professionals. Together, they posed as Marcus Ranum, a consultant renowned for building the first e-mail server for whitehouse.gov and who now serves as chief of security for Tenable Network Security. Moyer and Hamiel used Ranum's name, résumé, and photo (all of which they found on the Web without any help). Moyer and Hamiel then set about seeking to connect with chief security officers and chief information officers of large companies, an editor-in-chief of a security trade magazine, defense industry professionals, and other people whom Ranum might know in real life.

Despite their online security expertise, most accepted the request. And once the fake Ranum had several authentic connections within the industry, he looked even more credible to the next target. "I would have expected that the security community would have been a little more paranoid," Ranum says. The experiment proved to Moyer and Hamiel what they had suspected: Users of social networking sites expect little more proof of a friend's identity than a name, a photo, and a few bits of knowledge about their real life. "What if I wanted to get inside IBM (IBM)?" asks Moyer. "What if I had wanted to get inside the [U.S. Defense Dept.]? Who else might Marcus know?"

Enforcement Hurdles
There's no easy solution for the social networking sites themselves. Each major networking site contains terms of service that prohibit posing as another user. "The rules of impersonation are pretty much the same on the Internet as off the Internet," says Gene Landy, principal with Boston-based law firm Ruberto, Israel Weiner. In both places the severity of punishment hinges on how much harm is intended. Pretending to be an ex-girlfriend and posting embarrassing photos on Facebook, for example, would likely constitute a civil offense, Landy says. But almost any serious attempt at fraudpretending to be someone else to obtain money or retrieve sensitive informationwould likely be tried as a criminal offense, he explains.

Enforcing the rules online can be tricky for social networks that don't want to put off would-be users with a rigorous authentication process. Facebook maintains a long list of blacklisted names that bars users from registering with fictitious names such as Donald Duck and Evil Spock, two of the most popular false IDs, says Facebook's head of security, Max Kelly. The site also prohibits suspicious activity such as spamming users with hundreds of messages. But mainly it falls to users to be vigilant. "If you use Facebook the way we intend people to use Facebook, which is to model your real-world interactions, people won't be able to impersonate someone else," Kelly says. Still, he adds, "I'm not ruling out that we may look at other ways to verify people's identities in the future."

Security expert Moyer admits it would be pretty difficult for LinkedIn to have measures in place to thwart his experiment, but says it and other sites should take some steps to authenticate users. For one, he recommends that new user profiles get stamped with some kind of "born-on date" that displays when the account was created. That could impede scammers who cycle through many new accounts every day. Also, sites should develop some kind of peer warning system that lets users flag others' suspicious activity.

Still, the best prevention method remains educating Web users to be more cautious of people in their networks. "When I get a friend request, I tend to ask people what T-shirt [they] wore the last time we had dinner," Moyer says.

A simpler way to check identity is to spend some time on the person's profile, see how long they've been active, how familiar their friends appear to be, and whether the messages and multimedia they post reflect their personality.

When all else fails, it's probably best to be leery of requests for money or bank account informationespecially when they emanate from deposed dictators.

Similar posts: erotic mind control