In today’s world of social networking sites, finding enough information to impersonate someone is trivial. The only difficult part of the process is tracking down an individual from, say, their email address to their profile on a MySpace or Bebo page. With the new OpenSocial initiative, this has become a lot easier to do.
Sites such as Spokeo, Spock and a whole host of others will gladly trawl all available OpenSocial social networks if supplied with an email address of a “friend.” The full list of services implemented depends on the site, but a full list of the services provided by Spokeo is available here. This stuff is a dream come true for identity thieves.
Let’s take an example. I decided to use my own email address and see what I could find out about myself. Now it should be noted that I do not take part in a lot of online social networking, so this should yield more results in most cases. Also, I deliberately set my status to “public” on the networks that I do frequent for the purposes of the experiment, as these services (luckily) will not trawl private pages.
The search showed my Bebo account, Picasa account, my personal blog, my Amazon WishList and all entries I have made to Digg.com. Note that OpenSocial does not include Facebook, so that did not show up. I have been careful to keep personal data off the Web, but had completely forgotten about the Picasa and Amazon pages.
For added effect, I decided to pick one of my friends at random and, using just their email address, find out as much about them as possible. Obviously I won’t call out the exact details, but here’s a taster: name, address, date of birth, photos, family members, location of work plus full education/work history, phone number, likes/dislikes, pets, and a whole lot more.
Considering that most banks ask for less information than that when changing details, you begin to get an idea of how big an issue this is.
My advice for people out there using social networking sites is to mark your profiles as private wherever possible. You could even use one of the services mentioned above to check what information you have left open—if you are comfortable giving them the logins to your accounts, of course.