Hackers' Gateway to Identity Theft

by Sonal Desai    Jul 17, 2009

To retain customer confidence and enable active participation by enterprises, social networking sites will need more robust protection in areas such as password resets, cross-site scripting, virus hosting, etc.

A recent incident involving hacking of Twitter has brought to light a weak defence system.

According to TechCrunch, a hacker sent it the Twitter information. The hacker said that Twitter expected its first revenue to be a modest $400,000 in the third quarter of this year, followed by a more robust $4 million in Q4 and $140 million by the end of next year. TechCrunch said the information is dated February 2009.

By the end of 2013, Twitter hoped to have signed up 1 billion users, post $1.54 billion in revenue, employ 5,200 people and make $111 million in net earnings, the document said.

This only goes to show that most social networking sites still lack a robust security system. "Most social security sites do not use SSL, thereby the session ID of their user, which is included in the URL, sits on a proxy. Hackers use this effectively to gain entry. Also, password recovery features of employees' private email account get compromised as in the case of Twitter," said T. R. Madan Mohan, managing partner at Browne and Mohan.
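The exposure described in the quote above can be checked from the proxy side. The following is an added example, not part of the original article: it scans constructed proxy log lines for session identifiers carried in URLs and produces redacted lines fit for storage. The log format, parameter names and hostnames are assumptions.

```python
import re

# Parameter names often used for session tokens (assumed list; extend per application).
SESSION_KEYS = ("sid", "sessionid", "session_id", "phpsessid", "jsessionid")

# Matches "?sid=...", "&sid=..." and path parameters such as ";jsessionid=...".
TOKEN = re.compile(r"([?&;](?:%s)=)([^&;#/?\s]+)" % "|".join(SESSION_KEYS), re.I)

# Constructed sample lines: "<time> <client> <method> <target> <status>".
SAMPLE_LOG = [
    "2009-07-17T10:01:02 10.0.0.5 GET http://social.example/home?sid=9f8e7d6c5b4a&tab=feed 200",
    "2009-07-17T10:01:09 10.0.0.7 GET http://social.example/profile;jsessionid=A1B2C3D4?view=full 200",
    "2009-07-17T10:02:30 10.0.0.5 CONNECT mail.example:443 200",
    "2009-07-17T10:03:11 10.0.0.9 GET http://news.example/story?id=42 200",
]

def audit(lines):
    """Return one finding per logged request whose URL exposes a session ID."""
    findings = []
    for line in lines:
        when, client, method, target, status = line.split()
        if method == "CONNECT":
            # TLS tunnel: a non-intercepting proxy records host:port only, never the URL.
            continue
        names = [m.group(1)[1:-1].lower() for m in TOKEN.finditer(target)]
        if not names:
            continue
        redacted = TOKEN.sub(r"\1[REDACTED]", target)
        findings.append({
            "client": client,
            "params": names,
            # True when the request travelled without TLS, so the full URL was logged.
            "cleartext": target.lower().startswith("http://"),
            "safe_line": " ".join([when, client, method, redacted, status]),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding["client"], finding["params"], finding["safe_line"])
```

The CONNECT line produces no finding because a tunnelled request leaves only the host and port in the log, which is why moving the session to TLS and out of the URL removes this exposure.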

According to him, the Twitter data leak is a clear case of administration failure. Another area where most social networking sites are weak is password resetting. While they have some pretty basic password length and recovery features, resetting a password is not foolproof. Most commercial sites allow only an administrative reset feature and apply IP-address restrictions, which may look draconian but are effective principles.

It may be recalled here that YouTube used to suffer from cross-site scripting issues, where hackers injected unauthorized code into the site, making it look official. At times, it still suffers from video files that host Trojans and other viruses.

"Identity theft is a vulnerability on social networking sites. It's always important not to leave open complete profile and contact information. It is an area that needs user education," said Mohan.

This should especially ring true since social networking sites are getting corporatised and inviting CXOs to form communities. But only a handful of such businesses, notably Dell and Microsoft, have official representation. Others have blogs and interactive forums on their Internet and Intranet.

Large corporates choose to have representation on social networking sites from marketing communication and messaging perspectives. What these actors use social networking for is information dissemination; no firm is yet at a stage where it influences consumer purchase decisions.

Social networking sites in India have been primarily used for informal social interactions (Yuvacafe, Fropper, Allindians.com, etc.) or from a career perspective (LinkedIn, Facebook). Currently, most of these are used to enhance marketing networks, background verification, and career advancement. Executives use them more informally, and as a medium, social networking sites are yet to be effectively integrated by corporates. Going forward, companies surely would attempt to use them more for key user group management, creation/identification of decision influencers, recruitment, etc.

But it will certainly need some more hand-holding, and a lot more convincing that these are indeed safe for CXOs. Meanwhile, the Twitter leak has also put a question mark over rumours of an alleged acquisition by Google.
