Facebook attacks likely to rise
Posted January 30, 2009 at 10:41 pm in Privacy

The Red Tape Chronicles over at MSNBC.com have posted an interesting story titled Facebook ID theft targets ‘friends’ that highlights an attack on Bryan Rutberg. The gist of the article is that Mr. Rutberg’s Facebook account was hacked and then exploited for money. In typical playbook manner the hackers cracked his password, changed the account’s password, and posted a few fake messages to his profile claiming an emergency and seeking financial help. They even took the additional step of “de-friending” his wife so he would be unable to post a message stating his account had been hacked. The hackers extracted $1,200 from their scam. This Nigerian-style attack isn’t that different from any other Nigerian attack carried out on any other platform (MySpace, LinkedIn, etc.).
Mr. Rutberg, being an employee at Microsoft, should have kept a few security best practices in mind. Before signing up for any service offered on the Internet one should recognize the risks involved. This is especially true for websites like Facebook where every facet of one’s life is involved. I know it’s tedious, annoying and time-consuming, but read the privacy policy, the terms of service, and even the FAQ. Reading these documents in advance will shine light on what the service will and will not provide. I often find the FAQ, if one is provided, to be the summarized version of many of these documents. It wouldn’t hurt to do a little research online about these services as well. I know it is often tempting to rush into something new because it’s trendy and everyone in your life is doing it, but let me remind you that this is the same psychological principle used in Ponzi schemes, where even the biggest “stars” on the planet lose their money.
The rest of this article I’d like to dedicate to Facebook. Facebook is a free social networking service that allows millions of people worldwide to connect with one another. This is also the platform that hackers dream of. All critical and personally identifiable information is available almost instantly once an account has been compromised. How do hackers (crackers, technically) hack a Facebook account? They use password crackers. Browse over to https://login.facebook.com/login.php. All you need is the target’s email address, which is easily obtained with a few phone calls at most. You enter the email address and begin the arduous process of guessing the right password. If you have local access to the target’s system it isn’t hard to browse their cookies, especially the “login_x” cookie provided by Facebook. It should contain something like this:

a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A20%3A%22john%40doe.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D

As you can see amongst the percent-encoded hex escapes (%3A is a colon, %22 a double quote, %40 the @ sign), the email address the target uses to log into Facebook is john@doe.com.
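The cookie above is a URL-encoded PHP serialize() array, which is why the address is readable once the escapes are undone. The following decoder is an added example (not code from the original post or from Facebook) that shows exactly what such a cookie discloses and why a client-side cookie should never carry plaintext identifiers. The sample cookie is constructed here with consistent string lengths; the value printed in the post declares s:20 for the 12-character address john@doe.com, presumably because the real address was redacted, and a strict parser rejects it on that length check.

```python
from urllib.parse import unquote

# Constructed sample of a "login_x"-style cookie value (not a real capture).
SAMPLE_COOKIE = (
    "a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A12%3A%22john%40doe.com%22%3B"
    "s%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D"
)

# The value exactly as printed in the post: s:20 for a 12-character string.
PAGE_COOKIE = (
    "a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A20%3A%22john%40doe.com%22%3B"
    "s%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D"
)


def php_unserialize(data: str, pos: int = 0):
    """Parse the subset of PHP's serialize() format used in the cookie:
    a (array), s (string), b (bool), i (int), N (null).
    Returns (value, position just after the parsed value)."""
    tag = data[pos]
    if tag == "N":
        if data[pos:pos + 2] != "N;":
            raise ValueError("bad null at offset %d" % pos)
        return None, pos + 2
    if tag in ("b", "i"):
        end = data.index(";", pos)
        raw = data[pos + 2:end]                 # skip 'b:' or 'i:'
        return (raw == "1" if tag == "b" else int(raw)), end + 1
    if tag == "s":
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])       # declared byte length
        start = colon + 2                       # skip ':"'
        value = data[start:start + length]
        # The declared length must line up with the closing '";'.
        if data[start + length:start + length + 2] != '";':
            raise ValueError("string length mismatch at offset %d" % pos)
        return value, start + length + 2
    if tag == "a":
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])        # number of key/value pairs
        p = colon + 2                           # skip ':{'
        result = {}
        for _ in range(count):
            key, p = php_unserialize(data, p)
            val, p = php_unserialize(data, p)
            result[key] = val
        if data[p] != "}":
            raise ValueError("unterminated array at offset %d" % p)
        return result, p + 1
    raise ValueError("unsupported tag %r at offset %d" % (tag, pos))


def decode_login_cookie(cookie: str) -> dict:
    """URL-decode the cookie, then unserialize it into a Python dict."""
    value, _ = php_unserialize(unquote(cookie))
    return value


def cookie_is_well_formed(cookie: str) -> bool:
    """True if the cookie parses with consistent lengths, False otherwise."""
    try:
        decode_login_cookie(cookie)
        return True
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    print(decode_login_cookie(SAMPLE_COOKIE))
    print("page value well-formed:", cookie_is_well_formed(PAGE_COOKIE))
```

From a defender’s side the decoded dict is the point: the account identifier sits in the clear on disk, so any process that can read the browser profile learns which address to target, and the remember_me_default flag tells it whether a persistent session is in play. A cookie that holds only an opaque session token discloses neither.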
This process can be automated with a program that attempts to brute force the correct password, but it is much simpler with more knowledge about the target, such as their full name, the names of their family members, pet names, favorite sports teams, favorite musical groups and movies, etc. Facebook’s password policy is reminiscent of the password policies of the late ’90s. The password must be a minimum of 6 characters. No mix of character classes, such as numbers, special characters, or a combination of the sort, is required. Facebook does provide for case-sensitive passwords, but this isn’t usually an obstacle if the attacker has strong knowledge of the target. The attacker will be able to make an educated guess as to which characters should be upper case and which should be lower case in any given password. People aren’t likely to capitalize the ‘a’ in “packers”; they’re more likely to capitalize the ‘P’ and ‘C’ characters.
While we’re on the topic of Facebook passwords, why is there no requirement to change this password every 90 days at a minimum? I understand that changing passwords every so often is an inconvenience, but it does provide a more robust password system. Facebook should also require a combination of letters, numbers, and special characters and a minimum password length of 8 characters. They should also require the answer to your security question in addition to your old password in order to change your password. I realize many users will find this extra step an inconvenience and mutter a few impolite words under their breath, but if an attacker has your password and wishes to change it to something else, this extra question may be your saving grace. As their password policy stands, I could spend the next year trying to crack a target’s password without having to worry about that password changing. This is unacceptable.
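To make the two recommendations concrete, here is an added example (my own illustration, not Facebook’s code) of a policy checker that can model both the 6-character, any-characters policy described above and the stricter 8-character, mixed-class policy proposed here, alongside a change-password routine that refuses to proceed unless both the old password and the security answer check out. The Account class, its PBKDF2 parameters and the sample credentials are all constructed for the example.

```python
import hashlib
import hmac
import os
import string

SPECIAL = set(string.punctuation)


def policy_failures(password: str, min_length: int = 8, require_mix: bool = True) -> list:
    """Return the rules a password violates. The defaults model the stricter
    policy proposed in the post; min_length=6, require_mix=False models the
    2009 Facebook policy it criticises."""
    failures = []
    if len(password) < min_length:
        failures.append("shorter than %d characters" % min_length)
    if require_mix:
        if not any(c.isalpha() for c in password):
            failures.append("no letters")
        if not any(c.isdigit() for c in password):
            failures.append("no digits")
        if not any(c in SPECIAL for c in password):
            failures.append("no special characters")
    return failures


def _hash(secret: str, salt: bytes) -> bytes:
    # Salted, slow hash; iteration count is a constructed example value.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _normalize_answer(answer: str) -> str:
    # Security answers are compared case-insensitively, ignoring padding.
    return answer.strip().lower()


class Account:
    """Constructed in-memory account storing only salted hashes."""

    def __init__(self, password: str, security_answer: str):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.answer_hash = _hash(_normalize_answer(security_answer), self.salt)

    def verify(self, password: str) -> bool:
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def change_password(self, old_password: str, security_answer: str, new_password: str):
        """Require BOTH the old password and the security answer; an attacker
        holding only the stolen password is stopped at the second check."""
        if not self.verify(old_password):
            return False, "old password incorrect"
        answer_ok = hmac.compare_digest(
            self.answer_hash, _hash(_normalize_answer(security_answer), self.salt))
        if not answer_ok:
            return False, "security answer incorrect"
        failures = policy_failures(new_password)
        if failures:
            return False, "new password rejected: " + ", ".join(failures)
        # Re-salt on change so old hashes cannot be compared to new ones.
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new_password, self.salt)
        self.answer_hash = _hash(_normalize_answer(security_answer), self.salt)
        return True, "password changed"


if __name__ == "__main__":
    print("old policy:", policy_failures("packers", min_length=6, require_mix=False))
    print("proposed policy:", policy_failures("packers"))
    acct = Account("packers", "Lambeau")
    print(acct.change_password("packers", "lambeau", "Go-Pack3rs!"))
```

Under the 2009-style policy “packers” is accepted; under the proposed one it fails on length, digits and special characters at once, which is the cheap part of the fix. The second check in change_password is the part that matters in Mr. Rutberg’s case: a stolen password alone no longer lets the intruder lock the owner out.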
The amount of personally identifiable information available on Facebook is astounding at times. The information can be so useful that Federal agencies like the CIA are able to use it to recruit people. Think for a moment what information may exist on your own profile: your name, your friends’ names, images of you and your friends, your phone number, your alma mater, your past and current employers, your significant other, your address, your email address (harvesters!), your favorite books, your favorite music, your favorite movies, your favorite quotes, books you want to / may be / are currently reading, Web links you find interesting, etc. This is only the information YOU provide to Facebook. Their own terms of service state: “Facebook may also collect information about you from other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service through the operation of the service (e.g., photo tags) in order to provide you with more useful information and a more personalized experience.”
If you have a Facebook account, take a few minutes to browse your friends or your friends’ friends and read all of the information they provide. Could you learn enough about someone to pretend to be them on the phone? Many people provide this information freely without giving it a second thought. Why is this? Most believe that this information is kept private, or at least kept amongst their friends (or whoever they’ve allowed the information to be released to within their settings). If I were stealing identities, Facebook is where I would start. Building a network of possible targets takes only the ability to befriend one person on the site. As the phrase “six degrees of separation” suggests, this easily grows into a large network, as the more people you send friend requests to, the more of them believe you know another one of their friends… and who doesn’t want more friends? A rule of thumb: if you don’t know the person, do not accept their friend request. If one of your friends vouches for this person, then think about it; otherwise, ignore it.
One critical piece of information I would like to highlight that Facebook is capable of collecting from you is your credit card information. This option is available in your settings and, when clicked, merely brings up a form to enter your information. Nowhere does it offer a reason why this option may exist. I imagine it is related to their gifts option or business solutions, but I find it extremely suspicious that a social networking site that is free to everyone worldwide would have the ability to store my credit card information. Looking at the SSL certificate for the credit card form webpage, the owner information states “This web site does not supply identity information.” and it is verified by Equifax Secure Global eBusiness CA-1. At least it’s 1024-bit. I am unwilling to provide credit card information to Facebook, so I am not able to elaborate further on this issue, but due to its financial and personal importance the issue must be raised.
Lastly, Facebook users will find it difficult to contact Facebook directly. As Mr. Rutberg’s case illustrates, Facebook’s support and customer service department is non-existent. I am interested in learning their prioritization system when it comes to helping their customer base. Do they use an internal code system that differentiates between average user problems, such as forgotten passwords, and real-time emergencies? Facebook provides no phone support for those of you who do not possess a Facebook account; your only option is to contact them via their website.
For more information regarding criticism of Facebook, browse over to the Wikipedia article Criticism of Facebook.
Bryan
February 2, 2009 at 4:34 pm

Rutberg here. Good points all. As a tech professional I really am aware of the risks. My feeling is not that I should not have been hacked; that’s just human nature. Bad guys will hack and bad guys will try to con innocents like my friends. My points are,
1. that FB could do more to authenticate users and make it harder for hackers to take over users’ pages
2. FB could do more to educate users, both *generally* about how to avoid hacking (such as your excellent advice above) and to watch out for scammers if a friend’s page should be hacked; and *specifically* by highlighting current scams to its users. Awareness and a vigilant service provider equals fewer opportunities for hackers. It’s like policing – sometimes you just wanna move the bad guys along to the next block and make it someone else’s problem. FB is big enough now that they should have an education program.
3. FB *must* provide a way for users to get their pages shut down more quickly if they do fall victim to id theft and a hacked page. It took me an unnecessarily long time to get my page shut down, and *I* got lucky due to my cousin’s connection who works at FB. If I hadn’t had that connection, the scammer could have operated for a lot longer using my account.
Thanks for increasing the exposure of this story.
Adam
February 2, 2009 at 10:20 pm

Excellent points Bryan. In regards to your third point, perhaps Facebook could issue an API key or prompt a user for a password that would easily enable their profile to be frozen. By frozen I mean temporarily shut down or unavailable to any other member of Facebook or the web robots. Not only would this help prevent an incident like yours but would also increase the forensic abilities of Facebook and possibly the authorities if the situation warrants their involvement. Obviously the management of this API key or password would be critical but might be something worth looking into. Any which way you look at it though I agree Facebook does need to upgrade their security and security awareness.