Facebook Gifts could encourage users to expose more private information

Security experts outline potential security and privacy risks posed by Facebook's new social gifting service

Facebook Gifts, the new social gifting service launched by Facebook on Thursday, might encourage users to expose information like their home addresses, birth date, clothing or shoe size that could pose security and privacy risks, according to security experts.

Facebook used to have a Gift Shop application that allowed users to send virtual gifts in the form of images, but it was discontinued in August 2010. The revamped Facebook Gifts feature is the result of Facebook's May acquisition of mobile e-commerce app Karma and allows users to send physical gifts to their friends.

"Choose a gift, attach a card and send," Facebook said Thursday in an announcement on its website. "You can post your gift to your friend's timeline or send it privately. Your friend can then unwrap a preview of the gift and it will show up on their doorstep a few days later."

Facebook has partnered with many vendors in order to offer a large selection of gifts that includes stuffed animals, cupcakes, toys, coffee mugs, Starbucks gift cards and more. The company receives a percentage of every gift purchase.

Facebook Gifts will be rolled out gradually to users starting with those in the U.S, the company said. Users will have the option to send gifts from the birthday reminder panel on their news feeds or by clicking on a gift icon in a friend's timeline. The payment can be made before or after the intended recipient has accepted the gift.

Recipients will receive a notification when someone sends them a gift and can select the item's size, color or even swap it for another item of equal or lower price. They then have to input a delivery address or select from the ones already saved under their account.

The launch of the new Facebook Gifts service is good news for Facebook investors because it will provide the company with a new revenue stream and the feature might even prove popular with users in the long run. However, some security experts are concerned about its security and privacy implications.

"The amount of private data users are sharing on social networking sites already exceeds all security precautions," said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email Friday. "Making it so much easier for the user to add a number of addresses they can receive parcels at (including probably work or school addresses) would make it even easier for real-life criminals to gather information about a potential victim."

"The new information that might be shared by users is particularly dangerous in the case of account compromise," the Bitdefender security researcher said. Home addresses combined with other information commonly shared by users on Facebook like vacation dates, pictures of houses or news about recent high-value purchases, could make it very easy for burglars to select potential victims and plan raids, he said.

According to a 2011 survey performed in the U.K., 4 out of 5 ex-burglars believe that thieves are targeting homes using information gathered from social media websites.

In addition, stolen home addresses can also be used to craft more believable email-based scams. For example, parcel delivery emails that try to trick users into clicking on malicious links or opening malicious attachments are a common occurrence. Including the target's home address in such a message would likely increase the attacker's chance of success.

"There is strong potential for this [feature] to spark malicious, spam e-mails, like 'You have just received a Facebook Gift, please click here to redeem'," said Adam Levin, chairman and founder of Identity Theft 911, a company based in Scottsdale, Arizona, that provides identity and data risk management services. "We see instances like this all the time and the link included usually opens up to a website exposing the user to malware and spearphishing," he said via email on Friday.

"Because of this feature, more users may be apt to reveal their birthdays on their profile," Levin said. "Birthdays are often used to verify a customer's identity, so it's very valuable information for identity thieves. Anytime you provide information to complete the mosaic of your life, you're putting yourself in harm's way."

People's gift preferences could reveal what kind of products they like or their clothing and shoe sizes. It's not clear if Facebook collects this information or uses it outside of the Facebook Gifts service. The company did not immediately return a request for comment.

"There is one question we need to ask ourselves: how would our data turn against ourselves in the event our account gets breached and the information lands in the wrong hands?" Botezatu said. "Are we ready to live in an ecosystem where social networks know our names, our relationship history, phone number, email address, shoe size and, on top of that, where we live with pinpoint precision?"

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place