Sophos tests Facebook - 44% willing to add strangers

Sophos created a fake Facebook profile, under the name 'Freddi Staur' ('ID Fraudster' with the letters rearranged), and randomly requested 200 members to be friends with 'Freddi.' Out of those 200, 87 accepted the friend request and 82 of those gave 'Freddi' access to "personal information" such as e-mail addresses, dates of birth, addresses and phone numbers, and school or work data. Presumably, the other five had restricted 'Freddi' to limited profile access, which many users select for bosses, parents, or people they don't know in real life.

What it all boils down to, ultimately, is who you consider a "friend" on Facebook. On the upside, more than half of those polled didn't even accept 'Freddi' as a friend--indeed, many Facebook members accept friend requests only from people they know in real life, a far cry from the MySpace friends lists that reach up into the four and five digits. But out of the 41 percent of those surveyed who divulged personal information to 'Freddi,' 72 percent provided at least one e-mail address, 84 percent gave their full date of birth, and 78 percent gave a current location (whether an address or just a city). More alarmingly, 23 percent provided a phone number and 26 percent provided an instant messaging screen name.

"It"s extremely alarming how easy it was to get users to accept Freddi," said Ron O'Brien, a senior security analyst at Sophos. "While it's unlikely this will result directly in theft, it provides many of the essential elements needed to gain access to people's personal accounts. Additionally, it reveals specific user interests, enabling hackers to design targeted malware or phishing emails that they know the user is more likely to open."