I am a fan of LinkedIn. I think it is a great way to interact with business colleagues and peers. But to me, LinkedIn is not a system of trust. It is a system of convenience. One of the most powerful features LinkedIn touts is the ability to associate with other peers in your circle of influence, create and receive recommendations, and more recently be endorsed for skills and expertise.
LinkedIn is becoming a platform of professionals. You can easily look up the profile of someone and learn where they work, and in what capacity. Many sales teams use it to learn more about a prospect, and C level executives like myself use it to understand the reporting structure when we are contacted for business development opportunities.
Here’s the thing though. You can’t trust LinkedIn. That’s right. You simply cannot trust it. And let me tell you why.
The open platform makes it easy for you to create an account and associate yourself with the company you work for. The problem is ANYONE can do this with ANY company. LinkedIn turns from being a platform of professional association into a social engineering attack platform.
At Scorpion Software we are going through this right now. We are dealing with a security incident in which a “professional” (and I put that in quotes on purpose, as foul language is not appropriate here) has associated himself with our company, representing himself as the “Regional sales coordinator” at Scorpion Software. Problem is, he’s not. Worse yet, we don’t know this person and have no association with him whatsoever.
We contacted LinkedIn about this several weeks ago in an effort to have him removed, because we CAN’T remove him from our company ourselves. He has been able to walk around Vancouver representing himself as a member of our team, when he simply isn’t. Worse yet, he could easily subscribe to the LinkedIn groups we are part of and start posting as a representative of the company. This could put our business reputation on the line if he were to make false statements or otherwise misrepresent the company.
Here is where it gets even more interesting. This got me thinking. An adversary of ANY company could create an account on LinkedIn and then “associate” himself with a target through the same platform. He could phone you up and use this as a social engineering bridge to gain inherited trust, because you believe LinkedIn shows he can be trusted. After all, he is associated with the company you trust on LinkedIn. He must be OK. Right? How much further would it need to go before there is an information disclosure breach, or worse, because of that implicit trust? How hard would it be to create a fake persona with a work history, an identity that is pure fiction? Not hard at all.
LinkedIn as an identity proof is a failure. You cannot simply trust what someone has on their profile. You have to look at the associations, recommendations and links. You will notice, as an example, that the person pretending to be with our company has NO ASSOCIATIONS with our company.
I will make you this promise. If someone shows as an employee (or alumni) of Scorpion Software, they will have a first level association with me (Dana Epp). If they don’t, you should consider them suspect.
Since the original incident report, LinkedIn has indeed removed him from our list of employees. However, if you view our company page while not logged on, you will still see him listed as a new employee. Apparently LinkedIn still has some work to do on how they triage and deal with security incidents involving identity misrepresentation.
So don’t trust LinkedIn blindly. Be careful. Look closely at the associations. Verify the person before you trust them. Use the tools built into LinkedIn to strengthen the reputation score of someone you are not sure of. As the National Cyber Security Awareness campaign is trying to teach you… STOP. THINK. CONNECT. I’ll add another piece to that and say TRUST… BUT VERIFY.
And if you are EVER unsure about staff at our company, email me directly at email@example.com, or follow me on Twitter at @danaepp and send me a private message. I will vouch for anyone on my team that you may have business dealings with.