Facebook Users Expose Passwords Online

NEW YORK, October 11, 2011 -

CPP calls on people to separate personal information from online accounts

Social media users are increasing their chances of identify fraud, by providing clues to their online passwords.

A study from security expert, Jason Hart, commissioned by life assistance company CPPGroup Plc (CPP) has revealed that one third (32%) of Facebook profiles contain at least two pieces of personal information such as their mother’s maiden name, date of birth, hobbies or children’s names. This information is often also used as a password or as an answer to a security question when users look to reset their online account log-in details.

In the study, details including the name of the user’s first school (64%), employer (46%), dates of birth (25%), children’s names (25%) and favourite football team (17%) were found to be visible on many people’s Facebook profiles.

As the most active social media users, those aged 18 to 24 with a Facebook account are the most likely to publicise their personal information - and often to complete strangers. This age group has on average more than 250 friends but 81%^[1] say they do not trust all of their Facebook ‘friends’. Half (50%) have accepted a friend request from a total stranger and 9% would accept an invitation from someone they did not know if they were good looking or popular.

But it’s not just the 18 to 24 year olds who are making themselves vulnerable - users of all ages are putting themselves at risk. One third (33%) of all those with a Facebook account admit to accepting an invitation from people they had never met before, with 38%^[2] confessing they don’t know everyone they are friends with on the site.

Over half (52%) of the Facebook account holders questioned had received friendship requests from strangers. And despite recent media controversy around privacy and security on the site, one in twenty (6%) users allow anyone and everyone to see their entire profile.  

Danny Harrison, CPP’s Identity fraud specialist is calling on individuals to not use personal information for online passwords or security questions.

“It isn’t a good idea to use personal information for passwords online. Sharing is the whole point of Facebook and other social media sites, so users are naturally going to promote their personal information online. The problem is this information could be used by fraudsters to reset passwords and access people’s online accounts. To compound the problem, there are tools available online that can capture keywords from a website, including a Facebook profile, and others which will trial variations of the identified keywords until a password match is found.

For this reason, we are advising people to not use personal information as a means to verify their online identity and facilitate access to their online accounts.”

Personal information most commonly used as passwords^[3]:

1. Interests
2. Hobby
3. Favourite football team
4. Favourite football player
5. Children’s names
6. First school
7. Pet’s name
8. Dates of Birth
9. The user’s name
10. Maiden name

Examples of how personal details visible on Facebook can be used by hackers:

    Information
    Type                        Potential Impact                Risk Factor

                                                             High - if used as
                                                             the answer to
                    First school is often used as a security web-based
                    question on web- based applications and  security
    First School    social networks                          questions

                    An attacker can use this information to  Medium to High -
                    conduct a social engineering attack[4]   risk to the user
    Employer        to target the user's employer            and employer

                                                             High - as DOB is
                    People that publicly display their date  used by most
    Dates of        of birth (DOB) are open to different     banks as one form
    Interest        forms of identity threat                 of identification

                                                             Medium to High -
                    This allows the user to become a         based on if the
                    potential target to password reset       user is using a
                    attacks and is a potential way to start  web based email
    Email Address   spear phishing attacks                   address

                                                             High - maiden
                    People that publicly display their       name is used by
                    maiden name also leave family members    most banks as one
                    open to different forms of identity      form of
    Maiden Name     threat                                   identification

CPP’s top tips on protecting your personal data on social networking sites:

• Set a unique password for every website: Always create a unique password for each website you use
• Personal information: Ensure that you are not posting any personal information on Facebook  that can be used against  you,  for example date of birth,  mother’s maiden name or your email address
• Enforce two-factor authentications:  A number of web based applications and social networking sites now provide users with the ability remove the need for static passwords and allow them to enable two-factor authentication - removing the risks of your password being compromised
• Privacy settings on your social network profiles: Review the privacy settings on your social networks to ensure they meet your expectations. Social networks in general initially set privacy settings to defaults that allow anyone to view your information
• Don’t use personal information to verify your online identity: If possible utilise other information or codes to construct a password, and consider using false information when asked to create a security question and answer

Research Methodology

ICM interviewed a random sample of 2030 adults aged 18+ online between 9-11 September 2011, of whom 1,281 had a Facebook account.  Surveys were conducted across the country and the results have been weighted to the profile of all adults.  ICM is a member of the British Polling Council and abides by its rules.  Further information at www.icmresearch.co.uk

During September 2011 Jason Hart was commissioned by CPP to perform a review of 250 public Facebook profiles, to identify any information that could relate to an individual’s password and/or sensitive information that could allow a potential targeted attack against the individual. At no point during the research was any user’s data or online webmail accounts compromised.

