Confusion 2.0: Keep a Tight Grip on Personal Data

In a report, Fortinet researchers warn that respected sites are lowering users' security defenses.

Researchers at Fortinet call it Confusion 2.0—the unlearning of the golden rule of the Web: "Never give out any log-in credentials to an online service, regardless of the reason for the request."

But in their latest report on malware trends, they warned that some of the golden rules shine has rubbed off as users are being lulled into violating the axiom by popular sites such as

During the registration process, the Web site prompts the registrant to give their e-mail address and e-mail password. Steve Fossen, manager of threat research at Fortinet, said there are a couple of sites doing this, usually asking for IM or e-mail log-in/passwords so the sites can look up and send invitations to contacts. On, providing e-mail password information is optional, and the Web site states that will not e-mail anyone without permission.

Still, Fossen said seeking such information lowers users defenses.

"It gives users a sense that it is safe to give out this information and that there is no harm in allowing sites to use it," he said. "It then puts it on the user to understand and know which are trustworthy sites and which ones are out to steal their personal information. People normally wouldnt allow others this much access to their personal information, except when they are online.

"I was stunned when I was prompted for that kind of information, which I refused to relinquish," he added. "I was as disappointed to know my friends had entered their information, which was how I got invited."

After finding the "friends" in your mail contacts that are already registered on Facebook, another window pops up asking Facebook users which of their contacts they would like to invite to join.

"In a nutshell, the traffic ramping strategy employed by Facebook (and others) is just one click away from service-luring scam sites," researchers at Fortinets FortiGuard Center wrote in the August report. "There is of course one major difference: Contrary to the latter, they do provide a service."

Sophos released a study on using securely in August and found 41 percent of the 200 Facebook users researchers contacted divulged personal information such as e-mail addresses, date of birth and phone numbers to a complete stranger—in this case, Sophos officials who set up a fabricated profile.

"The risk associated with Facebook is the extent to which your personal information may be shared with others whom you friend or who friend you," said Ron OBrien, senior security analyst with Sophos. "The information collected by Facebook at registration is significantly more information than you would typically provide to anyone. It may include home phone, address, instant message address, mobile phone, birth date, place of employment and other information that I and others deem personal."


Click here to read about a massive personal data breach at

If a user agrees that this information should not be disclosed, the user can reset the privacy settings on his or her Facebook account, he added.

"Still, the default allows all of this information to be viewed by friends," OBrien said. "If you are asking whether I think we provide too much information to anyone who asks, the answer is yes."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.