So, do you think you are safe online when sharing a post or a picture of your cat on social media? What would happen if you left your mail somewhere? What about what you post online? How could someone hurt you if they managed to get hold of that information? Let's explore some scary scenarios, but also give you tips on avoiding the digital breadcrumbs that lead back to your digital self.
First, a little bit of background on how the baddies use open source and free tools to gather information about you. You can also play the bad guy against yourself, to uncover how much of your data is out there that you were not aware of.
These tools fall under the OSINT (Open Source Intelligence) category.
Malicious actors have long used specially crafted tools to collect information (much as the police have search tools across a number of databases), and data companies collect so much information about us that many free OSINT tools can gather it. So, what does an innocent individual have in their arsenal to defend themselves? Knowing what information is out there, using the same OSINT tools.
I've tried some of those techniques with my clients to prove how an individual can be targeted and profiled online with cybersecurity tools. Some of my customers have realized how easy it is to get hold of that information and have started being more aware.
Your digital footprint comprises every email you've ever sent, every post you've shared on social media, and every picture you've taken and uploaded to Instagram.
You know what they say about the internet: once it's online, it can never be completely erased. Your digital footprint also contains everything you aren't aware you're doing online. For instance, every time you agree to let a website store cookies and digital information, or your IP address gets stored somewhere, you're adding to your digital footprint. One way to think about digital footprints is to categorize them as either "active" or "passive".
- "Passive" footprints are those you leave behind without intending to or, in some cases, without knowing. For instance, websites that record how many times you have visited in the recent past are adding to your digital footprint in a "passive" fashion. You don't choose to hand them this data; they collect it when a device at your IP address connects to their website. Because this is a hidden process, you may not realize it is happening at all.
- "Active" footprints are those you leave when you make deliberate choices on the Internet. Posts you make to your own social media channels are a well-known form of active footprint. When you are logged into a project management or similar site, changes you make that are tied to your login name are also part of your active footprint.
How to find yourself in 3 steps
- Enter your name into several search engines: Google, Bing, Yahoo or, if you want to stay hidden, DuckDuckGo. If you want to see what someone who is not logged in knows about you, use Google Chrome in incognito mode.
- Use people search tools like ThatsThem, PiPL or Spokeo (paid services: https://www.instantcheckmate.com/ or www.beenverified.com), or check what is on your social media using the FB People Directory, or Facebook Email Search if you just have a personal e-mail address (your own).
- Check the location you're sharing on social media with Creepy, or how much you're sleeping with Facebook Sleep Stats.
Some consequences of identity theft
- A good example is the story of Bennett Arron, who had his identity stolen and made a stand-up show out of it.
- Identity profiling can lead to very targeted phishing campaigns and ultimately result in damage to companies and individuals, as happened to these two C-level executives.
- Burglars target households when people are away. How do they know? Simply by watching social media activity, as in this other example.
- A fraudster can collect information about a bank account from the statement you throw away. They can then call you and impersonate the bank. In those cases, always hang up and call the bank directly on its official number.
Now let’s fix this…
15 Steps To Prevent Your Identity From Being Stolen
Consider whatever you post on social media as being displayed on a big print on the side of a building.
- Use strong passwords (8-11 characters); if you find them difficult to remember, use a password manager like 1Password.
- See if your credentials have been leaked in one of the many credential leaks (LinkedIn, Dropbox, mail etc.) by checking on HaveIBeenPwned.
- Use different usernames and passwords across social media (CheckUserNames finds the same username across different platforms). Try to use a variation of your name on social media unless you want to be identified.
- Remove metadata from images on Windows and Mac, Android or iPhone. A JPEG image carries a lot of information, including the location where it was taken, which can be used to track where you were on a particular date and time. Social media platforms also read this information; nonetheless, only a few of them preserve the EXIF (photo metadata) details, so a picture downloaded from them will usually not contain geotagging and other details.
- Disable location sharing in social media apps or directly on your phone (iPhone or Android).
- Double-check your privacy settings, but don't trust them. Share material only with specific individuals (e.g. a picture of your kids, or where you go on holiday while you are away).
- When moving house, use a redirection service. Royal Mail and other postal services offer one; consider it when moving. If you move house, also inform your bank, the credit card company, utility bill providers and other organizations that send material by post.
- Be mindful of people who might have access to your post (left in an open place, on the patio or in the trash). Contact Royal Mail or your postal provider if you think your post is being stolen, and check whether a mail redirection order has been made in your name without your knowledge.
- Be mindful of documents you throw away that might contain sensitive information: everyone has access to the bin. Also be mindful when recycling paper that contains confidential information. Get hold of a privacy ink stamp (like this one), and shred paper with a shredder (like this one) or shredding scissors.
- Check your credit score to see whether your identity has been used to open a new credit card or another line of credit.
- Set up Google Alerts for when new information about you appears: www.google.com/alerts. This will notify you if your name suddenly appears where it shouldn't.
- Services from Experian and similar companies are paid services that help track identity use, or alert you whenever someone opens a new line of credit on your behalf.
- Get access to your credit score (Experian and Equifax have to issue one free report per year), or use Credit Karma (contains ads). Please note that those companies have had breaches in the past (Experian breach, Equifax breach).
- Browse safely in public places by using a privacy screen on your devices (privacy screens are available for Mac, iPhone and Android/Samsung).
- When connected in public places, use a VPN to prevent profiling from the local WiFi or from a possible rogue WiFi hotspot. See some of the top VPN services, or listen to the advice from Nick Espinosa on VPNs.
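As an added example (not the author's or NSC42's code), here is a dependency-free Python tool for the image-metadata step above: it checks a JPEG for the EXIF GPS pointer that makes a photo a geotag, and strips the EXIF segment while leaving the pixel data intact. The sample JPEG bytes are constructed for the demo; the parser assumes a baseline JPEG carrying EXIF in an APP1 segment and does not handle XMP or IPTC metadata.

```python
import struct
SOI, APP1, SOS = b"\xFF\xD8", 0xE1, 0xDA
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry pointing to the GPS sub-IFD, i.e. a geotag

def iter_segments(data: bytes):  # yields (marker, start, end); SOS spans to EOF
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:  # entropy-coded scan follows; copied through untouched
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _is_exif(data: bytes, marker: int, start: int) -> bool:
    return marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER

def exif_has_gps(data: bytes) -> bool:  # True if IFD0 holds a GPS IFD pointer
    for marker, start, end in iter_segments(data):
        if _is_exif(data, marker, start):
            tiff = data[start + 10:end]
            bo = ">" if tiff[:2] == b"MM" else "<"  # TIFF byte order
            ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
            count = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])[0]
            for i in range(count):  # 12-byte entries, 2-byte tag first
                off = ifd0 + 2 + 12 * i
                if struct.unpack(bo + "H", tiff[off:off + 2])[0] == GPS_IFD_TAG:
                    return True
    return False

def strip_exif(data: bytes) -> bytes:  # drop EXIF APP1 segments, keep the pixels
    out = bytearray(SOI)
    for marker, start, end in iter_segments(data):
        if not _is_exif(data, marker, start):
            out += data[start:end]
    return bytes(out)

def _seg(marker: int, payload: bytes) -> bytes:  # build one marker segment
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
# Constructed sample, not a real photo: JFIF APP0, EXIF APP1 with one GPS pointer entry, bare SOS, EOI
SAMPLE_JPEG = (SOI + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(APP1, EXIF_HEADER + b"MM\x00\x2A\x00\x00\x00\x08\x00\x01\x88\x25\x00\x04"
           + b"\x00\x00\x00\x01\x00\x00\x00\x1A\x00\x00\x00\x00")
    + _seg(SOS, b"\x01\x01\x00\x00\x3F\x00") + b"\xFF\xD9")
```

Run exif_has_gps() over a photo's bytes before uploading it, and use strip_exif() to produce the copy you share; this is what the Windows, Mac and phone removal options in the list do for you.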
More and more companies are becoming data companies, and there is no way of stopping this process. The only defence we have is being aware of the information in use and, as a general principle, treating whatever we share online as publicly available.
This is particularly true for kids, who are unaware of the dangers of the internet. Pass this message down to them and make them aware of the danger; my advice is to turn this activity into a game for them, or the message will never be absorbed. This article forms part of the awareness activities we do as part of the Cloud Security Alliance, and as Director of Events of the UK chapter I'm proud to be part of it. This activity is also endorsed by ISC2 and aligned with its core principles.
Something more advanced:
While there are tons of public resources for getting information about any individual or organization, they are spread across different parts of the internet, sometimes mixed in with security tools and data intelligence utilities. That's why the OSINT Framework plays such an important role.
About the Author: Francesco Cipollone
Francesco Cipollone is a cybersecurity consultant helping NSC42 customers, companies and executives secure themselves online. NSC42 clients often get profiled and targeted by spear phishing. NSC42 will shortly be launching a service to protect our customers' identities and visualize their digital footprint. Connect with me on LinkedIn, Twitter @Franksec42 or get in touch via e-mail at Francesco.cipollone (at) Nsc42.co.uk if you want to know more.