Mark Lanterman | September 22, 2017
In my last article, I discussed the dangers of doxxing and how it can be used to target unsuspecting individuals. Doxxing is essentially the buying, selling, and using of personal information found online, typically with malicious intent. Doxxing-related crime is frequently assisted by the utilization of personal information reseller websites, often containing the personal information of people that aren't even aware it has been posted.
This kind of information may include past and current home addresses, workplaces, and phone numbers. All kinds of information about a person may be publicly available without his or her knowledge.
In today's world, huge amounts of personal information are created and stored, and it's often difficult to manage who has access to our info. While some people take a proactive approach to removing personal information from online sources, others are much more nonchalant. In fact, many share personal information of themselves through social media.
As a cyber security expert, I often feel I am stating the obvious when I give the tried and true advice, "Don't post private information on social media." It seems pretty straightforward and maybe even a little too simplistic to be considered cyber security advice. The issue is, though people tend to always shake their heads in agreement and understanding, it would seem that there is always a degree of confusion as to what "private information" actually means and how important it really is to keep it safe.
As an example, some people like to post pictures of their passports online on any number of social media sites. A lot of people post this kind of photo to share their excitement about an upcoming trip or to memorialize expired passports before obtaining new ones. It may seem harmless to do this. Surely, no one is really that interested in a passport?
Wrong. With just some of the information spotted in a photo, tests have shown that a lot can be done with shared passport information, including the ability to change future flights and figuring out a person's travel schedule. Photos that contain a passport's barcode are especially problematic as these barcodes may be scanned using readily available applications (and may contain more information than is printed on the actual paper copy). In addition to figuring out someone's travel plans, information gleaned from a photo can also be used, at least in part, to obtain access to someone's frequent flyer numbers and associated accounts.
In the same vein, I have seen people post photos of their driver's licenses (especially new drivers), marriage certificates, house deeds, medical records, and one person who got right to the point and posted a picture of her credit card (and posted the three-digit security number on the back of her card in the comments). When it comes to wanting to share, people often feel very safe about posting private information, everything from documents to credit cards, on social media.
So, with the rise of doxxing-related crime and the value of personal data, why are some people so willing to post private information, especially when certain acts of cyber crime, like spear phishing, rely on personalization for their success? I think a lot of it has to do with the attitude of "it won't happen to me."
For some, I think it's hard to believe that anything bad could really happen because you post a picture that happens to contain some private information. I also think that as the digital world becomes an even more ingrained aspect of our society and way of thinking, some users are simply too young or inexperienced to understand the full scope of the consequences their online behavior could potentially have. Furthermore, within this seemingly anonymous space, the tendency is to overshare, especially when it feels like only your friends are interested in what you post.
Without guidance and an appreciation for the "real life" implications, it's very possible that posting personal information doesn't seem like that big of a deal because it feels like everyone's doing it anyway. Though some may not like to think so, social media is a huge responsibility, and knowing what is and what is not appropriate to share takes time to learn.
With this in mind, an initial and very easy step to strengthen your cyber security posture (and the cyber security postures of your family) is to make sure that personal identifying information is never shared on social media applications. And if it has been shared, remove it. This may include the types of sources I listed above, but it also includes any information related to your address, your phone number, your email address, and those belonging to your family and friends. The rule of thumb here is that if you don't want a complete stranger on the street corner to know the information, you don't want to share it on the Internet. If you wouldn't give your phone number to anyone who asked for it, don't share it online either.
In a digital world where information is always at our fingertips, and as a society we tend to want to share everything about our lives on social media, it's important to think before we post. It may be tempting to think that nothing bad will happen, but it is always best to be cautious. Minimizing, or completely refraining from, the posting of sensitive information is a great step toward limiting your personal risk and decreasing the possibility of becoming a target. So, while a beautifully filtered snapshot of your passport may seem like the perfect thing to share in anticipation of your trip to Barbados, it's probably better to keep it to yourself.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.