In recent years, global online social network (OSN) usage has increased sharply as these networks have become interwoven into people's everyday lives as virtual meeting places that facilitate communication. OSNs such as Facebook, Google+, LinkedIn, Sina Weibo, Twitter, Tumblr, and VKontakte (VK) have hundreds of millions of daily active users (see Fig. 1). Facebook, for example, has more than 1.23 billion monthly active users, 945 million of whom were active mobile Facebook users as of December 2013.
Facebook users have a total of over 150 billion friend connections and upload on average more than 350 million photos to Facebook each day. Unfortunately, many OSN users are unaware of the security risks which exist in these types of communications, including privacy risks, identity theft, malware, fake profiles (in some cases also referred to as sybils or socialbots), and sexual harassment, among others. A study by Dwyer et al. found that Facebook and MySpace users trust these OSNs, and they have trust in other users within these social networks. This trust leads to information sharing and to developing new relationships. Moreover, according to recent studies, many OSN users expose personal and intimate details about themselves, their friends, and their relationships, whether by posting photos or by directly providing information such as a home address and a phone number. Furthermore, according to Boshmaf et al. and Elyashar et al., Facebook users have been shown to accept friendship requests from people whom they do not know but with whom they simply have several friends in common. By accepting these friend requests, users unknowingly disclose their private information to total strangers. This information could be used maliciously, harming users both in the virtual and in the real world. These risks escalate when the users are young children or teenagers, who are by nature more exposed and vulnerable than adults.
As the use of OSNs becomes progressively more embedded in users' daily lives, personal information becomes easily exposed and abused. Information harvesting, by both the OSN operator itself and by third-party commercial companies, has recently been identified as a significant security concern for OSN users. Companies can exploit the harvested personal information for a variety of purposes, all of which can jeopardize a user's privacy. For example, companies can use collected private information to tailor online ads according to a user's profile, to gain profitable insights about their customers, or even to share the user's private and personal data with the government. This information may include general data, such as age, gender, and income; however, in some cases more sensitive and potentially harmful information can be exposed, such as the user's sexual orientation and whether the user has consumed addictive substances. These privacy concerns become more alarming when considering the nature of OSNs: information regarding a network user can be obtained without even directly accessing the individual's online profile; personal details can be inferred solely by collecting data on the user's friends.
To cope with the above-mentioned threats, multiple solutions have been offered by OSN operators, security companies, and academic researchers. OSNs like Facebook attempt to protect their users by adding authentication processes to ensure that the registered user is a real person. Moreover, many OSN operators also support configurable user privacy settings that enable users to protect their personal data from other users within the network. As for privacy settings, OSN operators currently face a conflict of interest: On the one hand, since personal information is a commodity, the more that is shared, the better. On the other hand, a user who is anxious about his or her privacy is a liability and will probably share less information and consequently become less active. Nevertheless, both regulating authorities and public groups try to address privacy concerns and make them a part of public discourse and consideration. Today there are additional protection mechanisms which include defenses against spammers, fake profiles, and other threats. For example, security companies like Check Point, Websense, and Infoglide offer social tools to protect users in the OSN world. These companies typically offer products which monitor user activity in order to identify and protect users. The modern day threats are so pervasive that even the academic community has addressed this issue by publishing studies which attempt to solve different OSN threats and offer improvements in identity protection.
This paper presents the “big picture” of the current state-of-the-art academic and industry solutions that can protect OSN users from various security and privacy threats. More specifically, this study offers the following contributions: First, we outline the OSN threats that target every user of social networks, with an additional focus on young children and teenagers. Second, we present a thorough overview of the existing solutions to these threats, namely those provided by OSN operators, commercial companies, and academic researchers. Third, we compare and discuss the protection ability of the various solutions. Lastly, we give easy-to-implement recommendations on how OSN users can better protect their security and privacy when using social networks.
The remainder of the paper is organized as follows: In Section II, we introduce insightful statistics on OSNs usage. Next, in Section III, we describe different types of OSN threats. Section IV follows with various solutions to assist in protecting social network users. In Section V, we discuss the various presented threats and their corresponding solutions. In Section VI, we offer recommendations that OSN users can apply in order to improve their online security and privacy. Next, in Section VII, we offer future research directions. Our conclusions are presented in Section VIII.
Today many OSNs have tens of millions of registered users. Facebook, with more than a billion active users, is currently the largest and most popular OSN in the world. Other well-known OSNs are Google+, with over 235 million active users; Twitter, with over 200 million active users; and LinkedIn, with more than 160 million active users. While some experts insist that OSNs are a passing fashion and will eventually be replaced by another Internet fad, current user statistics concur that OSNs are here to stay. A recent survey by the Pew Research Center's Internet and American Life Project revealed that 72% of online American adults use social networking sites, a dramatic increase from the 2005 Pew survey which discovered that just 8% of online American adults used social networking sites. Moreover, the survey revealed that 89% of online American adults between the ages of 18 to 29 use social network sites, while in 2005 only 9% of the survey participants in this age group used this type of site. These survey results are compatible with a previous report published by Nielsen in 2011, disclosing that Americans spent 22.5% of their online time on OSNs and blogs, more than twice the time spent on online games (9.8%). Other common activities that consume Americans' online time include email (7.6%), portals (4.5%), videos and movies (4.4%), searches (4.0%), and instant messaging (3.3%). The amount of collective time spent on OSNs, especially on Facebook, is enormous and ever-growing. U.S. users spent a total of 53.5 billion minutes on Facebook during May 2011, 17.2 billion minutes on Yahoo, and 12.5 billion minutes on Google.
Mobile devices, or cellular phones, increasingly serve as platforms for Internet usage. According to Facebook's report in December 2013, Facebook had 556 million daily active mobile users, an increase of 49% year over year. Additionally, Facebook and Google+ mobile applications are the second and fourth (respectively) most frequently used smartphone applications. It should be noted that the use of OSNs on mobile devices not only promotes an even “closer relationship” to social networks but also can pose additional privacy concerns, especially regarding the collection of location data and the opportunity for advertisers to identify specific types of users.
With the increasing usage of OSNs, many users have unknowingly become exposed to threats both to their privacy and to their security. These threats can be divided into four main categories. The first category contains classic threats, namely, privacy and security threats that not only jeopardize OSN users but also Internet users not using social networks (see Section III-A). The second category covers modern threats, that is, threats that are mostly unique to the environment of OSNs and which use the OSN infrastructure to endanger user privacy and security (see Section III-B). The third category consists of combination threats, where we describe how today's attackers can, and often do, combine various types of attacks in order to create more sophisticated and lethal attacks (see Section III-C). The fourth and last category includes threats specifically targeting children who use social networks (see Section III-D).
Fig. 2 diagrams all the specific threats listed in the following sections. The boundaries between all these categories of threats, however, can become blurred as techniques and targets often overlap.
Classic threats have been a problem ever since the Internet gained widespread usage. Malware, spam, cross-site scripting (XSS) attacks, and phishing are typical examples, and they continue to be an ongoing issue. Though these threats have been addressed in the past, they have become increasingly viral due to the structure and nature of OSNs and can spread quickly among network users. Classic threats can take advantage of a user's personal information published in a social network to attack not only the user but also their friends, simply by adjusting the threat to accommodate the user's personal information.
For example, an attacker can plant malicious code inside an attractive spam message that employs a user's details from his or her Facebook profile. Due to the personal nature of this crafted message, the chances that the unsuspecting user will open the message and get infected are high. In many cases, these threats target essential and everyday user resources such as credit card numbers, account passwords, computing power, and even network bandwidth (in order to send spam emails). Alarmingly, these types of threats can also exploit the infected user's stolen credentials to post messages on the user's behalf or even change the user's personal information.
The different classic threats are described below, along with real-life scenarios where these types of menaces have jeopardized a real user's privacy and security.
Malware is malicious software developed to disrupt a computer's operation in order to collect a user's credentials and gain access to his or her private information. Malware in social networks uses the OSN structure to propagate itself among users and their friends in the network. In some cases, the malware can use the obtained credentials to impersonate the user and send contagious messages to the user's online friends. Koobface was the first malware to successfully propagate through OSNs such as Facebook, MySpace, and Twitter. Upon infection, Koobface attempts to collect login information and enlists the infected computer in a botnet, a so-called "zombie army" of computers which is often then used for criminal activities, such as sending spam messages and attacking other computers and servers over the Internet.
Phishing attacks are a form of social engineering to acquire user-sensitive and private information by impersonating a trustworthy third party. A recent study showed that users who interact on social networking websites are more likely to fall for phishing scams due to their social and trusting nature. Moreover, in recent years, phishing attempts within OSNs have increased sharply. According to the Microsoft Security Intelligence Report, 84.5% of all phishing attacks target social network site users. One such phishing attack occurred on Facebook, luring users onto fake Facebook login pages. Then, the phishing attack spread among Facebook users by inviting friends to click on a link posted on the original user's profile space. Fortunately, Facebook acted to stop this attack.
Spammers are users who use electronic messaging systems in order to send unwanted messages, like advertisements, to other users. OSN spammers use the social networking platform to send advertisement messages to other users by creating fake profiles. The spammers can also use the OSN platform to add comment messages to pages which are viewed by many users in the network. An example of the prevalence of network spamming can be found on Twitter, which has suffered from a massive amount of spam. In August 2009, 11% of Twitter messages were spam messages. However, by the beginning of 2010, Twitter had successfully cut down the percentage of spam messages to 1%. Nevertheless, a 2013 article states, "Social spam, as it already exists on Twitter, will continue to grow and unless the company addresses the problem quickly, it may be the one thing that sinks it."
An XSS attack is an attack against web applications. The attacker who uses XSS exploits the trust of the web client in the web application and causes the web client to run malicious code capable of collecting sensitive information. OSNs, which are themselves web applications, can suffer from XSS attacks. Furthermore, attackers can use an XSS vulnerability combined with the OSN infrastructure to create an XSS worm that can spread virally among social network users. In April 2009, such an XSS worm, called Mikeyy, rapidly transmitted automated tweets across Twitter and infected many users, among them celebrities like Oprah Winfrey and Ashton Kutcher. The Mikeyy worm used an XSS weakness and the Twitter network structure to spread through Twitter user profiles.
Internet fraud, also known as cyber fraud, refers to using Internet access to scam or take advantage of people. In the past, con artists used traditional in-person social networks, such as weekly group meetings, to gradually establish strong bonds with their potential victims. Currently, according to the North American Securities Administrators Association (NASAA), with the rising popularity of online networking, con artists have turned to OSNs to establish trust connections with their victims, and then they take advantage of personal data published in the victims' online profiles. In recent years, for example, fraudsters have been hacking into the accounts of Facebook users who travel abroad. Once they manage to log into a user's account, the scammers cunningly ask the user's friends for assistance in transferring money to the scammer's bank account. One victim of this type of fraud was Abigail Pickett. While traveling in Colombia, Abigail discovered that her Facebook account had been hijacked by someone in Nigeria, and it was being used to send requests for money to her network friends on the pretext that she was “stranded”.
Modern threats are typically unique to OSN environments. Usually these threats specifically target users' personal information as well as the personal information of their friends. For example, an attacker who is trying to gain access to a Facebook user's high school name—viewable only by the user's Facebook friends—can create a fake profile with pertinent details and initiate a friend request to the targeted user. If the user accepts the friend request, his or her details will be exposed to the attacker. Alternatively, the attacker can collect data from the user's Facebook friends and employ an inference attack to infer the high school name from the data collected from the user's friends.
In what follows, we illustrate the various modern threats and real-life scenarios where these types of threats have jeopardized an OSN user's privacy and security.
Clickjacking is a malicious technique which tricks users into clicking on something different from what they intended to click. By using clickjacking, the attacker can manipulate the user into posting spam messages on his or her Facebook timeline, performing "likes" on links unknowingly (also referred to as likejacking), and even opening a microphone and web camera to record the user. An example of a clickjacking attack occurred on Twitter in 2009 when Twitter was plagued by a "Don't Click" attack. The attacker tweeted a link with the message "Don't Click" along with a masked URL (the actual URL domain was hidden). When Twitter users clicked on the "Don't Click" message, the message automatically spread virally and was posted onto their Twitter accounts.
In many OSNs like Twitter and MySpace, users can protect their privacy and anonymity by using pseudonyms. De-anonymization attacks use techniques such as tracking cookies, network topology, and user group memberships to uncover the user's real identity. An example of de-anonymization was demonstrated by Krishnamurthy and Wills, who proved that it is possible for third parties to uncover OSN user identities by linking information leaked via social networking sites. Krishnamurthy and Wills also showed that most users on the studied OSNs were vulnerable to having their OSN identity information leaked via tracking mechanisms, such as tracking cookies. Another example of this type of attack was presented by Wondracek et al.; they offered a method to de-anonymize users in OSNs by using only the users' group memberships. Wondracek et al. tested their method on the Xing OSN and succeeded in identifying 42% of the users. An additional recent example was presented by Peled et al., who introduced a method for matching user profiles across several OSNs. The method was evaluated by matching profiles across Facebook and Xing.
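The group-membership attack of Wondracek et al. reduces to a matching problem: the attacker holds a crawled directory of users and their public group memberships, learns which groups an anonymous visitor belongs to, and looks for the user whose group set best explains that fingerprint. The following is an added example written for this survey, not code from the cited paper or its authors; the user and group identifiers are constructed sample data, the side channel through which the visitor's group set leaks is assumed rather than implemented, and the similarity thresholds are illustrative. The `deanonymize` function refuses to name a victim when the fingerprint is weak or shared by several candidates, which is exactly the condition (a large anonymity set) that defeats the attack.

```python
"""Group-fingerprint matching in the spirit of Wondracek et al. (added example)."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample directory: user id -> set of public group ids (invented data).
CRAWLED_DIRECTORY: Dict[str, Set[str]] = {
    "alice": {"g1", "g2", "g3", "g7"},
    "bob": {"g1", "g4"},
    "carol": {"g2", "g3", "g5", "g6"},
    "dave": {"g1", "g2", "g3"},
}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Similarity of two group sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def rank_candidates(observed: Set[str],
                    directory: Dict[str, Set[str]]) -> List[Tuple[str, float]]:
    """Score every crawled user against the observed fingerprint, best first.
    Ties are broken by name so the ranking is deterministic."""
    scored = [(user, jaccard(observed, groups)) for user, groups in directory.items()]
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored


def anonymity_set(observed: Set[str], directory: Dict[str, Set[str]],
                  min_score: float = 0.6) -> List[str]:
    """Every user the fingerprint cannot rule out (score at or above the
    threshold). The larger this set, the less the leak reveals."""
    return [user for user, score in rank_candidates(observed, directory)
            if score >= min_score]


def deanonymize(observed: Set[str], directory: Dict[str, Set[str]],
                min_score: float = 0.6, min_margin: float = 0.1) -> Optional[str]:
    """Name the visitor only when the best match is strong AND clearly ahead of
    the runner-up; otherwise report failure rather than guess."""
    ranked = rank_candidates(observed, directory)
    if not ranked:
        return None
    best, best_score = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    if best_score < min_score or best_score - runner_up < min_margin:
        return None
    return best


if __name__ == "__main__":
    leaked = {"g1", "g2", "g3", "g7"}   # groups the visitor was observed to belong to
    print(rank_candidates(leaked, CRAWLED_DIRECTORY))
    print(deanonymize(leaked, CRAWLED_DIRECTORY))   # alice
    print(deanonymize({"g1"}, CRAWLED_DIRECTORY))   # None: fingerprint too weak
```

The defensive reading of the same code is the `anonymity_set` function: a user who only joins groups with thousands of members keeps that set large, whereas membership in one small, unusual group collapses it to a single name.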
Many people use OSNs for uploading pictures of themselves and their friends. Millions and millions of photos are uploaded to Facebook each day. Moreover, many Facebook user profile pictures are publicly available to view and download. For instance, the Faces of Facebook website allows Internet users to view the profile images of over 1.2 billion Facebook users. These photos can be used to create a biometric database, which can then be used to identify OSN users without their consent.
In 2011, Acquisti et al. demonstrated the threat of face recognition to OSN user privacy by performing three experiments. The first experiment showed that it is possible to match "online to online" image datasets by using publicly accessible Facebook user profile pictures to re-identify profiles on one of the most popular dating sites in the United States. In their second experiment, Acquisti et al. demonstrated that "offline to online" image datasets can also be matched. Namely, they used publicly available images from Facebook to identify students strolling through campus. In their third experiment, Acquisti et al. illustrated that it is possible to predict personal and sensitive information from a face; an individual's interests, activities, and even his or her social security number could be automatically predicted by matching the face image with the person's Facebook image to obtain the person's full name. Following this action, the attacker could use the obtained name to cross-reference it against other datasets.
Fake profiles (also referred to as sybils or socialbots) are automatic or semi-automatic profiles that mimic human behaviors in OSNs. In many cases, fake profiles can be used to harvest users' personal data from social networks. By initiating friend requests to other users in the OSN, who often accept the requests, the socialbots can gather a user's private data which should be exposed only to the user's friends. Moreover, fake profiles can be used to initiate sybil attacks, publish spam messages, or even manipulate OSN statistics. A recent article asserted that the market of buying fake followers and fake retweets is already a multimillion-dollar business. Additional approaches that generate fake profiles were demonstrated recently by Boshmaf et al., who created an army of more than a hundred Facebook socialbots which then attempted to infiltrate innocent Facebook profiles by initiating a series of friend requests. The socialbot army succeeded in generating approximately 250 GB of inbound Facebook traffic. Moreover, the socialbot friend acceptance rates climbed to 80% whenever a socialbot and an innocent Facebook user had more than eleven friends in common. In some cases, even one well-manipulated fake profile can cause extensive damage, as proven by Thomas Ryan, who assumed the fictional profile of Robin Sage to connect to hundreds of users from various social networking sites.
In an identity clone attack, attackers duplicate a user's online presence, either in the same network or across different networks, to deceive the cloned user's friends into forming a trusting relationship with the cloned profile. The attacker can use this trust to collect personal information about the user's friends or to perform various types of online fraud. An example of an identity clone attack occurred recently with NATO's most senior commander, Admiral James Stavridis. His profile details were cloned and then used to collect data on defense ministry officials and other government officials by tricking them into becoming friends with the newly cloned Facebook profile.
Inference attacks in OSNs are used to predict a user's personal, sensitive information that the user has not chosen to disclose, such as religious affiliation or sexual orientation. These types of attacks can be implemented using data mining techniques combined with publicly available OSN data, such as network topology and data from users' friends. An inference attack was demonstrated by Mislove et al., who presented techniques for predicting a user's attributes based on other users' attributes in the OSN. They tested their techniques and inferred different Facebook users' attributes, such as educational information, personal preferences, and geographic information. Recently, inference attacks on organizations were explored by Fire et al., who presented an algorithm for reconstructing the social network of a targeted organization based solely on publicly available data from social networks. Fire et al. tested their algorithm on six organizations of different scales using publicly available data from the Facebook profiles of the organizations' employees, resulting in a successful reconstruction of the social networks within these six organizations. Additionally, certain details could be inferred about the targeted organizations, some of which were confidential.
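The simplest form of the attribute inference described above relies on homophily: friends tend to share schools, hometowns, and employers, so a hidden field can be recovered by a majority vote over the friends who publish it. The following is an added example written for this survey, not code from Mislove et al. or Fire et al.; the friendship graph, the attribute values, and the support and majority thresholds are constructed for illustration. It goes one step beyond the single-user vote: `propagate` re-runs the inference until it stabilizes, so a hidden attribute can be reached through friends who themselves hid it but were inferred in an earlier round, which is why restricting one's own profile is not enough when one's friends do not.

```python
"""Homophily-based attribute inference with iterated rounds (added example)."""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed friendship graph (undirected edges); invented sample data.
FRIENDSHIPS: List[Tuple[str, str]] = [
    ("target", "u1"), ("target", "u2"), ("target", "u3"), ("target", "u4"),
    ("u4", "u1"), ("u4", "u5"),
]

# Constructed public attribute values; users not listed keep the field hidden.
PUBLIC_SCHOOL: Dict[str, str] = {
    "u1": "Lincoln High", "u2": "Lincoln High",
    "u3": "Roosevelt High", "u5": "Lincoln High",
}


def neighbors(edges: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Adjacency sets for an undirected edge list."""
    adj: Dict[str, Set[str]] = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def infer_attribute(user: str, adj: Dict[str, Set[str]], known: Dict[str, str],
                    min_support: int = 2,
                    min_share: float = 0.5) -> Optional[Tuple[str, float]]:
    """Vote over the friends that disclose the attribute.
    Returns (value, share of voting friends), or None when the evidence is thin:
    fewer than min_support friends vote, or no value wins more than min_share of
    the votes (a tie therefore yields None)."""
    votes = Counter(known[f] for f in adj.get(user, set()) if f in known)
    total = sum(votes.values())
    if total < min_support:
        return None
    value, count = votes.most_common(1)[0]
    share = count / total
    return (value, share) if share > min_share else None


def propagate(adj: Dict[str, Set[str]], known: Dict[str, str],
              max_rounds: int = 10) -> Dict[str, str]:
    """Iterated inference: users labelled in one round become voters in the next.
    Rounds are synchronous (each round votes on the previous round's labels),
    so the outcome does not depend on the order in which users are visited."""
    labels = dict(known)
    for _ in range(max_rounds):
        new_labels = {}
        for user in adj:
            if user in labels:
                continue
            guess = infer_attribute(user, adj, labels)
            if guess is not None:
                new_labels[user] = guess[0]
        if not new_labels:
            break
        labels.update(new_labels)
    return labels


if __name__ == "__main__":
    graph = neighbors(FRIENDSHIPS)
    print(infer_attribute("target", graph, PUBLIC_SCHOOL))   # ('Lincoln High', 0.666...)
    print(propagate(graph, PUBLIC_SCHOOL))                   # u4 and target both labelled
```

Note that "target" never published anything; three of four friends did, and that sufficed. The `min_support` and strict-majority checks are the attacker's precision controls, and also the defender's guide to how much of a friend list must be hidden before this attack stops working.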
OSNs allow users to openly share and exchange information with their friends and other users in the network. In some cases OSN users willingly share sensitive information about themselves and other people, such as health-related information and sobriety status. In a recent study, Torabi and Beznosov observed that 95.8% of 166 participants shared some health-related information through their OSN accounts. Leakage of sensitive and personal information may have negative implications for social network users. For example, insurance companies may use OSN data to identify risky clients. These companies can use leaked OSN information to detect clients with medical conditions, consequently increasing their premiums or denying their coverage. Additionally, employers use social networks for screening job applicants. Therefore, leaking personal information, such as drinking habits, on OSNs may jeopardize future chances of finding employment.
With the increasing use of smart mobile devices that encourage sharing of location information, many people use OSNs to willingly share private and sometimes sensitive information about their (or their friends') current or future whereabouts. A study by Humphreys et al. found that 20.1% of examined Twitter tweets included information on when people were engaging in certain activities, and 12.1% of the tweets mentioned the person's location. Additionally, a study by Mao et al. demonstrated that classifiers can be trained to identify Twitter users' locations in real time. Moreover, Cheng et al. presented a framework for estimating a user's city-level location based on the content of the user's tweets. This type of information can be used by criminals and stalkers. For example, Israel Hyman from Arizona tweeted that he was looking forward to his family vacation to St. Louis. He also tweeted again once he had arrived in Missouri. When Hyman returned home, he discovered that his house had been burglarized. An even more disturbing example of location leakage threats is given by the website Pleaserobme.com, which shows a way to find the location information of specific Twitter and Foursquare users.
In some cases, OSN users unknowingly share their locations by uploading media items, such as photos and videos, which may be embedded with geotagging information about their current and past locations. For example, Adam Savage, the host of the popular science program MythBusters, posted a picture on Twitter of his car parked in front of his house. The uploaded image contained a geotag which exposed the place where the photo was taken.
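The geotag in the Savage case is a handful of EXIF fields: a GPS sub-IFD holding latitude and longitude as degree, minute, and second rationals plus the N/S and E/W reference letters. The following is an added example written for this survey, not code from the paper; it constructs a minimal little-endian TIFF/EXIF structure containing only that GPS IFD (a real JPEG wraps the same structure in an APP1 segment among many other tags), and the coordinates are invented sample values, not a real location. `extract_gps` is the pre-upload check, and `strip_gps` shows the practitioner's caveat: unlinking the GPS IFD from IFD0 is not enough, because the orphaned bytes stay in the file, so the data is zeroed as well.

```python
"""Geotag detection and removal on a minimal EXIF/TIFF blob (added example)."""
import struct
from typing import Dict, Optional, Tuple

TAG_GPS_IFD = 0x8825
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
IfdEntry = Tuple[int, int, int, int]   # (type, count, value-or-offset, position of value field)


def _entry(tag: int, typ: int, count: int, value: bytes) -> bytes:
    """One 12-byte little-endian IFD entry; `value` is the 4-byte value/offset field."""
    return struct.pack("<HHI", tag, typ, count) + value


def build_geotagged_exif(lat_dms, lat_ref: str, lon_dms, lon_ref: str) -> bytes:
    """Construct a TIFF whose IFD0 points at a GPS IFD; dms are (num, den) rationals."""
    ifd0_off = 8                              # right after the 8-byte header
    gps_off = ifd0_off + 2 + 12 * 1 + 4       # IFD0 holds a single entry
    lat_data = gps_off + 2 + 12 * 4 + 4       # GPS IFD holds four entries
    lon_data = lat_data + 3 * 8               # three 8-byte rationals per coordinate
    header = b"II" + struct.pack("<HI", 42, ifd0_off)
    ifd0 = (struct.pack("<H", 1)
            + _entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack("<I", gps_off))
            + struct.pack("<I", 0))
    gps = (struct.pack("<H", 4)
           + _entry(0x0001, TYPE_ASCII, 2, lat_ref.encode("ascii") + b"\x00\x00\x00")
           + _entry(0x0002, TYPE_RATIONAL, 3, struct.pack("<I", lat_data))
           + _entry(0x0003, TYPE_ASCII, 2, lon_ref.encode("ascii") + b"\x00\x00\x00")
           + _entry(0x0004, TYPE_RATIONAL, 3, struct.pack("<I", lon_data))
           + struct.pack("<I", 0))
    rationals = lambda dms: b"".join(struct.pack("<II", n, d) for n, d in dms)
    return header + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)


def _endian(blob: bytes) -> str:
    order = {b"II": "<", b"MM": ">"}.get(bytes(blob[:2]))
    if order is None or struct.unpack_from(order + "H", blob, 2)[0] != 42:
        raise ValueError("not a TIFF/EXIF header")
    return order


def _read_ifd(blob: bytes, off: int, order: str) -> Dict[int, IfdEntry]:
    count = struct.unpack_from(order + "H", blob, off)[0]
    entries: Dict[int, IfdEntry] = {}
    for i in range(count):
        pos = off + 2 + 12 * i
        tag, typ, cnt, val = struct.unpack_from(order + "HHII", blob, pos)
        entries[tag] = (typ, cnt, val, pos + 8)
    return entries


def extract_gps(blob: bytes) -> Optional[Tuple[float, float]]:
    """Decimal (latitude, longitude) if the file carries a complete geotag, else None.
    Anything other than None means the upload would leak a location."""
    order = _endian(blob)
    ifd0 = _read_ifd(blob, struct.unpack_from(order + "I", blob, 4)[0], order)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(blob, ifd0[TAG_GPS_IFD][2], order)
    if not {1, 2, 3, 4} <= gps.keys():
        return None

    def ref(tag: int) -> str:         # ASCII values of four bytes or fewer are inline
        _, cnt, _, pos = gps[tag]
        return bytes(blob[pos:pos + cnt]).rstrip(b"\x00").decode("ascii")

    def degrees(tag: int) -> float:   # RATIONALs live at the offset in the value field
        _, cnt, off, _ = gps[tag]
        parts = [n / den for n, den in
                 (struct.unpack_from(order + "II", blob, off + 8 * i) for i in range(cnt))]
        d, m, s = parts               # EXIF stores degrees, minutes, seconds
        return d + m / 60 + s / 3600

    lat = degrees(2) * (-1 if ref(1) == "S" else 1)
    lon = degrees(4) * (-1 if ref(3) == "W" else 1)
    return lat, lon


def strip_gps(blob: bytes) -> bytes:
    """Copy of the file with the GPS IFD unlinked from IFD0 and its bytes zeroed."""
    order = _endian(blob)
    buf = bytearray(blob)
    ifd0_off = struct.unpack_from(order + "I", buf, 4)[0]
    ifd0 = _read_ifd(buf, ifd0_off, order)
    if TAG_GPS_IFD not in ifd0:
        return bytes(buf)
    gps_off = ifd0[TAG_GPS_IFD][2]
    gps = _read_ifd(buf, gps_off, order)
    for typ, cnt, val, _ in gps.values():          # wipe out-of-line rational data
        if typ == TYPE_RATIONAL:
            buf[val:val + 8 * cnt] = bytes(8 * cnt)
    gps_len = 2 + 12 * len(gps) + 4
    buf[gps_off:gps_off + gps_len] = bytes(gps_len)  # wipe the GPS IFD itself
    old_len = 2 + 12 * len(ifd0) + 4
    next_ifd = struct.unpack_from(order + "I", buf, ifd0_off + old_len - 4)[0]
    kept = [bytes(buf[pos - 8:pos + 4]) for tag, (_, _, _, pos) in ifd0.items()
            if tag != TAG_GPS_IFD]
    new_ifd0 = struct.pack(order + "H", len(kept)) + b"".join(kept) + struct.pack(order + "I", next_ifd)
    buf[ifd0_off:ifd0_off + old_len] = new_ifd0 + bytes(old_len - len(new_ifd0))
    return bytes(buf)


if __name__ == "__main__":
    photo = build_geotagged_exif([(37, 1), (46, 1), (298, 10)], "N",
                                 [(122, 1), (25, 1), (97, 10)], "W")
    print(extract_gps(photo))                  # (37.774944..., -122.419361...)
    print(extract_gps(strip_gps(photo)))       # None
```

Operators that strip EXIF on upload remove the leak for viewers of the published copy, but the original file on the device, and any copy sent through a channel that preserves metadata, still carries it; the check belongs on the client before the upload.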
Socware entails fake and possibly damaging posts and messages from friends in OSNs. Socware may lure victims by offering false rewards to users who install socware-related malicious Facebook applications or visit questionable socware websites. After the users have visited the socware website or installed the relevant application, the installed socware sends messages on the user's behalf to the user's friends, essentially assisting the viral spread of the socware. In 2012, Rahman et al. investigated over 40 million posts and discovered that 49% of the studied users were exposed to at least one socware post in a four-month period. Moreover, Rahman et al. discovered that 13% of 111,000 studied applications were malicious applications that could assist in spreading socware. Additionally, a recent study by Huang et al. studied the ecosystem which enables socware to propagate (cascade). By analyzing data from the profile pages of approximately 3 million Facebook users over a period of five months, they discovered that "socware cascades are supported by Facebook applications that are strategically collaborating with each other in large groups."
Today's attackers can also combine classic and modern threats in order to create a more sophisticated attack. For example, an attacker can use a phishing attack to collect a targeted user's Facebook password and then post a message containing a clickjacking attack on the targeted user's timeline, thus luring the user's Facebook friends to click on the posted message and install a hidden virus onto their own computers. Another example is the use of cloned profiles to collect personal information about friends of the cloned user. Using the friends' personal information, the attacker can send uniquely tailored spam email messages containing a virus. By using personal information, the virus is more likely to be activated.
Note that the recovery processes from classic and modern threats are distinct. In order to recover from a classic attack, like a virus, it is usually possible to simply reinstall the operating system, change the current passwords, and cancel the affected credit cards. However, in order to recover from a modern OSN attack that “steals your reality”, more effort must be made because resetting personal information is excessively time consuming and not always possible. For instance, you could change your email address, but it would be much more difficult to change your home address.
Children, whether young children or teenagers, certainly experience the classic and modern threats detailed above, but there are also threats that intentionally and specifically target younger users of OSNs. Due to the critical nature of this topic, this section highlights those threats, as well as describes specific findings from current studies.
The greatest concern regarding the personal information safety of children relates to Internet pedophiles, also referred to as online predators. Livingstone and Haddon of EU Kids Online defined a typology in order to understand the risk and harm related to the following online activities: harm from content (a child's exposure to pornography or harmful sexual content), harm from contact (a child who is contacted by an adult or another child for the purpose of sexual abuse), and harm from conduct (the child as an active initiator of abusive or risky behaviors). Behaviors that are considered to be Internet sexual exploitation of children include adults using children for the production of child pornography and its distribution, consumption of child pornography, and the use of the Internet as a means to initiate online or offline sexual exploitation. In their study from 2008, Wolak et al. critically examined the myth and reality of the online predator. The image of an Internet predator in the media is that of an adult man who pretends to be a friend to an innocent young boy or girl through whom he collects personal data; he hides his sexual intentions until the actual meeting, which likely involves rape or kidnapping. According to Wolak et al., however, the truth is far more complex. Wolak et al. assert that most Internet-initiated sex crimes indeed start with establishing a relationship between an adult and a child through the use of instant messaging, emails, chats, etc. However, in most cases children are aware of the fact that they are talking to an adult, and if the relationship escalates to attending a real-life meeting, they are aware of and to some extent expect to engage in sexual activity. More often than not, the encounter involves non-forcible sexual activity, yet it is with a person under the age of consent and therefore constitutes a crime. Contrary to the common notion, Wolak et al. discovered that most victims of Internet-initiated sex crimes were teenagers (aged 13 to 17), and none under age 12 were reported. Therefore, these crimes do not fit the clinical definition of pedophilia: "the fantasy or act of sexual activity with prepubescent children". Of course, this does not make the crimes any less distasteful.
Potential risky behaviors of children may include direct online communication with strangers, use of chat rooms for interactions with strangers, sexually explicit talk with strangers, and giving private information and photos to strangers. It should be noted that while each of the above-mentioned behaviors alone poses a risk, the combination of a few of these behaviors can justifiably cause enormous anxiety regarding a child's safety. Wolak et al. maintain that risky online behaviors and specific populations who are more exposed to them can be identified. Additionally, there is a well-established link between online and offline behaviors. Researchers contend that victims of Internet abuse are very often vulnerable children, such as youths with a history of physical or sexual abuse or those who suffer from depression or social interaction problems. All children living with these kinds of issues are at a higher risk of sexual abuse on the Internet or through online-initiated encounters.
Cyberbullying (also referred to as cyber abuse) is bullying that takes place within technological communication platforms, such as emails, chats, phone conversations, and OSNs, by an attacker who uses the platform to harass his victim by sending repeated hurtful messages, sexual remarks, or threats; by publishing embarrassing pictures or videos of the victim; or by engaging in other inappropriate behavior. Today, cyberbullying has become a common phenomenon in OSNs in which the attacker can utilize the network's infrastructure to spread cruel rumors about the victim and share embarrassing pictures with the victim's network of friends. Cyberbullying usually affects children rather than adults. A recent online survey, which included 18,687 parents from 24 countries, revealed that 12% of parents claim their child has been cyberbullied. Additionally, according to the survey's results, the majority of children experienced this harassing behavior on widely used social networking sites like Facebook. Horrifically, in some cases cyberbullying can have catastrophic results, as in the cases of Amanda Michelle Todd and Rebecca Ann Sedwick, both of whom committed suicide after being cyberbullied on Facebook.
In recent years, social network operators, security companies, and academic researchers have tried to deal with the above-mentioned threats by proposing a variety of solutions (see Fig. 3 and Table II). In this section we describe possible solutions which can assist in protecting the security and privacy of OSN users.
OSN operators attempt to protect their users by activating safety measures, such as employing user authentication mechanisms and applying user privacy settings. Several of these techniques are described in detail below.
In order to make sure the user registering or logging into the social network is a real person and not a socialbot or a compromised user account, OSN operators use authentication mechanisms, such as CAPTCHA, photos-of-friends identification, multi-factor authentication, and in some cases even requesting that the user send a copy of his or her government issued ID. As an example, Twitter recently introduced its two-factor authentication mechanism, requiring the user to not only insert a password when logging into Twitter but also provide a verification code that was sent to the user's mobile device.
This mechanism prevents a malicious user from logging in through hijacked accounts and publishing false information through those hijacked accounts. Such a mechanism would thwart incidents such as when hackers hijacked the Associated Press (AP) Twitter account, resulting in the rapid propagation of false information about explosions in the White House, which caused panic on Wall Street.
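As an added illustration (not Twitter's code and not part of the original paper), the server-side half of such a verification-code step: after the password check succeeds, a code is issued for delivery to the user's device, stored only as a keyed hash, and accepted once, within a time limit, in a constant-time comparison, with a small guess budget. The 6-digit format, the five-minute lifetime, the three-guess limit and the placeholder server key are assumptions.

```python
"""Server side of an out-of-band login verification code, as described above.
Added illustration, not Twitter's or the paper's code.  Assumptions: a 6-digit
code, a 5-minute lifetime, three guesses, and a server-side HMAC key that in
practice would live in a key store (a constructed placeholder here)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_TTL_SECONDS = 300          # assumption: code is valid for five minutes
MAX_ATTEMPTS = 3                # assumption: three wrong guesses void the code
SERVER_KEY = b"constructed-placeholder-key"   # placeholder, not a real secret


@dataclass
class PendingCode:
    digest: bytes         # keyed hash of the code, never the code itself
    expires_at: float
    attempts_left: int


def _digest(username: str, code: str) -> bytes:
    # A keyed hash means a leaked table of pending codes cannot be brute-forced
    # offline by enumerating the million possible 6-digit values.
    msg = f"{username}:{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


class SecondFactor:
    """Issue and check one-time codes for users whose password already verified."""

    def __init__(self) -> None:
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Create a fresh code and return it so the caller can hand it to the SMS
        gateway; only its keyed hash is retained.  Re-issuing replaces any older code."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, leading zeros kept
        self._pending[username] = PendingCode(
            _digest(username, code), now + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, username: str, submitted: str, now: Optional[float] = None) -> bool:
        """True exactly once for the current code; False when there is no pending
        code, it expired, it was already used, it is wrong, or guesses ran out."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        if now > entry.expires_at:
            del self._pending[username]
            return False
        if hmac.compare_digest(entry.digest, _digest(username, submitted)):
            del self._pending[username]          # single use
            return True
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:
            del self._pending[username]          # the user must request a new code
        return False
```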
Many OSNs support various configurable user privacy settings that enable users to protect their personal data from other users or applications. Facebook users, for example, can customize their privacy settings and choose which other users in the network (such as Friends, Friends of Friends, and Everyone) are able to view their details, pictures, posts, and other personal information. A similar example of customizable privacy settings exists in Google+: users place each one of their friends into groups, also known as circles, such as Best Friends circle, Work circle, and High School Friends circle. Using these circles, Google+ users can better protect their privacy by deliberately choosing which of their posts are exposed to each circle. Moreover, both Facebook and Google+ enable their users to approve or revoke the access of applications to the users' personal data.
Some OSNs also support extra security configurations which enable the user to activate secure browsing, receive login notifications, and establish other safety features. However, many OSN users still simply maintain the default privacy settings, letting their data be exposed to strangers.
Several OSNs protect their users by implementing additional internal protection mechanisms for defense against spammers, fake profiles, scams, and other threats. Facebook, for example, protects its users from malicious attacks and information collecting by activating the Facebook Immune System (FIS). The FIS is described as an adversarial learning system that performs real-time checks and classifications on read-and-write actions on Facebook's database.
OSN operators can attempt to protect young children and teenage users from harassment by adding an option to report abuse or policy violations by other users in the network. In some countries, social networks like Facebook and Bebo have also added a “Panic Button” to better protect children.
Various commercial companies have expanded their traditional Internet security options and now offer software solutions specifically for OSN users to better protect themselves against threats. In this section, we present mainstream software and application-protection solutions which were developed by well-known security companies, such as Symantec and Check Point, as well as solutions which were created by several startup companies, such as Online Permissions Technologies, and open-source solutions, such as NoScript Security Suite (see also Table I).
Many security companies, such as AVG, Avira, Kaspersky, Panda, McAfee, and Symantec, offer OSN users Internet security solutions. These software suites typically include anti-virus, firewall, and other Internet protection layers which assist OSN users in shielding their computers against threats such as malware, clickjacking, and phishing attacks. For example, McAfee Internet Security software provides its users with protection against various threats such as malware, botnets, and inappropriate sites.
AVG PrivacyFix is software available as a mobile application or a web browser add-on which offers its users a simple way to manage their privacy settings on Facebook, LinkedIn, and Google. Additionally, PrivacyFix helps its users block over 1200 trackers that follow their movements online. The software also tells its users how much revenue they are generating for Facebook and Google.
FB Phishing Protector is a Firefox add-on which warns Facebook users when a suspicious activity is detected, such as a script-injection attempt. This add-on provides protection against various phishing attacks.
Symantec's Norton Safe Web is a Facebook application with more than 500 000 users. It scans the Facebook user's News Feed and warns the user about unsafe links and sites.
McAfee Social Protection is a mobile application which enables Facebook users to safeguard their uploaded photos by letting users control precisely who can view and download their images.
Online Permissions Technologies' MyPermissions is a web service that provides its users with convenient links to the permissions pages for many OSNs, such as Facebook, Twitter, and LinkedIn. These links can help users view and revoke the permissions they had given in the past to various applications, thus better protecting their privacy. Additionally, MyPermissions offers periodic email reminders that prompt users to check their OSN permissions settings.
Trend Micro's Privacy Scanner for Facebook is an Android application which scans the user's privacy settings and identifies risky settings which may lead to privacy concerns. It then assists the user in fixing the settings.
Websense's Defensio web service helps protect social network users from threats like links to malware that could be posted on the user's Facebook page. The Defensio service also assists in preventing information leakage by controlling the user's published content, for example by removing certain words from posts or by filtering specific comments.
Check Point's ZoneAlarm Privacy Scan is a Facebook application which scans recent activity in the user's Facebook account to identify privacy concerns and to control what others can see. For instance, ZoneAlarm Privacy Scan can identify posts that expose the user's private information.
ContentWatch's Net Nanny is software which assists parents in protecting their children from harmful content. Net Nanny lets parents monitor their children's social media activity on different OSN websites, such as Facebook, Twitter, and Flickr.
Infoglide's MinorMonitor is a parental control web service which gives parents a quick dashboard view of their child's Facebook activities and online friends. By using MinorMonitor, parents can be informed about questionable content that may have been revealed to their child, and they can identify over-age friends in their child's Facebook friends list.
Several recently published studies have proposed solutions to various OSN threats. These solutions have primarily focused on identifying malicious users and applications. In this section, we present studies which provide solutions for improving OSN users' privacy settings; for detecting phishing, spammers, cloned and fake profiles, and socware; and for preventing information and location leakage (see footnote 2). These academic solutions provide cutting-edge insight into dealing with social network threats. They can be used by OSN operators to improve their users' security and privacy, by security companies to offer their customers better OSN protection, or by early-adopter OSN users who want to better protect themselves.
In recent years several studies have offered OSN users methods and applications to help them better understand and improve their social network privacy settings. In 2008, Lipford et al. introduced the Audience View interface for Facebook which enables users to view their profiles from the point of view of other Facebook users, whether from the point of view of a friend or that of a complete stranger. This type of interface can help OSN users know exactly which personal details are visible to other users and then change their privacy settings accordingly. In 2010, Fang and LeFevre presented a template for the design of a social networking privacy wizard for OSNs to automatically configure the user's privacy settings with minimal effort from the user. Fang and LeFevre also presented a sample privacy wizard based on their generic template. The sample wizard used active learning algorithms and was found to be “quite effective in reducing the amount of user effort, while still producing high-accuracy settings”. In 2012, Fire et al. presented The Social Privacy Protector add-on which can assist Facebook users in adjusting their privacy settings with just one simple click, according to various predefined privacy-setting usage templates. Also in 2012, Paul et al. offered the C4PS privacy interface which utilizes simple principles of color coding to highlight each attribute in the user's profile with a particular color, depending on the group of people who have access to this attribute. Moreover, the interface enables users to change privacy settings for a specific attribute by simply clicking on buttons located near the specific attribute.
Many researchers have suggested anti-phishing methods to identify and prevent phishing attacks; most of these methods have been based on techniques that attempt to identify phishing websites and phishing URLs. With the increasing number of phishing attacks on OSNs, several researchers have suggested dedicated solutions for identifying social network phishing attacks. In 2012, Lee et al. introduced WarningBird, a suspicious URL detection system for Twitter which can handle phishing attacks that conceal themselves by using conditional redirection URLs. Later in the same year, Aggarwal et al. presented the PhishAri technique, which can detect whether or not a tweet posted with a URL is phishing by utilizing specific Twitter features such as the account age and the number of followers of the user who posted the suspicious tweet.
Many researchers have recently proposed solutions for spammer detection in OSNs. In 2009, Benevenuto et al. offered algorithms for detecting video spammers which succeeded in identifying spammers among YouTube users. In 2010, DeBarr and Wechsler used the graph centrality measure to predict if a user is likely to send spam messages. Wang proposed a method to classify spammers on Twitter by using content and social network graph properties. Stringhini et al. created more than 300 fake profiles (also referred to as “honey-profiles”) on Twitter, Facebook, and MySpace and successfully identified spammers who sent spam messages to the fake profiles. Lee et al. also presented a method for detecting social spammers of different types by using honeypots combined with machine learning algorithms. In 2013, Aggarwal et al. presented machine learning algorithms for detecting various types of spammers in Foursquare. Recently, Bhat and Abulaish introduced a community-based framework to identify OSN spammers. Also, Verma et al. presented a survey which reviews existing techniques for detecting spam users on Twitter.
In 2011, Kontaxis et al. proposed a methodology for detecting social network profile cloning. They designed and implemented a prototype which can be employed to investigate whether or not users have fallen victim to clone attacks. In 2013, Shan et al. presented the CloneSpotter which can be deployed into the OSN infrastructure and can detect cloning attacks by using users' data records, such as a user's login IP records that are available to the OSN operator.
In recent years, researchers have developed algorithms, techniques, and tools to identify fake profiles and prevent various sybil attacks via OSNs (see footnote 3). In 2006, Yu et al. presented the SybilGuard decentralized protocol that assists in preventing sybil attacks. Later, in 2008, Yu et al. also presented the SybilLimit protocol, a near-optimal defense against sybil attacks using social networks. In 2009, Danezis and Mittal offered the SybilInfer defense algorithm which can distinguish between “honest” and “dishonest” users. In the same year, Tran et al. presented the SumUp sybil defense system to limit the number of fake votes cast by sybils.
In 2012, Cao et al. introduced the SybilRank tool which utilizes OSN graph properties to rank users according to their perceived likelihood of being fake. Later, they deployed SybilRank in the operation center of Tuenti, the largest OSN in Spain, and estimated that about 90% of the 200 000 users who received the lowest rank were actually fake profiles. In the same year, Wang et al. proposed a crowdsourced fake profiles detection system and evaluated it using data from Facebook and from Renren, a Chinese OSN. Also, in 2012, Fire et al. presented an algorithm for identifying malicious profiles using the social network's own topological features. They evaluated their methods on three directed OSNs—Academia.edu, Anybeat (see footnote 4), and Google+—and succeeded in identifying fake profiles and spammers. Fire et al. also presented The Social Privacy Protector application which assists Facebook users in identifying fake profiles among their friends. They used the dataset created by The Social Privacy Protector application and developed machine learning classifiers which can identify fake profiles on Facebook. Recently, Wang et al. presented a system which can detect fake profiles based on analyzing clickstream models. Additional surveys regarding solutions to sybil attacks have also been presented by Levine et al. and by Hoffman et al.
In the last few years, several studies have tried to better understand and identify socware. In 2012, Rahman et al. presented the MyPageKeeper Facebook application that aims to protect Facebook users from damaging posts on their timelines. Rahman et al. also presented Facebook's Rigorous Application Evaluator (FRAppE) for detecting malicious applications on Facebook. In 2013, Huang et al. studied the socware ecosystem and discovered several insights about socware propagation characteristics that can assist in future research on the detection and prevention of socware propagation.
In their study on privacy leaks on Twitter, Mao et al. offered a “guardian angel service” that can monitor users' tweets and alert users to potential privacy violations. Their proposed solution can be based on classifiers they constructed throughout their study which can identify tweets containing private information, such as vacation plans. Moreover, Gómez-Hidalgo et al. used Named Entity Recognition (NER) algorithms to prevent data leakage. In their study, they implemented a prototype to demonstrate how their methods can prevent data leakage. Their methods may also be used to prevent OSN users from exposing their locations. Recently, Ghiglieri et al. presented the Personal DLP tool to help OSN users better understand and evaluate the sensitivity of their posted statuses. The study included 221 participants, and the developed Personal DLP prototype was found to have a positive impact on users' privacy awareness.
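To make the graph-based ranking idea concrete, the following is an added illustration in the spirit of SybilRank (not the authors' code and not part of the original paper): trust is seeded at a few verified honest accounts and spread by a short, early-terminated power iteration over the friendship graph, so a fake cluster attached to the honest region by only a couple of "attack edges" ends up at the bottom of the degree-normalized ranking. The graph, the seed choice and the number of iterations are constructed for the demonstration.

```python
"""Trust propagation over the friendship graph in the spirit of SybilRank
(Cao et al.).  Added illustration, not the authors' code.  Trust starts at a
few verified honest 'seed' accounts and spreads by a short power iteration;
a fake cluster that hangs off the honest region by only a few 'attack edges'
receives little trust, so its members sink to the bottom of the ranking.
The graph below is constructed for the demonstration."""
import math
from typing import Dict, Iterable, List, Optional, Set, Tuple

Graph = Dict[str, Set[str]]


def build_graph(edges: Iterable[Tuple[str, str]]) -> Graph:
    """Undirected adjacency sets from a list of friendship edges."""
    g: Graph = {}
    for a, b in edges:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g


def sybil_rank(g: Graph, seeds: List[str],
               iterations: Optional[int] = None) -> Dict[str, float]:
    """Degree-normalized trust per account; lower values are more suspicious.

    Each round every node splits its trust evenly among its friends, so the
    total trust is conserved.  Stopping after about log2(n) rounds (as
    SybilRank does) is what keeps trust from equalizing across attack edges."""
    if iterations is None:
        iterations = math.ceil(math.log2(len(g)))
    total = float(len(g))
    trust = {v: (total / len(seeds) if v in seeds else 0.0) for v in g}
    for _ in range(iterations):
        nxt = {v: 0.0 for v in g}
        for u, friends in g.items():
            if not friends:
                continue                      # isolated account keeps no trust
            share = trust[u] / len(friends)
            for v in friends:
                nxt[v] += share
        trust = nxt
    return {v: trust[v] / max(1, len(g[v])) for v in g}


def bottom_k(g: Graph, seeds: List[str], k: int) -> List[str]:
    """The k lowest-ranked accounts: the review queue an operator would look at first."""
    ranked = sorted(sybil_rank(g, seeds).items(), key=lambda kv: kv[1])
    return [v for v, _ in ranked[:k]]


# Constructed graph: eight honest accounts that all know each other, a clique of
# six fake accounts, and two attack edges (h2-s0, h3-s1) linking the two regions.
HONEST = [f"h{i}" for i in range(8)]
SYBILS = [f"s{i}" for i in range(6)]
EDGES = ([(a, b) for i, a in enumerate(HONEST) for b in HONEST[i + 1:]]
         + [(a, b) for i, a in enumerate(SYBILS) for b in SYBILS[i + 1:]]
         + [("h2", "s0"), ("h3", "s1")])
SEEDS = ["h0", "h1"]        # accounts the operator has verified by hand

if __name__ == "__main__":
    g = build_graph(EDGES)
    for v, score in sorted(sybil_rank(g, SEEDS).items(), key=lambda kv: kv[1]):
        print(f"{v:3s} {score:.4f}")
    print("lowest six:", bottom_k(g, SEEDS, 6))
```

With the constructed graph the honest accounts score around 0.21 to 0.23 while every fake account scores below 0.06, and the lowest six are exactly the six fakes; on a real network the bottom of the list is a triage queue, not a verdict.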
In Section III, we presented the many threats that can jeopardize OSN users' security and privacy. These threats attempt to achieve one or more of the following goals: (a) gain access to the user's resources, such as passwords and credit card numbers (see Section III-A); (b) gain access to the user's private and sensitive information, such as age, political views, and current or future whereabouts (see Section III-B); (c) utilize the gained control over the user's OSN profile as a spreading platform to attack his or her trusting online friends; and (d) locate future potential victims (see Sections III-B and III-D). Some of these threats are passive; they use only the user's lack of awareness or knowledge to achieve their goals. For example, the face recognition threat introduced in Section III-B can simply utilize the user's public profile photos to create a biometric database. Other threats are active, and their goal is to deceive the users. For example, the clickjacking threat tries to trick OSN users into clicking on something different from what they had intended to click (see Section III-B). Alarmingly, many of the presented threats are not limited to cyberspace but have the potential to threaten the user's well-being in the real world as well. For example, it has been suggested that most burglars use OSNs such as Facebook and Twitter to target their victims.
To better protect OSN users from the above mentioned threats, OSN operators, commercial security companies, and academic researchers offer OSN users a variety of security and privacy solutions which are presented in Section IV. Similar to real-world security solutions, these solutions can provide OSN users with several layers of protection against these threats. The first protection layer, which parallels the functionality of a door lock, strives to prevent unwelcome intruders from entering and viewing OSN users' personal posts and details. This layer consists of different security and privacy settings offered by various OSN operators. However, in many cases the average OSN user does not know or is unaware of the best way to “lock” his or her profile, instead leaving the privacy settings on default, which often provides insufficient protection. To assist such users, security companies and academic researchers have developed solutions, such as Privacy Scanner for Facebook, ZoneAlarm Privacy Scan, and The Social Privacy Protector, all of which can assist OSN users in improving their privacy settings. However, much like in real life, sometimes OSN users can forget to “lock their door,” and consequently they may leak sensitive information about themselves, such as their future vacation plans or their medical condition. To prevent this type of exposure, researchers and security companies have offered solutions that automatically scan the users' posted information and prevent them from uploading posts that contain their sensitive information.
The second protection layer parallels the functionality of a security alarm, and it aims to prevent malicious users from collecting OSN users' personal posts and details, that is, to prevent these malicious users from hacking into the innocent users' devices and social network accounts. This layer consists of the different commercial Internet security solutions (see Section IV-B), as well as the various phishing, fake profile, and socware detection solutions offered by academic researchers that the OSN users can install by themselves (see Section IV-C). These types of solutions can be very effective in identifying active threats, which in many cases attempt to infect as many OSN users as possible. In most cases, however, these solutions are insufficient for identifying more targeted threats, such as de-anonymization attacks, identity clone attacks, inference attacks, and online predators, all of which choose to target individuals using an OSN.
The third protection layer, which functions as a security camera, is a special layer specific to children and their OSN use. This layer aims to protect both young children and teenagers by enabling parents to monitor online activity primarily via various monitoring software such as Net Nanny and MinorMonitor. This solution can help parents protect their children from targeted threats such as online predators and cyberbullying.
The fourth protection layer, which can be likened to the functionality of a neighborhood watch, uses the wisdom of the crowd to pinpoint malicious users in the OSN. This layer consists of various solutions such as the option to report other social network users to an OSN operator. OSN users can work together to identify threats such as fake profiles, clickjacking, Internet fraud, socware, and cyberbullying, and report them to the OSN operator.
The fifth protection layer, which parallels the functionality of a police force, includes authentication mechanisms which are responsible for making sure that only real people can log into the OSN. The authentication mechanisms can assist in identifying malicious users, such as socialbots, and prevent them from logging into the OSN and attacking other social network users. Additionally, due to its almost unlimited access to OSN users' data, metadata, and activities, the OSN operator can identify many potential threats based on the full social network topology, along with users' IP addresses, login times, and behavioral patterns, which in most cases are accessible only to the OSN operator. Moreover, as demonstrated in Sections IV-A and IV-C, utilizing these unique datasets can help protect OSN users from threats such as phishing attacks, spammers, cloning attacks, and fake profiles. Fire et al. showed how the OSN operator can utilize the full social network graph topology in order to identify fake profiles and spammers. Furthermore, as demonstrated by Stringhini et al., the OSN operator can use its control over the network to scatter many “honey-profiles” that can assist in identifying malicious users, such as spammers.
These five protection layers can give OSN users sufficient protection against almost all of the threats described in Section III (also see Table II). Moreover, if the OSN users choose to enable only the first three protection layers, they are still safeguarded from most of the described threats. Nevertheless, OSN operators—due to their control of the network, their unique access to all users' data and metadata, and their ability to monitor users' activities—are in the best position to improve their users' security and privacy.
As we have demonstrated throughout this study, OSN users are facing prevalent and varied security and privacy threats. Fortunately, there are many software solutions and techniques that exist today which can assist OSN users in better defending themselves against these threats. In this section, we provide several easy-to-apply methods which can help OSN users improve their security and privacy in social networks such as Facebook and Twitter. We advise OSN users who want to better protect themselves in these platforms to implement the following eight recommendations in each of their OSN accounts:
The field of OSN security and privacy is a new and emerging one, offering many directions to pursue. Security researchers can continually provide better solutions to online threats; they can also discover new security threats to address. We believe that in order to improve the present solutions, the next step is to create synergy among the different security solutions which were presented in Section IV-C. This will create more robust and effective security solutions for detecting fake profiles, spammers, phishing attacks, socware, and other threats.
Besides the creation of synergy, another worthwhile direction is to apply various algorithms to enhance OSN security. A variety of Natural Language Processing (NLP) techniques and temporal analysis algorithms can be utilized; combining these with existing solutions would provide better and more accurate protection against social network threats. For example, researchers can predict many users' private traits, such as age and gender, based on their Facebook likes. Combining this algorithm with other topological-based fake profile detection methods (see Section IV-C) can assist in spotting phony details, such as a false age, thus identifying fake profiles. Other algorithms also can be utilized: Various Data Leak Prevention (DLP) algorithms can analyze and monitor OSN users' posted information, recommending to the users which of their posted information might be sensitive and therefore advised to be removed from social network. Additionally, state-of-the-art anomaly detection algorithms could be used to develop solutions for identifying fake OSN user accounts or OSN user accounts that have been compromised.
A further research direction for improving OSN users' privacy is to analyze and evaluate the different existing privacy solutions offered by OSN operators, pinpointing their shortcomings and suggesting methods for improving privacy solutions. Research that develops techniques to better educate users about these solutions would also be of value, as would techniques to make users more aware of existing OSN threats.
Additional possible future research directions include developing privacy-preserving OSNs, such as Safebook, and developing solutions for privacy-preserving ad hoc social networks (i.e., self-configuring social networks that connect users using mobile devices), such as the semantics-based mobile social network (SMSN) framework. As SMSN grows in popularity, addressing security concerns will be increasingly important.
One additional possible future research direction includes studying the emerging security threats due to the increasing popularity of geo-location tagging of social network users in order to offer solutions for threats with geosocial specificity.
OSNs have become part of our everyday life and, on average, most Internet users spend more time on social networks than in any other online activity (see Section II). We enjoy using OSNs to interact with other people through the sharing of experiences, pictures, and videos. Nevertheless, social networks have a dark side ripe with hackers, fraudsters, and online predators, all of whom are capable of using OSNs as a platform for procuring their future victims. In this paper, we have presented scenarios which threaten OSN users and can jeopardize their identities, privacy, and well-being in both the virtual world as well as the real world (see Section IV-C). Furthermore, we have provided examples of many of the presented threats in order to demonstrate that these threats are real and can endanger every user. We have also emphasized certain threats which challenge the safety of young children and teenagers across the OSN cyberspace.
There are remedies to these threats, and we have offered a range of solutions which help protect an OSN user's privacy and security (see Section IV). However, as demonstrated in Table II, the presented solutions are not magical antidotes that will provide full protection to a user's privacy and security. In order to be well protected against the various online threats, users must stay attentive to the information they post online, and they must employ more than one solution. In many cases, the users should seek the OSN operator's assistance in providing tools (see Section IV-A) both to better protect their privacy and to identify potential threats.
We have outlined eight recommendations that are simple to implement for OSN users to better protect themselves (see Section VI). We advise OSN users to not only adopt our recommendations but also to educate themselves and their loved ones regarding online threats. All social network users must consider very carefully what personal information is being revealed about themselves, about their friends, and about their workplaces. Users should also know that the information they post in OSNs can be cross-referenced with other data sources and could be used to infer their personal and intimate details. If a user's personal information falls into the wrong hands, it could potentially cause a vast amount of damage, and in many cases there is no way to recapture what has been lost.
In addition, parents must monitor their children's activity in these social platforms. As parents, we cannot be naïve; we need to recognize the enticements of social networks and be aware of hidden dangers. We are obligated to educate our children to be aware of potential threats, and we must teach them not to engage with strangers either in the real world or in the cyber world.
As far as future research (see Section VII), OSNs offer fertile ground for new and interesting research with many opportunities to pursue, such as improving the current state-of-the-art security products, discovering new types of security and privacy threats, and developing and evaluating new privacy solutions and schemes. Overall, researchers can play a significant role by recognizing the value of solution synergies and by applying useful techniques and algorithms. Social networks can enhance our lives, but we must take the correct precautions to preserve our security and privacy.
We would like to thank Jennifer Brill and Liza Futerman for proofreading this article. Especially, we want to thank Carol Teegarden for her editing expertise and endless helpful advice which guided this article to completion. We also want to thank the anonymous reviewers for their helpful comments.
The associate editor coordinating the review of this paper and approving it for publication was E. Hossain.
Footnote 1: Location leakage is a private case of information leakage, which was discussed in the previous paragraph. However, due to serious privacy threats that could occur as a result of location leakage, such as location monitoring and stalking, we present this threat in a separate subsection.
Footnote 2: Many of these solutions overlap and can assist in preventing more than one threat. For example, algorithms for identifying fake profiles can also help identify spammers and phishing attacks.
Footnote 3: Although the common goal of both fake profile algorithms and sybil defense algorithms is to identify fake profiles, a difference exists: Fake profile detection algorithms seek to identify fake profiles in general, including cases of cyber predators which hold only a few fake profiles in the OSN; sybil defense algorithms are a private case of fake profile detection algorithms and are usually intended to identify attackers who create a large number of fake profiles in the OSN.
Footnote 4: As of May 2012, the Anybeat OSN has been shut down.