Facebook and Phones and Phishing

Facebook’s goal is to connect people.  But some connections are better left unmade.  Like with that sketchy rando you’ve never met.  Or that weird girl from high school you haven’t talked to in seven years.  Or that hacker who wants to steal your data and corrupt your hard drive.

Facebook has been hammered again and again for disregarding user privacy.  But a recent Facebook policy that exposes an important piece of personal information has gone under the radar:  your cell phone number.  Unless you, as a Facebook mobile user, opt out, the social networking site will upload your number and share it with every Friend you have on Facebook. (You can find the list by going to Account Settings -> Friends -> Contacts.)

While your initial reaction might be to view this as creepy (I don’t want that sketchy rando I’ve never met to have my phone number!) but ultimately unimportant, the true implications are actually quite dangerous.  With your cell phone number, any one of your thousands of Facebook Friends (or anyone who hacks into the account of any one of those thousands of Facebook Friends) can easily hack your phone.

It’s a simple trick of faking caller ID.  To spare you from entering a PIN to access your voicemail, major service providers let you skip that step when calling from your own phone; when the company sees your number calling itself, it assumes it’s you, and automatically unlocks your voicemail.

But if a hacker dials your number from a phone spoofed to show up on caller ID as your own number, they’ll be granted free access as well.  And with websites offering this hackers’ tool under the label of Pranks, Spoofs, and Jokes, doing so is all too easy.

Perhaps you’re thinking, “Who cares?  I don’t leave sensitive information on my voicemail.  If a hacker wants to go to all that effort to hear my Gammy talk about her and Great Aunt Ruth’s trip to the Grand Canyon, let ’em.  It won’t hurt me.”  You’d be wrong about that.  Hackers’ methods are becoming more complex, and that seemingly harmless information can be key to hijacking your hard drive.

We’re all familiar with the technique of phishing: sending a fake email that attempts to get the reader to download malware.  But while phishing involves using an obviously suspicious piece of bait (“I know you don’t know me, and I know this seems ridiculous, but you’ve just won ONE MILLION DOLLARS!!!”) with the hope of luring one out of millions of possible victims, hackers are increasingly turning to spear phishing, a precise strike on a single target.  So while you probably won’t open an attachment from that Nigerian prince in need, you may be less vigilant about a faux email that seems to be from your Gammy, asking you to download pictures that she and Great Aunt Ruth took during that recent trip to the Grand Canyon.

Although we are becoming more effective at protecting sensitive information from potential malicious sources, we continue to ignore one of the greatest threats to preserving privacy in our future: The private information that we are freely giving away.

Image by Suvi Korhorean.
