Social Media, the Identity Thief’s best Friend

Posted on March 3, 2014


Are you a squeaky hinge?

Do you seep PII (Personally Identifiable Information)?

Are you the weakest link?

When I do reviews of individuals’ online visibility and exposure to identity theft, or raised profile for physical burglary, it is not always the individuals themselves who are the cause of their downfall but third parties. A compromised eCommerce site is the most volunteered cause of such a loss of PII, and whilst poor eCommerce site security is often the culprit when it comes to credit or bank card exposure, it is almost always much closer to home when it comes to everything else.

With social media platforms abounding, whether you are active or passive in your participation, simply having a profile puts you at the centre of your own spinning web of growing visibility. By association, everyone who engages with you online is blowing your cover, like a dripping tap adding to the visibility and insights that can be drawn about you. Home and work addresses complete with telephone numbers come far too easily. When subject to a little bit of additional traditional PI (Private Investigator) endeavour, the gaps are quickly filled with DOB and a rich blend of immediate family members, rendering most online media socialites an open book, ripe for a rip-off. It is therefore not a matter of if but when and how your identity will be harvested. The uses abound, from social media platforms data mining to focus advertising at you, to a level of exposure that makes a mockery of the usual bank checks, such as:

  • Date of Birth
  • Mother’s maiden name
  • Post Code
  • Telephone number

This use of information validation is a vaporous fig leaf in terms of protection, but fertile material for a complete stranger to start applying for credit in your name and/or trying to access your bank through some form of social engineering. After all, when was the last time you had a regular contact in your bank who would recognise your voice, or face even?

The issue here is invariably not you. It is your immediate peer group of ‘friends’ and acquaintances. Individuals who disclose in complete innocence (you hope) snippets of your life and identity which in isolation come over as completely innocuous, but when collated systematically combine to form a veritable treasure trove of information.

Like the scenario of the jet-setting playboy with the multimillion pound Mews house in New York complete with Ferrari in the garage. Due to his infrequent visits, his property agent was instructed to check the house over once a month and to turn the engine over on the shiny yellow beast in the basement. All very run of the mill and something that occurs the world over. But for an idle moment sitting behind the wheel of said yellow Ferrari with smartphone in hand, a snapshot of the famous logo and dashboard seemed completely innocent at the time, apparently completely anonymous, so what was the harm in posting it as yet another piece of some nobody’s Facebook trivia and ego boost as it pops up visible to all those ‘friends’.

Two months later, following a police investigation of a housebreaking and the recovery of one stolen yellow Ferrari (thanks to a chassis-embedded tracking device), it transpired that a gang of high end car thieves were using Facebook amongst other social media sites to compile a shopping list of high end cars for their lucrative steal-to-order business.

In this case they identified the car through the agent’s Facebook page and had little challenge finding the agent’s place of work to then follow said agent to locate the car. The rest, as they say, is in the Police records.

This is not some high tech top market exclusive group of intellectual thieves, but some very basic everyday people using the Internet to harvest information that can target individuals in their own homes almost in real time.

Techniques used by burglars include:

  • Google Street View – enables thieves to case properties in advance without any exposure.
  • Techniques common to stalkers, to ID vulnerable properties or assets.
  • Searches on Facebook and Twitter can be tailored to ID target user groups when they leave local jurisdictions and are therefore likely to be out of the country.
  • Foursquare broadcasting when individuals are at transit locations such as airports and stations. Combine these to build individual movement profiles.
  • Facebook’s ‘Open Graph’ search is a superhighway to targeting user profiles with publicly exposed data.
  • Location tagging – Mobile phone apps increasingly defaulting to broadcast location.
  • Document and image metadata such as ‘EXIF’ embedded into image files.

What you can do to stop this is not as easy as you think. Trying to rein in this data once outed is almost impossible. Facebook is merciless in holding onto your data and exposing it at their leisure when they elect to change their privacy rules, as they have done many times.

Peer pressure makes it hard to get friends to respect your privacy and not post photos and other revealing data about you. Anonymity is not as simple as people think. A photo today often gives away more than it reveals on the surface, just got to to find out what digital delights are contained in an image file, such as GPS location etc.
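The GPS and other metadata an image file can carry can be checked for and removed before a photo is shared. The following is an added example, not code from the original post: it uses only the Python standard library, the function names are hypothetical, and the sample JPEG is constructed inline (it holds metadata segments but no viewable picture).

```python
import struct

EXIF_HDR = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points to the GPS sub-directory

def header_segments(jpeg):
    """Yield (marker, start, end) for each segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def has_gps(jpeg):
    """True if an Exif APP1 segment's first directory (IFD0) has a GPS pointer."""
    for marker, start, end in header_segments(jpeg):
        body = jpeg[start + 4:end]
        if marker != 0xE1 or not body.startswith(EXIF_HDR) or len(body) < 14:
            continue
        tiff = body[len(EXIF_HDR):]
        order = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
        (ifd0,) = struct.unpack(order + "I", tiff[4:8])
        count = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2].ljust(2, b"\0"))[0]
        stop = min(ifd0 + 2 + 12 * count, len(tiff) - 1)
        tags = [struct.unpack(order + "H", tiff[o:o + 2])[0]
                for o in range(ifd0 + 2, stop, 12)]
        if GPS_IFD_TAG in tags:
            return True
    return False

def strip_metadata(jpeg):
    """Return the JPEG with every APP1 segment (Exif and XMP) removed."""
    out, rest = bytearray(jpeg[:2]), 2
    for marker, start, end in header_segments(jpeg):
        if marker != 0xE1:
            out += jpeg[start:end]
        rest = end
    return bytes(out + jpeg[rest:])  # scan data and EOI are copied untouched

def constructed_sample():
    """Constructed test input: SOI, JFIF APP0, Exif APP1 with GPS tag, SOS, EOI."""
    tiff = (b"MM\x00\x2a" + struct.pack(">IH", 8, 1)
            + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26) + b"\x00" * 10)
    exif = EXIF_HDR + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02\x00\xff\xd9"
```

Run `has_gps()` on the bytes of a photo before posting it, and post the output of `strip_metadata()` instead if it returns True.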

It’s better late than never, so maybe try some of the following:

  • Stop using Facebook, this is probably a tall order but it represents the world’s largest surveillance platform. At least lock down your privacy settings and be VERY selective over whom you ‘friend’. Maybe it’s time to cull some of those less familiar connections and start going for trusted quality rather than ego pumping quantity. Also stop sharing with friends of ‘friends’.
  • Stop using Google Gmail, or associated free document collaboration services. Google scans all your communications, and this is you also imposing exposure on those you choose to communicate with, as you are inviting them into this surveillance trap.
  • Do not share movement information such as vacations, or if you must do so retrospectively NOT real time.
  • Proactively search for and disable location sharing functionality on your mobile apps and social media platforms.
  • If a mobile app or online social media platform does not allow you to disable location sharing, delete it.
  • Use a VPN proxy to obfuscate your location. There are plenty of free ones out there; see a good article on the subject, ‘Why you should start using a VPN’.
  • Improve your home security. Use technology in your favour, such as WiFi cameras that can monitor your home and capture video. If you do get burgled then at least you can have evidence. But PLEASE make sure you are relaying the data to a secure file share, NOT saving it to your home server which is likely to get stolen!!
  • Remember the biggest deterrent to burglars is VISIBLE alarm systems. These will deflect 90% according to industry insights.
  • Create clear mental demarcation lines so you become discounted about what you do online and also apply this to how you relate to other people’s data.
  • Stop posting information just for the sake of it. It all adds up, whether it is about you or someone else.
  • Anonymity DOES NOT EXIST in a Big Data world. Nothing you put up will be anonymous for long.

The biggest thing you can do is start leading by example: start turning off the firehose of your own PII flooding into the public domain.