Ok, so Apple’s iCloud is in the news for data breaches, Facebook is constantly in the news with privacy issues; other social media sites get hammered by the media on a regular basis and let’s not forget that in the absence of a good story, the media itself will hack your phones to look for one.
The problem is that it is not necessarily the providers that represent the weak link; but the people who use them, the service suppliers such as banks, and the processes they use for security.
If you want to know personal data, simply ask for it
A few weeks ago, I stood in a queue to be served by a travel agent who was exchanging currency. The person in front of me quite happily announced his home address, date of birth and bank details to everybody else in the queue.
All that was missing was his mother’s maiden name and anybody else would have enough information to call the bank, discuss the account and make any changes as necessary – or even to apply for a credit card in his name.
Enter the noisy neighbour
All this may seem a little paranoid, but recent events made it clear to me just how easy it is to glean personal data without breaking any laws or hacking anything. Just look properly.
For months our home lives have been disrupted by an ASBO neighbour who likes to announce her presence with loud music regardless of how many people are inconvenienced by it.
In our latest complaint to the authorities we were asked if we knew the name of this person. We didn’t know anything about them other than there were three people living in the house, and obviously the address itself.
As it turned out, that was all we needed to produce 2 generations of family tree within one hour – and it took very little effort and only using publicly available information.
Identifying the Residents
Online council records (publicly available; and not just from the council) identified the names of all the residents of the house for the last 14+ years. Currently they consist of one female aged 20-24 (the daughter), one female aged 30-34 (we’ll call her mum1), and one male aged 40-44 (we’ll call him dad).
Dad had the same surname as mum, but daughter had a different surname and was too old to be the daughter of mum1.
I needed more information to piece tis together, so I looked through older records of residents and discovered that previous occupants included a son (aged 20-24) with the same surname as the daughter, and a mum2 (aged 50-54) with the same surname as dad.
Building the family tree
This was going to take some putting together because there was obviously some complicated relationship going on here; so I decided to use some free genealogy software to map it and turned to social media to look for answers to the different surname conundrum.
A quick google identified a handful of females in the area with Facebook accounts and the same name as daughter. Looking at the photos on Facebook quickly identified the daughter and she had her profile set to public.
So, despite all the possible security settings in Facebook – this account was wide open.
A quick dig around quickly revealed that mum2 was the true mother; a birthday cake and greetings revealed daughter’s exact date of birth; and wedding photo’s revealed her mother’s new family and the date and place of the wedding.
Mum2’s Facebook account was friends only which meant that I could not view it. No photo’s, no visible friends. In fact, Facebook had that account tightly tied down and she was making good use of the security. One post on her timeline was visible, however, and it had 20+ likes – and I could easily see every person who had liked that post.
Within 5 minutes I had identified several people who were related to mum2 and who revealed in their own posts, pictures and likes all the information that mum2 had hidden with her security settings.
I was slowly piecing together all the information to explain this complicated household, but I needed a bit more information. There was no tangible relationship between mum1, son and daughter and she had no social media accounts.
A Duedil check revealed more information about mum1 – full name, year of birth and nationality and directorship of a business. Likewise dad was a director of a business with accountants on the South Coast – whilst he lived up north.
Now for some Genealogy
Finally, we move on to the Genealogy sites and we can build the whole picture.
We identify that:
- dad is not related at all to son or daughter, and neither is mum1.
- mum2 is the mother of both son and daughter and son is living with her whilst daughter is living with stepdad and his new wife.
- mum2 has been married 3 times – first to son and daughters father, then to dad and then her latest man.
- dad in the meantime has been married twice – once to mum2 and now to mum1.
- dad used to live down south, now lives up north, but his accountants are down south.
- mum2 has lived up north all her life and had her children in the local hospital
- mum1 has moved over from abroad and only recently married dad
All I originally knew about these people was that daughter had made our lives a misery with her noise for over 6 months.
Within just one hour I had identified enough information for a criminal to steal this person’s identity – name, address, date of birth, mother’s maiden name, pets, friends, place of birth previous addresses etc.
No laws had been broken, no accounts had been hacked – I was simply using information that was publicly accessible to anybody.
The conclusion is quite simple: personal data is not safe on the internet; even if you put in all the controls that are available.
Be careful what you post on social media
Be careful what your friends post on social media
Don’t rely on your date of birth, mother’s maiden name or any of the other “default” questions to be safe security questions and answers.
Use two step security wherever possible and use information that is NOT used anywhere else.