As the saying goes, a man (and presumably a woman) is known by the company he keeps. In fact, last fall some MIT students did a study where they demonstrated that they could tell someone's sexual orientation by the sexual orientation of their friends on Facebook and other social networking sites.
Now it's going one step further: In May, at the IEEE Symposium on Security and Privacy in Oakland, Calif., students are presenting a paper showing how they can determine someone's identity by the social networking groups to which they belong.
Using a German social networking site called Xing, researchers at three universities found that their technique could identify someone 42 percent of the time.
Criminals could use the technique for phishing and targeted attacks, particularly because it requires only that users visit a particular site, not that they download any code, said Kelly Jackson Higgins, of the security blog Dark Reading.
The system works like this. First, someone visits a particular site, which uses a technique to examine their browser history to see which social networking groups they visit. Then, after downloading group membership information using crawlers, the attackers look at the users who belong to all of those groups -- which typically triangulates down to a few or, often, a single user.
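The narrowing step described above is a set intersection, and a site operator can run the same computation over its own membership data to measure how exposed its users are. The sketch below is an added example, not code from the paper or from Xing; the group names, user ids and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (hypothetical): group name -> set of member ids.
GROUP_MEMBERS = {
    "python-devs": {"u1", "u2", "u3", "u4"},
    "berlin-startups": {"u1", "u2", "u5"},
    "infosec-de": {"u1", "u3", "u5"},
    "photography": {"u4"},
}


def candidates(observed_groups, group_members):
    """Users who belong to every observed group.

    Groups missing from the membership data are ignored. If nothing usable
    was observed, nobody is ruled out, so every known user is returned.
    """
    sets = [group_members[g] for g in observed_groups if g in group_members]
    if not sets:
        return set().union(*group_members.values())
    return set.intersection(*sets)


def groups_by_user(group_members):
    """Invert the mapping: user id -> set of groups the user belongs to."""
    inverted = defaultdict(set)
    for group, members in group_members.items():
        for user in members:
            inverted[user].add(group)
    return dict(inverted)


def anonymity_report(group_members):
    """For each user, how many users share all of that user's groups.

    A value of 1 means the user's group list alone singles them out.
    """
    return {
        user: len(candidates(groups, group_members))
        for user, groups in groups_by_user(group_members).items()
    }


def unique_fraction(group_members):
    """Share of users whose full group list matches exactly one account."""
    report = anonymity_report(group_members)
    return sum(1 for size in report.values() if size == 1) / len(report)


if __name__ == "__main__":
    for user, size in sorted(anonymity_report(GROUP_MEMBERS).items()):
        print(f"{user}: candidate set size {size}")
    print(f"uniquely identifiable: {unique_fraction(GROUP_MEMBERS):.0%}")
```

On real data, a high share of candidate sets of size 1 shows how much of the user base is singled out by group membership alone.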
Unlike some other triangulation techniques, this one uses just a single social networking site, the researchers said. The technique would also work with sites such as Amazon and eBay, they added.
Users can protect themselves against such attacks by turning off their browsing history, the authors noted. "Unfortunately, all of these methods also require some effort on behalf of the user, and reduce the usability of web browsers and web applications," they said. Xing has also taken steps to make it more difficult for such techniques to work.