely uploaded every day.
Although the British Columbia University students breached Facebook’s security with relative ease, the network invests millions of dollars in security, and has provided a bounty to those who identify and report security flaws or vulnerabilities.
It also encourages ethical (white hat) hackers to provide feedback on its systems, and 89 members of this community have been acknowledged for their input.
Can it be said that security is therefore the responsibility of service providers and consumers of these technologies?
An example of a successful relationship is that of South African banks and their online customers. Banks spend millions of rands on security, fraud detection and prevention systems, and more importantly on consumer education around login details and other banking-targeted attacks like phishing.
However, social engineering attacks like phishing, spear phishing (which targets a particular customer using data gathered from Facebook and similar sources), smishing (SMS phishing), phone phishing and online 419 scams are evolving and on the increase in South Africa, because the profitability of these attacks for syndicates still remains high, with minimal effort on the part of the criminal.
The phishing attacks seem to target financial institutions in waves and tend to move from one bank to another. eBucks, First National Bank’s rewards programme which allocates rewards to loyal customers, is also subject to these types of attacks. The programme actively defends against the opportunistic criminals who seek to steal the value that our rewards offer.
Apart from deploying a plethora of security systems, my team has a large focus on offensive security techniques and tools which we constantly evolve. We also spend significant time and effort educating customers via all our channels around the latest scams, and we promote general online security awareness. This has helped us in successfully defending and limiting the damage done by some of the online scams mentioned.
Consumer education aims to inform customers about the potential dangers that abound in the online realm when it comes to the protection of one’s confidential information, with levels of awareness having increased dramatically in recent times.
However, it is worth noting that the kind of cautionary information given by banks should be applied to any interaction with the online environment: make sure you really know who you are dealing with, and even once you have established that someone really is who they say they are, don’t give out unnecessary or compromising personal information to anyone you don’t trust.
If you aren’t comfortable giving a piece of information to a stranger in real life then you should not share this information online as essentially it will live in the public domain – the Internet.
When it comes to governments monitoring online social activity, the very real need for state security needs to be balanced with the private rights of citizens, and an immediate challenge is going to be legislation that will respect these often contrasting imperatives. Security and privacy laws and policies will evolve over time to achieve an acceptable balance between governments, online and real world citizens and online corporates.
In the short term, companies planning on entering the social media world need to take cognisance of the issues raised in their drive to make the most of the opportunities offered by the online social networking space. Their plans need to respect the privacy of their target audiences, with robust and clear privacy policies and stringent controls over the use of the data they now hold as custodians, applying to both their employees and the third parties they engage.
By Kovelin Naidoo, CIO, eBucks