Infosec Home at The University of West Georgia

Sharing Information Online

Sharing information is a fact of life. We share information in social and business settings. Some of this information is considered “public” in nature. Our name, street address, and phone numbers are usually considered to be public information. Other information is considered “private” or confidential. Social Security numbers, passwords, sexual orientation, and medical conditions are usually considered to be private in nature.

Public information is freely available at courthouses, through phone directories and even via online searches. Today many of us share all kinds of information that we consider to be public. We do this through personal web sites and on social and/or career networking sites such as Facebook and LinkedIn. We discuss our families, children, pets, hobbies, etc.

Identity theft and identity fraud have become commonplace today. In this type of theft and fraud, someone obtains another person's personal information and uses it in some way that involves fraud or deception. One way in which unscrupulous people take advantage of shared information to carry out fraud and theft is through information aggregation and inference: someone combines individual pieces of information that they have access to in order to figure out information that they don’t have access to.

Consider the following example: A student uses an online registration system to register for classes. The student accesses the registration system using a login and password. Many such systems allow for the fact that we forget our passwords and provide the option to reset the password to a “default” setting based on something the student knows, such as their mother’s maiden name or the name of a favorite pet. Since we normally don’t think of our mother’s maiden name or our pet’s name as being private, we share this information with others. However, in this situation, if someone knows the student’s login but doesn’t know their password, they may be able to take advantage of the registration system’s ability to reset the student’s password to a default password based on something the student knows. If the student constantly talks about their favorite pet Fluffy and mentions the pet’s name on Facebook, someone may be able to guess that the “something the student knows” is Fluffy. In this case they have aggregated, or combined, some seemingly innocuous information and then been able to infer that “Fluffy” is the key to resetting to the default password.

This example may seem far-fetched. However, our example is based on several real cases at UWG. Students develop intimate friendships with one another and share student ID numbers, login information, and even Social Security numbers. Sometimes these friendships end on a sour note and one of the parties is not as mature about ending the relationship as they should be. In one case at UWG a student had shared their Banweb login with a friend. At some point the friendship ended badly and the former friend accessed the Banweb account. The unscrupulous former friend did not know the account password. However, they were familiar enough with their former friend to either guess or remember the “something the student knows” word or phrase and have the Banner account reset to the default password. This allowed the unscrupulous former friend to drop the student’s classes.

Be careful of the information that you share with others. Also, if a service offers a password hint or a “something you know” word or phrase, don’t use things that are easy to guess.
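
One way to check a reset answer of your own against what you have already posted, as an added example that is not part of the original page. The function names and the sample posts are constructed for illustration; the check reports whether the answer appears outright in one post or can be pieced together from several, which is the aggregation and inference described above.

```python
import re
import unicodedata

# Constructed sample of one person's public posts: (where it was shared, text).
POSTS = [
    ("Facebook post", "Took Fluffy to the vet today!"),
    ("LinkedIn bio", "Accounting major, graduating next spring."),
    ("Personal site", "My mom grew up in the Harper family."),
]

def normalize(text):
    """Lowercase and drop accents and punctuation so 'Fluffy!' matches 'fluffy'."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def audit_answer(answer, public_texts):
    """Classify a reset answer as 'exposed', 'inferable' or 'not found'.

    exposed   - the whole answer appears in a single public text
    inferable - every word of it appears somewhere, spread across texts
    """
    ans = normalize(answer)
    words = ans.split()
    if not words:
        raise ValueError("answer has no letters or digits")
    cleaned = [(src, normalize(text)) for src, text in public_texts]
    # Whole answer, on word boundaries, inside one text.
    exact = [src for src, body in cleaned if f" {ans} " in f" {body} "]
    # For each word of the answer, which texts give it away.
    seen = {w: [src for src, body in cleaned if w in body.split()] for w in words}
    if exact:
        verdict = "exposed"
    elif all(seen.values()):
        verdict = "inferable"
    else:
        verdict = "not found"
    return verdict, exact, seen

if __name__ == "__main__":
    for candidate in ("Fluffy", "Harper Fluffy", "copper kettle 7"):
        verdict, exact, seen = audit_answer(candidate, POSTS)
        print(f"{candidate!r}: {verdict} {exact or seen}")
```

A "not found" result only covers the text you feed in; as the UWG case shows, someone who knows you personally may still know or guess the answer.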