Fake Accounts, Bots, and Security Culture

Accepting a bot’s friend request and going along with “chain letter” advice are terrible ideas

Jillian Ada Burrows · 7 min read · Mar 2, 2018


Fake accounts have always been a part of online existence for me since 2011 — and probably before then, too. I only really became aware of them about the time I stopped using Google Plus. They were starting to send me a ridiculous number of friend requests. That in itself wasn’t annoying, other than it buried real friend requests.

Have fun texting each other, bots!

Is there any harm in accepting fake accounts as friends? If they don’t post anything that can influence one’s thinking, the damage is limited, though the accounts are still nefarious. If one’s social graph (the connections one has with people) is public knowledge and everything one posts is public, then befriending a bunch of bots doesn’t give them anything they couldn’t have picked up otherwise. The more nefarious situation is when people friend a bot which then takes advantage of non-public information. If one has privacy settings which only show posts to friends or friends of friends and only show the friend list to friends, accepting the bot as a friend allows a malicious actor to peer into one’s social network and poke and prod in very interesting and subtle ways.

Accepting a friend request from a bot (or doing one of those online quizzes that grant access to all one’s info) gives an attacker the ability to get pictures of one’s friends and family. I’m sure we all have that one elderly family member who is always having to create a new account after forgetting their password. It’s a social phenomenon: people nowadays have had to get new accounts for several different reasons. The people behind the bots can see this and take advantage of it. This makes it even easier to peek into a social network and see what’s happening across several people’s networks. They can see who on one’s friend list is vulnerable to being cloned as a bot and who is more likely to accept a friend request from a bot.

People with open privacy settings make it easy to mine data on people and social networks. This allows advertisers or other parties to gather data on how well their campaigns are doing. It allows meme makers to see further into how far their memes travel. It lets the bot owners see all sorts of activities and reactions from the network. It lets them become expert manipulators.

I got a message from a friend which encouraged people to put a message out to all their friends reading:

I have NO plans to open a new account. Please DO NOT accept a 2nd friend request from ‘me’.

How would you respond to this message? Can you tell if it came from a bot?

However, this is absurdly stupid. For one, how do you know the account which is saying this is indeed your dear friend and not a fake account run by a bot? Could this end up confusing people into following the duplicate fake account which posted this phrasing rather than the real account whose owner couldn’t be bothered? That seems quite harmful.

What if the original “chain letter” message came from a bot? What if they are actually measuring how far their influence extends? If people will spread around something as harmful, yet innocuous looking as “put phrase X on your profile”, what is the full extent of harmful behavior they can get people to do?

It is important to stress it does not take many people to accept a request from a bot. Only a few people need to be compromised (accept a bot friend request) in order for a lot of information to be gathered from the friends and friends of friends (and possibly further out, if their privacy settings are wide open). In the wake of what seems to be happening with social media and politics, we could use an introduction (or review) of some basic security culture principles.
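The point that only a few accepted requests expose much of a network can be made concrete with a small simulation. The code below is an added example, not part of the original post: it builds a constructed friendship graph with made-up names, assigns each person a privacy setting (friends, friends of friends, or public), and counts whose posts a bot account can read once a given set of people accept its request.

```python
from collections import defaultdict

# Constructed sample network with made-up names: undirected friendships.
FRIENDSHIPS = [
    ("alice", "bob"), ("alice", "carol"), ("bob", "dave"),
    ("carol", "dave"), ("dave", "erin"), ("erin", "frank"),
    ("frank", "grace"),
]

# Constructed privacy setting per user: who may see that user's posts.
PRIVACY = {
    "alice": "friends",
    "bob": "friends_of_friends",
    "carol": "friends",
    "dave": "friends_of_friends",
    "erin": "friends",
    "frank": "public",
    "grace": "friends_of_friends",
}


def build_graph(edges):
    """Adjacency sets for an undirected friendship graph."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def can_see(graph, privacy, viewer, owner):
    """Whether `viewer` may read `owner`'s posts under the owner's privacy setting."""
    if viewer == owner:
        return True
    setting = privacy.get(owner, "friends")  # default to the safer setting
    if setting == "public":
        return True
    friends = graph[owner]
    if viewer in friends:
        return True
    if setting == "friends_of_friends":
        # Visible if the viewer is a friend of any of the owner's friends.
        return any(viewer in graph[friend] for friend in friends)
    return False


def visible_to(graph, privacy, viewer):
    """Set of users whose posts `viewer` can read."""
    return {user for user in privacy
            if user != viewer and can_see(graph, privacy, viewer, user)}


def exposure_after_accepting(edges, privacy, bot, accepters):
    """Users whose posts the bot can read once `accepters` befriend it."""
    graph = build_graph(list(edges) + [(bot, person) for person in accepters])
    return visible_to(graph, privacy, bot)


if __name__ == "__main__":
    for accepted in ([], ["erin"], ["alice", "erin"]):
        seen = exposure_after_accepting(FRIENDSHIPS, PRIVACY, "bot", accepted)
        print(f"{len(accepted)} accepted -> bot reads {len(seen)} of {len(PRIVACY)} users: {sorted(seen)}")
```

With nobody accepting, the bot sees only the one public profile; after two of seven people accept, it can read five of the seven, because the friends-of-friends settings of people who never touched the bot now include it.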

Be a good Netizen and help take out the trash.

Security Culture

Know your threat model

How can someone take advantage of you, a channel of communication, a friend of yours, or some other random thing to do something which could harm you or your friends? Could they be listening in or reading what you wrote and using that to manipulate people and social engineer their way to a goal? If so, how specifically? Will they read your email? Are they going to ask you to do a fun quiz which makes you sign in using Facebook and asks permission for all your info, email, photos, posts, and friends? Are they going to impersonate someone you know?

Know who you are talking to at all times

To do this, one needs one or more additional ways of communicating with another person for the express purpose of validating who that person is. If you get a friend request from someone, you should reach out to them over phone, email, or another social network in order to verify that they really did send you a friend request.

“But they have my friend’s picture!”

Yes, my picture is also plastered all over the internet for anyone to steal. Also, your friend did one of those quizzes and this bot has all of those photos from the last time you were drunk taking pictures with them in the photo booth at that hotel in Portland. They probably even have friends who look like your friends because they grabbed your friends list, too.

“Can’t I just use FB messenger to ask about their friend request?”

If you’re asking them on an original profile you have already been friends with, then sure. They’ll appreciate the heads up. Consider they could be locked out of their account and can’t reply: you should at least have their phone number, email, or a chance to talk to them in person in order to let them know what happened and ask if you should accept the request. Nothing beats going outside of the potentially compromised system to verify the truth on the ground.

“Do I really need another channel?”

Yes! Especially if you don’t have a challenge you established in person. A challenge is something as simple as you say “Orange” they say “Kumquat”. If they don’t know why you said “Orange”, you know something’s up. Like I said above, “Nothing beats going outside of the potentially compromised system to verify the truth on the ground.”

Use secure passwords

All my passwords are $3cuRe_P4$$. Have fun! Seriously though, your passwords need to be fairly secure and long and have a lot of randomness. You shouldn’t reuse passwords. You shouldn’t use anything that’s easy to get you to say in public as a password or security-question answer. If possible, make your answers to security questions random and use LastPass to store them.
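Here is what “long, random, not reused” looks like in practice. This is an added example, not code from the post: it draws passwords and security-question answers from the operating system’s CSPRNG via Python’s `secrets` module, estimates the entropy of each, and flags the policy problems in a candidate password. The word list is a small constructed one for the demo; a real passphrase generator would use a published list of a few thousand words.

```python
import math
import secrets
import string

# Constructed word list for the demo. A real list should have thousands of
# entries (a 7776-word diceware list gives ~12.9 bits per word); these 32
# words give only 5 bits each.
WORDS = [
    "orange", "kumquat", "granite", "lantern", "velvet", "meadow", "copper",
    "harbor", "thistle", "falcon", "marble", "timber", "summit", "cobalt",
    "willow", "ember", "quartz", "saffron", "juniper", "glacier", "pepper",
    "anchor", "beacon", "canyon", "dagger", "feather", "gadget", "hammock",
    "island", "jacket", "kettle", "ladder",
]

# 52 letters + 10 digits + 32 punctuation characters = 94 symbols.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=20):
    """Password of `length` symbols chosen uniformly with the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def random_answer(word_count=4, words=WORDS):
    """Random passphrase to use as a security-question 'answer' kept in a manager."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string of `length` symbols from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def password_problems(password, previously_used=()):
    """List of policy problems with a candidate password (empty when it passes)."""
    problems = []
    if len(password) < 16:
        problems.append("too short")
    if password in previously_used:
        problems.append("reused")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if sum(any(c in cls for c in password) for cls in classes) < 3:
        problems.append("too few character classes")
    return problems


if __name__ == "__main__":
    pw = random_password()
    print(pw, f"({entropy_bits(len(PASSWORD_ALPHABET), len(pw)):.1f} bits)")
    ans = random_answer()
    print(ans, f"({entropy_bits(len(WORDS), 4):.1f} bits; use a bigger list)")
    print(password_problems("$3cuRe_P4$$", previously_used={"$3cuRe_P4$$"}))
```

The entropy figure is the honest measure of “a lot of randomness”: a 20-character password from 94 symbols carries about 131 bits, while a four-word phrase from a 32-word list carries only 20, which is why the size of the word list matters more than clever spelling.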

Use encryption when it’s needed

If you are communicating about something sensitive, Facebook is not the way to go — especially if you haven’t verified if that bot isn’t your anarchist leader (wait, wut?). Be sure you know who you’re talking to when you use encryption — especially over an app like Signal or Telegram. If you use PGP, then you’ll have verified the keys and hopefully signed their public key and they yours. If you don’t know what that is, just stick to Signal or Telegram — your life will have fewer headaches.

Be aware of the principle of least access

One can easily just say, “Everyone can access everything.” That’s the principle of most access — the exact opposite of what we’re aiming for. The principle of least access is like this: “Each person should only have access to what they should have access to, and no more access than that.” In terms of social media, it would be like creating lists of friends in Facebook and only sharing things to those groups. It definitely means that some people would get left out of the conversation if they’re not on the right list. However, given how careless people have been with sharing fake and biased news — moderating the flow of information a little bit might not be a bad thing.

Summary

There are numerous reasons why friending a bot is a horrifically bad idea. Accepting friend requests from people who have common friends when one hasn’t met the person is bad form. If a friend sends another friend request, check in with them through another channel before accepting. Help fight the zombies and report accounts that seem really sparse, which have lots of random photos, which don’t contain much information, and which don’t have many posts.
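The checklist in the summary (sparse profile, lots of random photos, little information, few posts, a second request from an existing friend) can be written down as a triage rule so that it is applied consistently. The following is an added example, not the post’s own code; the profiles are constructed with made-up names and fields, and the “random photos” signal is interpreted here as photos that are mostly uncaptioned, which is an assumption.

```python
# Constructed sample profiles (made-up names and numbers) as a friend-request
# screener might summarize them.
SAMPLE_PROFILES = [
    {"name": "alice", "account_age_days": 3, "post_count": 0, "photo_count": 40,
     "photos_with_captions": 2, "bio_length": 0, "mutual_friends": 12},
    {"name": "harriet", "account_age_days": 2000, "post_count": 800, "photo_count": 300,
     "photos_with_captions": 250, "bio_length": 140, "mutual_friends": 4},
]

# Names of people already on the friend list (constructed).
EXISTING_FRIENDS = {"alice", "bob", "carol"}


def sparse_account_signals(profile, existing_friend_names):
    """Signals from the post's checklist that this request deserves suspicion."""
    signals = []
    if profile["post_count"] < 10:
        signals.append("few posts")
    if profile["bio_length"] < 20:
        signals.append("little profile information")
    if profile["photo_count"] >= 20:
        captioned = profile["photos_with_captions"] / profile["photo_count"]
        if captioned < 0.2:  # assumption: 'random photos' = mostly uncaptioned
            signals.append("many uncaptioned photos")
    if profile["account_age_days"] < 30:
        signals.append("new account")
    if profile["name"] in existing_friend_names:
        signals.append("same name as an existing friend")
    return signals


def recommended_action(signals):
    """Turn the signals into the post's advice: verify out of band, decline, or report."""
    if "same name as an existing friend" in signals:
        # A duplicate of a friend is exactly the case for a second channel.
        return "verify out of band before accepting"
    if len(signals) >= 3:
        return "decline and report"
    if signals:
        return "decline"
    return "use judgement"


def triage(profile, existing_friend_names=EXISTING_FRIENDS):
    signals = sparse_account_signals(profile, existing_friend_names)
    return {"name": profile["name"], "signals": signals,
            "action": recommended_action(signals)}


if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        print(triage(p))
```

Note that a high mutual-friend count is deliberately not treated as reassuring: in the scenario the post describes, the bot already has your friends’ names and photos, so mutual friends are the cheapest signal for it to fake.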

Other resources
