Ever suspected your friends may be snooping on your Facebook profile behind your back? It turns out they are, a new study shows.
New research from the University of British Columbia in Canada says 24 percent, or more than one in five, subjects had accessed someone else's Facebook account without permission, and 21 percent had been victims (who knew about the unauthorized access).
The security community calls this kind of profile snooping a “social insider attack.” This means the attacker knows the victim and gains access to the account by physically accessing the victim's device, whether it's a phone, tablet, laptop or something else.
The study surveyed 1,308 adult Facebook users in the United States. It looked at a less-talked-about phenomenon: unauthorized access of accounts by people you know. The study explored five potential motivators: fun, curiosity, jealousy, animosity and utility.
“We initially wanted to build technical solutions to mitigate these attacks, but we soon discovered that we really did not understand them well,” Ivan Beschastnikh, one of the paper's authors, told Mashable. “So we decided that instead we should carry out an empirical study to understand the attacks better before attempting to prevent them.”
While not much work has been done studying these kinds of attacks, they are certainly not new. You may have seen outrageous posts on your newsfeed only to have the poster later clarify that their account was facejacked, fraped or hacked by a friend. While such unauthorized access is often harmless, there can be much darker motives behind social insider attacks.
One common scenario is that of romantic partners, where the attack may be motivated by curiosity or even jealousy. The perpetrator usually targets private messages of the victim, and the intrusions often go undiscovered.
“One recommendation that we make is that Facebook could provide better support for monitoring passive account activity,” Beschastnikh said. “A log that cannot be altered and that records passive actions [such as viewing already-read messages] as well as active actions in the account would (1) allow victims to identify these attacks, and (2) deter potential perpetrators.”
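To illustrate the kind of tamper-evident log Beschastnikh describes, here is an added example (written for this article, not code from the study or from Facebook): a hash-chained, append-only activity log that records passive views next to active actions, so that an entry later deleted or edited by someone with access to the account breaks the chain. The action names, device labels and timestamps are constructed; it assumes the latest digest is kept somewhere the snooper cannot rewrite, which is what makes tampering detectable.

```python
import hashlib
import json
import time

# Constructed example: each log entry commits to the SHA-256 digest of the
# previous entry, so removing or rewriting any earlier entry changes every
# digest after it and the mismatch is caught by verify().

GENESIS = "0" * 64  # digest used as the "previous" link of the first entry
FIELDS = ("action", "kind", "device", "ts")


def _digest(prev_hash, entry):
    """Deterministic digest over the previous link plus the entry's fields."""
    payload = json.dumps({"prev": prev_hash, "entry": entry}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ActivityLog:
    def __init__(self):
        self.entries = []  # dicts holding FIELDS plus "prev" and "hash"

    def record(self, action, kind, device, ts=None):
        """Append one action; kind is 'active' (post, send) or 'passive' (view)."""
        if kind not in ("active", "passive"):
            raise ValueError("kind must be 'active' or 'passive'")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"action": action, "kind": kind, "device": device,
                 "ts": time.time() if ts is None else ts}
        digest = _digest(prev, entry)
        self.entries.append({**entry, "prev": prev, "hash": digest})
        return digest

    def verify(self):
        """Return the index of the first broken link, or -1 if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            fields = {k: e[k] for k in FIELDS}
            if e["prev"] != prev or e["hash"] != _digest(prev, fields):
                return i
            prev = e["hash"]
        return -1

    def passive_views(self):
        """Passive actions (re-reading a message, opening a profile) a victim can review."""
        return [e for e in self.entries if e["kind"] == "passive"]
```

Deleting the passive-view entry from the middle of the chain makes `verify()` report the position where the link no longer matches, even though every remaining entry still carries a valid-looking digest.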
Another possible solution, used by several apps that store sensitive information, is for the app to have its own passcode, which the user must enter every time they open the app. This ensures that even if the device is left unlocked where third parties could access it, the app's data remains locked. Notably, Facebook, which recently updated its privacy tools, doesn't offer such a feature.
Similarly, with fingerprint detection becoming ubiquitous on smartphones, users can set up a fingerprint-based barrier to entry on some apps. Such precautions generally don’t translate to laptops, however, so there isn’t a universal method to mitigate risks. Getting in the habit of locking your phone and laptop when you’re not using them is still the best precaution.
The findings of the study can extend to other apps like Twitter, messaging apps and email. For those services, current security mechanisms aren’t very effective against social insider attacks. While this study is relatively small in scale, anyone who has let someone borrow their smartphone or left their laptop unattended at work is aware that social insider attacks are a real risk, and app makers will need to come up with new ways of dealing with them.