Introduction
With so much of our info available online and social media full of oversharing, it's more important than ever to know the implications of what you're sharing and how it can be used against you.
Malicious actors are always coming up with new tricks to target high-profile people, oversharers, those who aren’t tech-savvy, and those who are too trusting, so it’s crucial to stay vigilant and know how to protect your personal data.
In this three-part blog series, “Securing Your Digital Footprint”, we shall give an overview of the importance of digital footprints and relevant privacy risks in the age of social media, how digital footprints can be exploited by malicious actors, as well as best practice advice for securing your digital footprint.
Current digital identity challenges on the internet and social media
The Internet and social media have become huge parts of our lives, but the information they collect on us now creates its own set of challenges. Here are a few key issues that may be posed by our digital footprints:
Increased privacy risks
Sharing personal details online can make you a target for cybercriminals and can provide them with the information needed to craft tailored attacks. There’s the classic example of posting a photo with your password on a sticky note in the background, but there are many more cases in which small or seemingly benign details can be used for scary things.
You might know not to tag your location on social media, but there are other ways hackers can find out where you are. One of the easiest is a public profile on a location-based app such as Strava: it leaves your running or biking routes publicly visible, and those routes can be used to trace your home address, your office (if you commute via bike) or your hotels while travelling.
Screenshot of a Strava profile; depicts someone’s commute via bike and reveals both their home and office locations
On photo sharing apps, refraining from tagging locations in your posts may not even be enough to prevent a malicious actor from learning your physical location. Most photographs with a sufficiently unique background or setting, especially when considered alongside all the other information a person's social media reveals about them, can be used to reverse engineer the exact physical location.
For example, a photo your daughter posts from her university dorm room with the view from her window included in the background can be used to find her exact room in the dormitory building, even if she hasn’t ever posted what university she attends – in all likelihood, one of her friends she follows or includes in her posts will have exposed such information on their profile.
A skyline view from someone’s dorm – using the perspective lines relative to the buildings shown through the window, you might even be able to determine the exact floor of the building this person lives on
Finding your home address could be done in a number of ways. Some are relatively easy, such as searching online people search sites; others are more challenging, such as reverse engineering someone’s address from photos of the view from their home or apartment.
Once an attacker can find your home address, they can use that information to find plenty of additional information, such as identifying the car you drive from photos on Google Street View, the floorplans of your house from a historic realtor listing, specific contractors who’ve worked on your property from historic permitting records made public by your municipality, and more.
Detailed floor plan photos found online after determining someone’s address
Another category of information an attacker may try to learn about you is who you’re connected with – while your close family members may be identifiable using public birth records or people search sites, allowing your friends or following lists to be publicly viewable on social media makes it so friends and extended family members can be easily identified as well. Other publications about major events, such as wedding announcements or obituaries, can also yield such information.
Wedding photograph posted to Facebook revealing faces of parents along with friends and family members
Finally, contact information such as your email address or phone number is among the most valuable types of information a cybercriminal could find on you. Your personal email may sometimes be revealed on your social media accounts, such as on LinkedIn, if you’ve failed to limit its visibility. If someone finds your email address, they can immediately search for it in data breach records to find further information on you, such as your passwords, usernames, address, credit card information, social security number, and more.
Email address can be found on someone’s LinkedIn profile if they haven’t changed the privacy setting
The trickiest thing about this problem is that the pieces of information an attacker finds about you online can be combined, and each one multiplies the value of the others. Posting to Facebook a screenshot from your phone of an email you received may seem innocuous, but from that, an attacker might be able to determine your personal email address and find out that you use an iPhone. From there, if they’re able to find your password in a public data breach record and you tend to reuse your passwords, they most likely can gain access to your iCloud account and wreak all sorts of havoc.
In this manner, each additional piece of information an attacker can gain from your digital footprint just makes it all the easier for them to find some way of exploiting you.
In our next blog in this series, we dive into how cybercriminals exploit the information in your digital footprint. Stay tuned for the next instalment.