Monday, January 19, 2009

Never take candy from strangers

Yesterday, my darling wife told me that she got a weird SMS about 9.99$ and she's not sure what it is. Turned out it was from some IQ-Test she took online on FaceBook. When she completed the test, she was asked for her phone, to which her score was sent, along with the message that she just subscribed to a 9.99$ a month service. Clearly, this is a scam, but my sweetheart never thought that something from such a reputable source like FaceBook could be harmful.

"This is exactly how the 1st nasty viruses/worms started to spread", I told her. A worm would harvest its victim's address book and send itself to everyone in it. The victim's poor friends and family members would think that this, coming from a friend or family member, must be legit, but of course, it wasn't. Later on, some worms got even cleverer, and spoofed the source address to be someone else from the list, so that the victims could not know which of their close ones was really the source of the infection.

Luckily, some people have learned to beware of wolves in sheep's clothing, and others are protected by more secure software that won't let them open attachments, but the success of that "service" and others like it shows that apparently, many people still fall for that old trick. Well, if you, or your close ones, think that since FaceBook is a legitimate site, then everything on it is too, think again. Pretty much anybody can upload data to FaceBook or write an app for it, and although the site has a lot of security features, it's far from secure. This specific application gives you an IQ test comprised of 10 questions (I won't waste your time explaining why such a test is closer to guessing your IQ than actually measuring it) and asks for your phone number. To that phone, it sends a confirmation code that you need to punch into the website, which then sends you an SMS with your so-called IQ. By entering the code, you are actually agreeing to be subscribed to a service that charges 10$ a month. Although this is written both on the website and in the SMS message, some people might miss that, or misunderstand it. Many wouldn't notice another 10$ charge on their cell service bill, and some people are making millions on those people's backs.

This type of story shows why information security is more about security than information. Although this scam is propagated by computers, it could just as easily be run over the phone alone, through an interactive TV channel, and many other ways. Even if you don't like computers, or maybe ESPECIALLY if you don't like computers, this poses a real risk. Not only can you be billed, you can never know for sure where your info will end up. Maybe tomorrow you'll be flooded with 20 SMSs a day advertising the current Viagra or Rolex, or maybe you'll be part of an identity theft operation. The most important lesson here is this: FaceBook is NOT your friend, and neither are MySpace or any other web service. Always assume the worst about an information source, even if you've used it for years and it was great otherwise. The bad guys, or "evil doers" as W likes to call them, are all around, and they will keep on finding new ways to separate us from our money. Just make sure it's not you, and I might also suggest educating your friends and loved ones too.