Corporate Background Information

The CPPGroup Plc

The CPPGroup Plc (CPP) is an international marketing services business offering bespoke customer management solutions to multi-sector business partners designed to enhance their customer revenue, engagement and loyalty, whilst at the same time reducing cost to deliver improved profitability.  

This is underpinned by the delivery of a portfolio of complementary Life Assistance products, designed to help our mutual customers cope with the anxieties associated with the challenges and opportunities of everyday life.

Whether our customers have lost their wallets, been a victim of identity fraud or looking for lifestyle perks, CPP can help remove the hassle from their lives leaving them free to enjoy life. Globally, our Life Assistance products and services are designed to simplify the complexities of everyday living whether these affect personal finances, home, travel, personal data or future plans. When it really matters, Life Assistance enables people to live life and worry less.

Established in 1980, CPP has 11 million customers and more than 200 business partners across Europe, North America and Asia and employs 2,300 employees who handle millions of sales and service conversations each year.

In 2010, Group revenue was £325.8 million, an increase of more than 12 per cent over the previous year.

In March 2010, CPP debuted on the London Stock Exchange (LSE).

What We Do:
CPP provides a range of assistance products and services that allow our business partners to forge closer relationships with their customers.

We have a solution for many eventualities, including:

• Insuring our customers’ mobile phones against loss, theft and damage
• Providing assistance to cancel and reorder customer’s payment cards should these be lost or stolen
• Providing assistance and protection if a customer’s keys are lost or stolen
• Providing advice, and assistance to help customers in the event their identity is fraudulently used
• Assisting customers with their travel needs be it an emergency (for example lost passport), or basic translation service
• Monitoring the credit status of our customers
• Provision of packaged services to business partners’ customers

CPP is an award winning organisation:

• Top 50 Call Centres for Customer Service, 2009, 2010 and 2011
• Finalist in the Plc Awards, New Company of the Year, 2011
• Winner in the European Contact Centre Awards, Large Team of the Year category, 2010
• Finalist in the European Contact Centre Awards, Best Centre for Customer Service, Large Contact Centre of the Year categories, 2010
• Finalist in the National Sales Awards, Contact Centre Sales Team of the Year category, 2010
• Finalist in the National Insurance Fraud Awards, Counter Fraud Initiative of the Year category, 2009
• Finalist in the European Contact Centre Awards, Large Team and Advisor of the Year categories, 2009
• Named in the Sunday Times 2008 PricewaterhouseCoopers Profit Track 100
• Finalists in the National Business Awards, 3i Growth Strategy category, 2008
• Finalist in the National Business Awards, Business of the Year category, 2007, 2009 and Highly Commended in 2008
• Named in the Sunday Times 2006, 2007, 2008 and 2009 HSBC Top Track 250 companies
• Regional winner of the National Training Awards, 2007
• Winner of the BITC Health, Work and Well-Being Award, 2007
• Highly Commended in the UK National Customer Service Awards, 2006
• Winner of the Tamworth Community Involvement Award, 2006. Finalist in 2008
• Highly Commended in The Press Best Link Between Business and Education, 2005 and 2006. Winner in 2007

For more information on CPP click on www.cppgroupplc.com

1. According to the ICM research, 19% of 18-24 year old Facebook users say they trust everyone they are friends with on Facebook. 100% - 19% = 81%

2. According to the ICM research, 62% of 18-24 year old Facebook users say they know everyone they are friends with on Facebook. 100%  - 62% = 38%

3. According to research and analysis by Jason Hart

4. Social engineering is a term used to describe accessing needed information (for example, a password) from a person rather than breaking into a system. Social engineering is similar to hacking in that it is used to gain unauthorised access to systems or information to commit fraud, network intrusion, industrial espionage, identify theft or a simple disruption. However, social engineering is generally much easier than technical intrusion (hacking), as it does not require the technical know-how or background to be completed successfully. Rather, it simply involves having personal information.

For more information, to trail the app, or to arrange a time for interview with CPP’s Danny Harrison please call Band & Brown Communications: Beth Milsom - +44(0)203-451-9428 / +44(0)7838-163-369; Bryony Partridge - +44(0)203-451-9406 / +44(0)7846-004-416; Elisse Ahmet - +44(0)203-451-9446 / +44(0)7926-341-557