Massively Insecure Identity

Towards the end of my workshop on Identity Management at the Massive Technology Show last week, one audience member noted that on social media sites like Facebook, we are starting to see more granular capabilities to protect privacy. But these security measures may just be window dressing, in my opinion.

This young man mentioned the new ability on Facebook to share photos or information only with a private group whose members are invited by you and people you trust. His point was that social networking sites in general seem to be going this way, so a significant improvement in privacy capabilities is possible. It may even be quick and easy for these sites to implement, and in this way, users will be protected.

I wish that his conclusion carried more weight. I pointed out the following scenario to illustrate how this kind of security precaution can be beaten using absolutely nothing new:

1. You are invited to a private Facebook group by a friend you trust.
2. You submit information to this group with the knowledge that only you and your trusted friend can see it.
3. While browsing the Internet at work, your friend clicks a link that allows a keylogger and other malware to infect his computer.
4. Your friend logs into Facebook. The keylogger records his username and password. Now the hackers have access.
5. Your information is no longer private.

As I concluded in my presentation, the way we distinguish between corporate security and security on social networking sites has become pretty much irrelevant. If your identity in one area is compromised, it is compromised in the other area as well.

Sorry to scare you. But it's important to be clear that when social networking sites add privacy settings, that protection doesn't really amount to much if your network (or your friend's network) gets compromised. Give the security of your computer the same weight as the security of the PIN for your bank account.