We all know not to share our passwords publically. Most people are smart enough not to share other identifying details publicly, like home address or date of birth, yet people keep doing all these and more, opening us to identity theft, harassment, and for the criminally-inclined, conviction. Here are some mistakes people make, sometimes commonly, without realising the implications.
Posting A High-Resolution Photo Of Your Hand and Unwittingly, Fingerprints
Drug dealer Carl Stewart, 39, from Liverpool, learned this the hard way when he posted a photo of some cheese in a local supermarket. . Police had infiltrated the encrypted criminal messaging service EncroChat where the photo was posted, and were able to identify the individual because the photo was high enough resolution to show his fingerprints.
Has anyone been framed based on recreated fingerprints? Not yet, but perhaps it’s a matter of time.
Posting A Photo of Your Mailing Address, Even With The Address Blacked Out
When Australian YouTuber (I guess we’re now calling them “influencers”?) communitychannel aka Natalie Tran posted the following tweet to her quarter-million followers, I knew right away she’d just shared her address with the world, even though she blacked out the address. Can you tell how?
— natalie tran (@natalietran) August 1, 2017
The Intelligent Mail barcode (IM barcode) at the top can be reproduced to send mail to her. It can also be entered into a reverse lookup site or software to get the mailer ID or even address if you’re crafty enough. Or just recreate the barcode, and put a GPS tracking keyring in the post and see where it goes.
In Natalie’s case, the story made The Sydney Morning Herald, a mainstream news publication, getting even more exposure, proving that journalists are ignorant of the fact that they may as well be sharing someone’s address. It’s surprisingly common.
Take this low-resolution photo posted on The Daily Californian which is too low resolution to make out an address, but clear enough to read the barcode.
Posting Your Boarding Pass
When former Australian Prime Minister Tony Abbott posted his boarding pass to his Instagram, hacker Alex Hope (aka mangopdf) took the challenge to see what he could do with it. At the time he was able to determine passenger:
- passport details
- phone number
- comments between airline staff
Alex tried his best to alert both the airline and former Prime Minister’s office of the holes in the system that exposed this information, which were fixed by the time he posted a full rundown of what he did. I highly recommend that article, which is both informative and a delightful, entertaining read.
As Alex points out:
“People post their boarding passes all the time, because it’s not clear that they’re meant to be secret”
Your or Your Child’s Citizenship or Residency Papers
As an Australian ex-pat based in the US, I get the pride in gainling permanent residency or aquiring local citizenship. Yet the frequency with which people publicly share documents with information that could be used for identity theft on Instagram and Reddit, closed but large Facebook groups (such as Australians in America), or with their many hundreds or thousands of Facebook friends, always astounds me.
If you are going to post a picture with high enough resolution to read one of these documents, remember to censor all fields that you sometimes get asked to verify your identity, including innocuous ones that anyone who personally knows you may deduce, like place of birth, full legal name, birthday, etc.
Most photos of identifying documents in a wide or medium shot photograph, such as an adult holding up a piece of paper are too low resolution to read the document. The common thing I see is people posting photos of their baby next to a full size (not passport or ID card sized) citizenship document. By all means post a photo of your baby with a cute onsie and perhaps a prop representing your country’s culture, but do remember to redact the document.
Posting A Photo or Footage of a Key
Keys for consumer-grade locks are easily reproducible, from even a photo. In fact, it’s probably a good idea to keep a photo of any important keys in a safe place, in case you ever need to reproduce them when in a bind.
Duplicating a key from a photo is easy, as explained in the below video.
A big no-no is posting a photo of a key online, which I have seen more than once to demonstrate an item’s size in an online for-sale listing. “Key for scale” may as well be enclosing a copy of your key for anyone to access your home. I have contacted several people over the years advising them to switch out their photo.
An extreme example of this involved a 2006 television broadcast of a set of prison keys in London, resulting in the production company being sued for £300,000. As one Reddit commenter pointed out, the large cost stems not from the cost of new keys and changing locks, but from the time involved in taking each prisoner out of their cell under guard for 30 minutes each.
Stupid Viral Questions
The common “secret question and answer” method of password recovery and the now-thankfully-dead method of password-hints were already deeply flawed long before there were viral memes asking you to publicly answer silly, fun questions. As the now-viral Facebook post by Alan Belniak points out, though nostalgic, and a way to engage with others, they’re actually handing out the keys to your accounts passwords. No matter how benign these seem, there’s always a chance an account you created years ago is protected by the answers you give.
This is called “Social Engineering” which CSO (Chief Security Officer) Magazine defines as
“the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data”.
Or to put it another way…
Location Identification Via Reflection…In Your Eyes
Scrubbing location data from your photo metadata might not be enough. In this truly horrific example that puts CSI to shame 21-year-old Japanese idol Matsuoka Shinan was attacked after a stalker identified her location. Not based on background information, or a convenient polished surface, but rather based on location clues he gathered from the reflections in her eyes in a selfie she posted at her local train station. He used Google Maps Streetview to determine the location, confirmed in person, then laid in wait for before he followed her home and attacked her.
Will red-eye reduction algorithms make a comeback to scrub or obscure reflections in our eyes? Probably not, as this was a truly extreme case involving a stalker, but it does make you wonder what’s next.
Protect Your Security With Further Reading:
- Anything written by or said by former hacker Kevin Mitnick