- Some users have posted their phone numbers, leaving them vulnerable to SMS scams.
- Always keep privacy settings to 'friends only' if you don't want to broadcast what you post to the world.
Wasil Dhingra doesn't set his Facebook settings to 'private' or 'friends only.' So, it's not hard to find his phone number.
A quick search also revealed his address. But the phone number is the prize, because now it is a simple matter to set up a premium service or a texting service scam. That could get expensive for Dhingra.
Discovery News reached out to Dhingra, a postgraduate student at the Nottingham business school in the U.K., as well as a number of other people, whose profiles and habits appeared on the site called weknowwhatyouredoing.com. Dhingra, like many others out there, was not aware his profile was so public. He added that he's been on Facebook long enough that he can't even remember when he set the page up or looked at his settings. He was planning on setting his page to private.
The site weknowwhatyouredoing.com is not unlike others such as pleaserobme.com, which track Facebook users using information that is publicly available. weknowwhatyouredoing.com does a simple text search in the Facebook postings which can also filter out people and look for specific keywords such as hung over" or "new phone number."
Some people also, of course, post their phone numbers. And that is where scammers could step in and rob you of your own money by setting you up with premium services since all that is needed to set up an account for many of those services and text message scams is your number.
While it's important to manage one's privacy settings, part of the problem is the way Facebook is designed. The default setting for an account is to have everything be public.
"Facebook defaults with all the portholes open on the Titanic," said Graham Cluley, senior technology consultant at Sophos Labs, a security firm. The API even allows for data mining when the user isn't logged in.
The scam is pretty simple: with a mobile phone number a scammer can send a text message, which if replied to signs the user up for a premium service -- one that might cost lots of money. Sometimes you don't even need to reply.
Weknowwhatyouredoing.com was set up by Callum Haywood, a young programmer in England. He used the Facebook application program interface, which is publicly available. Lots of people, he noted, forget to change settings or just don't bother. So everything they post is on the open Internet, available for Google searches. The only reason he used the API was that it was easier. (He redacts the phone numbers that appear on the site, but it isn't hard to reconstruct them with a Google search).
His site has four categories: "Who wants to get fired," "Who's hungover," "Who's doing drugs" and "Who's got a new phone number." The last one shows that people often post their numbers when they change them or want people to know it.
The site is not unlike pleaserobme.com, which also pulls public information from Twitter, FourSquare and Google Buzz. In that case it was telling the world when someone isn't home
Managing privacy settings is also complicated by the fact that Facebook has a history of adding functionality without telling users that it might change their privacy settings, since the default with new functionality is often 'share everything.'
Rohit Sethi, vice president of development at SD Elements, which helps businesses design secure apps, said the onus is really on individual users. But he added that the privacy settings can change and a good hacker will use information exposed on Facebook to answer lost password questions ("what is your mother's maiden name?" for instance). The other issue is that privacy settings can change over time, putting the user in the position of having to manage it periodically. Sethi said Facebook could put limits on the data the API can access, but that wouldn't affect a site such as Haywood's much.
It's also worth saying that changing privacy settings isn't a security fix, said Samuel Bucholtz, co-founder of Casaba, a computer security consulting firm. "A security risk would require an attacker getting access to data they should not have access to. Not data that is mislabeled by the data owner," he said.
Facebook makes the name, profile picture, network, gender, username and user ID public. Everything else is adjustable.
A Facebook spokesperson referred questions about what remains public to the company's data use policy. Generally, the site leaves some information public because that is what makes the search feature work.
Facebook also doesn't have much incentive to change the defaults, since the data is so valuable to Facebook and its advertisers – after all, that data is what gives Facebook its billion-dollar valuation.