Social Engineering Social Networking Services: A LinkedIn Example

by Nitesh Dhanjani

The term Identity Theft is usually assumed to refer to a malicious entity abusing someone's credit information to commit financial fraud. This continues to be a big problem, but I'd like to extend the problem of identity theft to the social-networking aspects of so-called Web 2.0 applications. I feel this is an important topic of discussion because, unlike technical vulnerabilities that can be remediated with a software patch, the problem at hand is a design issue that poses significant risks to society's ability to securely leverage the usefulness of social networking.


2007-08-28 12:16:09
1. how do we solve the identification problem in real-life social networks (both formally & informally)?
2. are those solutions applicable to the virtual, on-line world?

two ways, one formal & one informal, that i can immediately think of are central authority & web-of-trust.

central authority: you go to an age-restricted club and the bouncer asks to see your ID. why? because he trusts the state government to verify what you look like and how old you are. is it a perfect system? no, as proven by 9/11 and the driver's license pranks on youtube, but it works well enough.

web-of-trust: you are meeting up with friends at a bar and a friend walks in with someone. you don't recognize the person, but you know your friend is very selective about who she socializes with, so you have no hesitancy greeting her and her guest. this compared to another friend who later walks in with someone, but she shows no discretion in picking up guys (like stray dogs), so you keep your distance (socially & physically).

or maybe you meet someone randomly and in talking learn you have a mutual acquaintance. the next time you speak to the mutual acquaintance you ask them about the person you met. (this is like paypal's verified/unverified user where you have limited privileges as an unverified user but can become verified at any time.)

we don't have government issued email addresses (except for government employees), but is there something similar (besides certificate authorities), though maybe not "official"?

for web of trust we have PGP, but what about applying those concepts to the web? maybe something as simple as a user's OpenID provider publishing an xml document listing OpenIDs and associated names that the user has personally verified and trusts. maybe have an aspect like OpenID where you are queried before you release your trusted list and you can choose to release a subset (you don't want your friend bob to know you are still friends with his ex-wife).

MySpace's repudiation system would work if there was a strong enough incentive, but when the goal is to have the most friends, who cares about validating usernames (everything to gain & nothing to lose).
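The published-trust-list idea in the comment above can be made concrete. The following is an added example, not code from the post or from any commenter: it assumes a hypothetical `<trustlist>` XML format, constructed example OpenIDs under `.example` domains, and an in-memory stand-in for fetching a user's list from their provider. It walks the released lists breadth-first to find a chain of personal introductions from a viewer to a target, honours the "release only a subset to this requester" rule, and uses the name the last voucher recorded to check whether a profile's claimed name is consistent with what the viewer's web of trust actually verified.

```python
"""Web-of-trust lookup over published OpenID trust lists (hypothetical format)."""
import xml.etree.ElementTree as ET
from collections import deque

# Constructed sample documents: each user's OpenID provider publishes the
# OpenIDs and names that user has personally verified. Format is hypothetical.
TRUST_DOCS = {
    "https://alice.example/": """<trustlist owner="https://alice.example/">
  <trusted openid="https://bob.example/" name="Bob Smith"/>
  <trusted openid="https://carol.example/" name="Carol Jones"/>
</trustlist>""",
    "https://bob.example/": """<trustlist owner="https://bob.example/">
  <trusted openid="https://alice.example/" name="Alice Brown"/>
  <trusted openid="https://dave.example/" name="Dave Lee"/>
</trustlist>""",
    "https://carol.example/": """<trustlist owner="https://carol.example/">
  <trusted openid="https://alice.example/" name="Alice Brown"/>
</trustlist>""",
    "https://dave.example/": """<trustlist owner="https://dave.example/">
  <trusted openid="https://bob.example/" name="Bob Smith"/>
</trustlist>""",
}

# Constructed release policy: entries an owner withholds from a given requester
# (Alice does not let Bob see that she still trusts Carol).
WITHHELD = {
    ("https://alice.example/", "https://bob.example/"): {"https://carol.example/"},
}


def parse_trustlist(xml_text):
    """Return (owner, {openid: verified_name}) from one trust-list document."""
    root = ET.fromstring(xml_text)
    if root.tag != "trustlist" or not root.get("owner"):
        raise ValueError("not a trustlist document")
    entries = {}
    for e in root.findall("trusted"):
        oid, name = e.get("openid"), e.get("name")
        if oid and name:          # ignore malformed entries rather than trusting them
            entries[oid] = name
    return root.get("owner"), entries


def fetch_released(owner, requester):
    """Stand-in for asking the owner's provider for the subset released to requester."""
    doc = TRUST_DOCS.get(owner)
    if doc is None:               # unknown OpenID: no list, so nothing is vouched for
        return {}
    _, entries = parse_trustlist(doc)
    hidden = WITHHELD.get((owner, requester), set())
    return {oid: name for oid, name in entries.items() if oid not in hidden}


def trust_path(viewer, target, max_hops=2):
    """Breadth-first search from the viewer over released trust lists.
    Returns the chain of OpenIDs linking viewer to target, or None when the
    target is not reachable within max_hops introductions."""
    parent = {viewer: None}
    queue = deque([(viewer, 0)])
    while queue:
        current, depth = queue.popleft()
        if current == target:
            path = []
            while current is not None:
                path.append(current)
                current = parent[current]
            return path[::-1]
        if depth == max_hops:
            continue
        for oid in fetch_released(current, viewer):   # the viewer is the requester
            if oid not in parent:
                parent[oid] = current
                queue.append((oid, depth + 1))
    return None


def vouched_name(viewer, target, max_hops=2):
    """Name that the last link of the chain recorded for the target, or None
    when nobody the viewer (transitively) trusts has verified that OpenID."""
    path = trust_path(viewer, target, max_hops)
    if path is None or len(path) < 2:
        return None
    voucher = path[-2]
    return fetch_released(voucher, viewer).get(target)


def profile_is_consistent(viewer, target, claimed_name):
    """True only if someone in the viewer's web of trust verified this OpenID
    under exactly the name the profile claims; otherwise treat it as a stranger."""
    name = vouched_name(viewer, target)
    return name is not None and name == claimed_name


if __name__ == "__main__":
    me = "https://alice.example/"
    print(trust_path(me, "https://dave.example/"))
    print(profile_is_consistent(me, "https://dave.example/", "Dave Lee"))
    print(profile_is_consistent(me, "https://mallory.example/", "Dave Lee"))
```

Because every list is fetched as the viewer, a withheld entry is invisible not only to that requester directly but also to any chain that would have passed through it, which is the behaviour the "release a subset" idea implies.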

2007-09-05 12:59:08
i believe the issue at hand is whether internet users want to be identified at all. to answer unknown's questions:

1. there is no need or desire to solve the "problem". i'm fangman, that's all you need to know. perhaps we'll meet again someday, perhaps not. and that's OK by me, and likely by you.
2. understanding #1, this question is moot.

in certain cases, internet users need to be identified and it is handled in an appropriate manner, creating an identity for that person (e.g. banks, insurance, travel). in other cases, they do not (e.g. the core of the person, everything personal actually interesting about them: religious affiliation, hobbies, friends, location, etc., AKA social networking sites). i'd argue that the success of online social networks has thrived because of the anonymity (the same can be said for the internet in general); it allows people to live out their fantasies in a semi-real environment. besides, those using such sites most often don't really *know* people they're linked with or have listed as their friends. if you want proof of this, look up Jenna Jameson's friends on MySpace, then become one yourself.

that said, i understand nitesh's argument. sure, there are people that could social engineer others into "linking in" to a fake profile, and other shenanigans; however most humans operate ethically and honestly, and wouldn't even make this attempt, as for most there is not much to gain in doing so. you'd have to be a really bitter and vindictive person to go creating negative online personas of a person. seek counseling if that is you.

on the flip side, much is to be gained by someone creating a fake "positive" identity of themselves online, so when that job recruiter looks them up they shine. in my experience, most people are narcissistic, or at least believe it is ethical or "less wrong" to create a positive persona of themselves. i offer up any autobiography as proof of this, as well as most people's resumes.

finally, it's easy for us to forget that there are many, many people in the world who do not use the internet (hard to believe, huh?). do they have identities, or are they meaningless?

btw- i've never seen Nitesh in a suit and tie, so I'm not even sure he posted this.

2007-09-05 13:09:23
>btw- i've never seen Nitesh in a suit and tie, so I'm not even sure he posted this.

Hey thanks for the comment(s) Nick! :-D

2007-09-13 13:48:45
Hey Nitesh,

thanks for this interesting article.
I'd like to add the problem of sophisticated identity theft. If you are a bad guy, a phisher if you want, and you need new victims ... where do you search first? Social Networking Sites ...
Because you get everything you need there for free: emails, social relationships, addresses etc ...

The problem I see in this case: with social relationships you can much more easily persuade a potential victim to click on your malicious link ...

"Hey Nitesh,
it's me, Denver, what do you think about this new program ... John already checked it and said it is nice! Have Fun!"

You know what I wanted to say?