photo: Avi Richards, Unsplash

6 Simple Tips to Protect Your Privacy Online

Who’s looking over your shoulder? Protecting personal data requires some vigilance and basic tech savvy.

Many of us want to maintain social media accounts, store files online, and use search engines, yet keep our privacy. These are not necessarily mutually exclusive. But protecting personal data requires some vigilance and basic tech savvy.

Here are some tips to help keep your online footprint private:

1. Be careful with file-sharing services.

File sharing is a convenient way to store documents and collaborate, but it may not be the best choice for businesses that prioritize privacy. As Apple co-founder Steve Wozniak pointed out in a Q&A with Business Insider: “The more we transfer everything onto the Web, onto the cloud, the less we’re going to have control over it.”

Your IT department will be the first to tell you that there’s no way to reliably control employees’ access to shared files. Dropbox, a file-sharing service that’s popular with businesses, may leave your data vulnerable: Because companies cannot review a log of people who’ve accessed files, there’s no way to investigate who may have accessed them in case of a leak.

A 2016 Motherboard article reported that hackers stole account information for 60 million Dropbox users. Luckily, the Dropbox data reportedly does not appear to be listed on any of the major Dark Web marketplaces where this sort of data is often sold. This kind of data loses value if it is adequately secured. And, in this case, Dropbox protects passwords with bcrypt, a strong hashing function, which would make it difficult for hackers to identify the true password.

2. Rewrite your [browsing] history. 

Delete your Google or Yahoo search history. Google’s personalized search system uses your past searches to yield the most relevant results to you. Though not risky at first glance, this can influence the results of any open-source research investigators may conduct. And do you really want all that information about your searches, purchases, and map routes out there, being used for no telling what purpose?

To take it a step further, delete your cookies. Cookies are text files stored by browsers that contain details on your particular website visits. You can also turn off the personalized search by clicking “Search Tools” > “All Results” > “Verbatim.”

To search more privately, consider using specialized search engines, such as Duck Duck Go (“DDG”). With DDG, you won’t get personalized search results, because it doesn’t collect any information about the user: no IP address or cookies. It also automatically points you in the direction of encrypted (i.e., secure) websites. Users can also opt in to ad-free searches in advanced settings.

3. Social media accounts get hacked, too.

In 2016, it was reported that the data stolen from LinkedIn in 2012 was up for sale on the Dark Web. The information for sale included emails and passwords of 117 million LinkedIn users. The hacker who goes by the name “Peace” was reportedly selling the data on The Real Deal for 5 bitcoins (approx. $56,563.02 at the time).

Your Facebook, Instagram, and Snapchat accounts aren’t safe either. In September 2017, six million Instagram accounts were hacked, and hackers created an online database where cyber criminals could order private user details for $10 per search.

If you’re curious about the data that Facebook stores on you, download your data: if you go to your Facebook settings and click Download a copy of your Facebook data, you’ll see everything that has been stored about you.

 https://www.facebook.com/settings

Check your privacy settings to make sure you’re not oversharing with apps that you downloaded. You can also see how advertisers may have profiled you by clicking on Privacy > Apps and Privacy > Ads.

Protect your privacy by making your friends list only viewable by you.

Some are going the extra mile and deleting their profiles entirely. Kevin Matthew, a former systems administrator who owns a small web developing company, created a script that takes deleting your Facebook profile to the next level, the goal being to “poison or obfuscate all our data such as timeline posts, likes, comments and other information that we have submitted to Facebook’s systems.” The script replaces posts, comments, and likes with random data five times, over the course of three months and lets the new data sit until it poisons your historical backup and anonymizes your data.

It should be noted that this is advertised as a proof of concept, as it violates Facebook’s terms of service.

4. Mobile payment apps are social media accounts, too.

When we think about social media accounts, we think of Facebook, LinkedIn, Instagram, Twitter, and Snapchat, but one we rarely mention is Venmo. And yet, Venmo contains a treasure trove of information, perhaps even more valuable than the aforementioned social media accounts.

Erin Mackey, Venmo’s spokesperson, told Marketwatch that Venmo’s social feed is why people log on to the app. “Our most active users check Venmo daily and the average user checks Venmo two to three times per week – and it’s not for payments, but to see what their friends and family are doing.” Users don’t appear to have their privacy in mind when making transfers. As a result, users have caught cheating spouses, and friends can keep tabs on each other. Privacy advocate and designer Hang Do Thi Duc released Public by Default, a site that taps into Venmo’s API and illustrates how much information can be collected on someone by tracking their Venmo activity.

Sure, Venmo is a useful OSINT tool for private investigators (some accounts even disclose users’ friends lists), but it’s a little bit dicey for consumers who value privacy: The app shows your payment history by default. If you want to make your own account private, take the following steps:

Choose “Settings,” select “Privacy,” and change your default privacy setting to “Private.” You will be prompted whether you are sure you want to do this or make each individual transaction private. Hit “Change Anyway.” Under “Past Transactions,” click “Change All to Private.”

5. Go forth and browse, but do it safely.

Not all Wi-Fi is created equal. It is not a good idea to bank online at a Wi-Fi café or in your hotel room, even on your own computer. Your login information can be easily intercepted, should there be someone waiting for you to make this mistake.

The same goes for banking online on your smartphone. 

Here are some additional tips for browsing safely:

  • I know it’s inconvenient, but you should use different passwords for every account you have; avoid using the same password for Facebook and your online banking account, for instance.
  • Update your anti-virus and anti-malware.
  • Use the most up-to-date internet browser; some of the updates are security-related.
  • Change your passwords regularly and use letters, numbers, and symbols if you can. The best option is creating a memorable passphrase by stringing a few words together. This would take a computer millions of years to crack.
  • Use an HTTPS connection. This helps ensure a secure connection to your social media account or email.
  • Use two-factor authentication.
  • Check out https://haveibeenpwned.com/ to see whether your email address or associated accounts have been hacked and to receive notifications of any such occurrence. (OSINT tip: It’s also useful to check out websites your subject may have signed up for.)
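
To put numbers on the passphrase tip and on the earlier remark that bcrypt makes stolen passwords hard to recover, here is an added example (not part of the original article) that estimates how long an offline search would take for randomly generated secrets. The guess rates, the 7,776-word list size (a Diceware-style list) and the sample words are assumptions chosen for illustration.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICEWARE_SIZE = 7776      # assumed list size: 6**5, one word per five dice rolls
PRINTABLE_ASCII = 94      # letters, digits and symbols on a US keyboard

# Assumed guess rates against a stolen hash database (illustrative only).
FAST_HASH_RATE = 1e10     # site stored passwords with a fast, unsalted hash
BCRYPT_RATE = 1e4         # site stored passwords with bcrypt

# Constructed sample list so the block runs offline; far too small for real use.
SAMPLE_WORDS = ["anchor", "bramble", "copper", "drizzle", "ember", "fiddle",
                "garnet", "harbor", "island", "jigsaw", "kettle", "lantern",
                "meadow", "nutmeg", "orchard", "pebble"]

def entropy_bits(pool_size, length):
    """Entropy of `length` independent, uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)

def years_to_search(bits, guesses_per_second):
    """Expected years to find the secret: on average half the space is tried."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR

def make_passphrase(words, count):
    """Pick words with the OS CSPRNG; words a person chooses are far weaker."""
    return " ".join(secrets.choice(words) for _ in range(count))

def compare():
    """Map each kind of secret to (bits, years vs fast hash, years vs bcrypt)."""
    candidates = {
        "8 random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "4 random words": entropy_bits(DICEWARE_SIZE, 4),
        "6 random words": entropy_bits(DICEWARE_SIZE, 6),
    }
    return {name: (bits,
                   years_to_search(bits, FAST_HASH_RATE),
                   years_to_search(bits, BCRYPT_RATE))
            for name, bits in candidates.items()}

if __name__ == "__main__":
    print("sample passphrase:", make_passphrase(SAMPLE_WORDS, 4))
    for name, (bits, fast, slow) in compare().items():
        print(f"{name:26s} {bits:5.1f} bits  "
              f"fast hash: {fast:.3g} yr  bcrypt: {slow:.3g} yr")
```

Under these assumptions the result depends on both the number of random words and how the site stores passwords, which is why a unique passphrase per account still matters.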

6. Safeguard your personal data, obviously.

NOT using credit very often can also put you at risk. People who rarely use credit (such as minors and the elderly) are at higher risk for synthetic-identity fraud, a fast-growing type of identity theft that’s costing banks millions — and it’s extremely difficult to investigate.

In this type of fraud, scammers steal personal data (such as a SS#) and layer on fake information to create a new identity. They play a long con, spending months or years building a credit history for a fictional person. Simply applying for loans (even if denied) can add up to a sort of mini-credit history, a “credit file” which can graduate to become a legitimate-looking credit report. Armed with that, the fictitious person can qualify for credit cards and start racking up debt.

Then, of course, the nonexistent debtor disappears, AAIGH. “This is not a victimless offense,” said U.S. District Judge Mark H. Cohen, in a sentencing hearing. “This is basically abusing the credit system, of frankly, this country.” (Source: WSJ)

Individuals can be victims, too. If a thief uses your Social Security number to build an identity and commit fraud, the fallout can damage your credit or even cause you legal headaches. It’s tough to defend yourself against this kind of scammer. As always, destroy or safeguard documents that contain identifying information (especially your SS#), and never give out this information by phone or email — assume the caller is a scammer until they can prove otherwise. Watch your credit reports and Social Security statement for evidence of financial activity that isn’t yours. And open mail in someone else’s name that comes to your address — this could be evidence that someone is constructing an identity using some of your information, and that you may be a victim of a data breach somewhere.

If you have no plans to open a new credit account, consider freezing your credit. A credit freeze restricts access to your credit report to prevent identity theft or any misuse of your personal information. It protects you from the cost and disruption that can occur when identity thieves attempt to open new accounts in your name.

A version of this article first appeared on the B2B Investigations blog.

About the Author:

Talia Cohen is founder of b2b investigations, a privately-owned NYC and Miami investigations practice specializing in due diligence and complex investigations.   


Sources:

“Steve Wozniak: Cloud Computing Will Cause ‘Horrible Problems In The Next Five Years,’” by Seth Fiegerman (Business Insider, Aug. 6, 2012).

“6 Reasons Why Dropbox Isn’t Secure Enough for Business,” by Josh Topal (Business 2 Community, Feb. 27, 2014).

“Hackers Stole Account Details for Over 60 Million Dropbox Users,” by Joseph Cox (Vice, Aug. 30, 2016).

“LinkedIn Accounts Hacked in 2012. Damages Coming Out Now,” by Anne Howard (The Scope Weekly, May 24, 2016).

“Six million Instagram accounts hacked: how to protect yourself,” by Matthew Field (The Telegraph, Sept. 4, 2017).

“#DeleteFacebook : How To Poison, Obfuscate And Purge Your Facebook Data Before Deleting Your Account,” by Shift8 (shift8web, Mar. 28, 2018).

“People use Venmo to spy on cheating spouses—it’s proving more effective than Facebook,” by Leslie Albrecht (Marketwatch, July 3, 2018).

“Synthetic Identity Theft,” by Julia Kagan (Investopedia).

“The Battle Against Synthetic Identity Fraud Is Just Beginning,” by Alan McIntyre (Forbes, Feb. 7, 2018).

“The New ID Theft: Thousands of Credit Applicants Who Don’t Exist,” by Peter Rudegeair and AnnaMaria Andriotis (Wall Street Journal, Mar. 6, 2018).