Recently in the UK, the women’s national football team manager, Phil Neville, called for all social media accounts to be verified and accountable as the result of a spate of racist postings, and asked for a boycott of social media until the situation is addressed. He said that one of his fellow footballers had demanded that people are verified and give passport details and addresses to be held accountable for their postings. As he said, “You can be an egg on Twitter and no one knows who you are.”
Now it’s probably a sorry state of affairs if a footballer is handing out cybersecurity advice to the world of technology practitioners, but that’s in fact exactly what has happened. Needless to say, Twitter responded with a typically uncommitted answer where they “will continue to liaise closely with our partners to identify meaningful solutions to this unacceptable behavior.”
So, to be clear, they won’t verify people’s identities as that will not suit their business model. Think how many users they will lose if everyone has to upload passport details before tweeting.
This is not a one-off problem. Depending on which report you want to look at, the problem of fake accounts and duplicate accounts is rife. Facebook deleted more than 2 billion fake accounts in the first quarter of the year, between 9 and 15% of active Twitter accounts may be social bots, and a Twitter audit estimates that only 40-60% of Twitter accounts represent real people. It’s even possible for people to fake the verified indicator on LinkedIn.
So, why is this a problem for information security practitioners?
Multiple reasons, really. Fake actors are spreading misinformation about your products, impersonating you and selling counterfeit products, phishing your staff and customers, and putting in links to malware in postings on your social media sites, among many exploits. And when it goes wrong, your organization loses business and gets bad PR. Further, there will be no chance of catching the perpetrator as you don’t know who they are since the social media platform did not have a know-your-customer process.
So, any review you carry out on the use of social media in your organization should be based on the knowledge that no one knows who anyone else is, and your marketing people should have processes in place that take this into account, along with a response plan for when something inevitably goes wrong.
I’ll be presenting on this topic and other social media exploits in my session, “Auditing Social Media and its Cyber Threats,” at EuroCACS/CSX 2019, to take place 16-18 October in Geneva, Switzerland.