Don’t Post These Online

Common Ways People Accidentally Compromise Their Privacy and Security

Images from Alex Hope's article on Prime Minister Tony Abbott's flight details
Hacker Alex Hope (aka mangopdf) was able to use a photo of a former Prime Minister's boarding pass for all sorts of purposes.

We all know not to share our passwords publicly. Most people are smart enough not to share other identifying details publicly, like home address or date of birth, yet people keep doing all these and more, opening us up to identity theft, harassment, and, for the criminally inclined, conviction. Here are some mistakes people make, sometimes commonly, without realising the implications.

Posting A High-Resolution Photo Of Your Hand and, Unwittingly, Fingerprints

Photo of hand holding cheese, with fingertips visible
Carl Stewart posted this photo, from which his fingerprints were analysed. Photograph: Merseyside police

Drug dealer Carl Stewart, 39, from Liverpool, learned this the hard way when he posted a photo of some cheese in a local supermarket. Police had infiltrated the encrypted criminal messaging service EncroChat where the photo was posted, and were able to identify the individual because the photo was of high enough resolution to show his fingerprints.

Has anyone been framed based on recreated fingerprints? Not yet, but perhaps it’s a matter of time.

Posting A Photo of Your Mailing Address, Even With The Address Blacked Out

When Australian YouTuber (I guess we’re now calling them “influencers”?) communitychannel aka Natalie Tran posted the following tweet to her quarter-million followers, I knew right away she’d just shared her address with the world, even though she blacked out the address. Can you tell how?

The Intelligent Mail barcode (IM barcode) at the top can be reproduced to send mail to her. It can also be entered into a reverse lookup site or software to get the mailer ID or even address if you’re crafty enough. Or just recreate the barcode, and put a GPS tracking keyring in the post and see where it goes.

In Natalie’s case, the story made The Sydney Morning Herald, a mainstream news publication, getting even more exposure, proving that journalists are ignorant of the fact that they may as well be sharing someone’s address. It’s surprisingly common.

Take this low-resolution photo posted on The Daily Californian which is too low resolution to make out an address, but clear enough to read the barcode.

Envelope with blurred address, but visible mail barcode
Photo by Josh Kaken, dailycal.org

Posting Your Boarding Pass

Tony Abbott’s Instagram post showing boarding pass, including booking reference.

When former Australian Prime Minister Tony Abbott posted his boarding pass to his Instagram, hacker Alex Hope (aka mangopdf) took the challenge to see what he could do with it. At the time he was able to determine the passenger's:

  • passport details
  • phone number
  • comments between airline staff

Alex tried his best to alert both the airline and the former Prime Minister’s office of the holes in the system that exposed this information, which were fixed by the time he posted a full rundown of what he did. I highly recommend that article, which is both informative and a delightful, entertaining read.

As Alex points out:

“People post their boarding passes all the time, because it’s not clear that they’re meant to be secret”

There are over 125,000 uses of the #boardingpass hashtag on Instagram alone.

Your or Your Child’s Citizenship or Residency Papers

As an Australian ex-pat based in the US, I get the pride in gaining permanent residency or acquiring local citizenship. Yet the frequency with which people publicly share documents with information that could be used for identity theft on Instagram and Reddit, closed but large Facebook groups (such as Australians in America), or with their many hundreds or thousands of Facebook friends, always astounds me.

If you are going to post a picture with high enough resolution to read one of these documents, remember to censor all fields that you are sometimes asked for to verify your identity, including innocuous ones that anyone who personally knows you may deduce, like place of birth, full legal name, birthday, etc.

Reddit posts that say “I Got My Citizenship”
Posts to Reddit with the title “I just got my citizenship” are a common trope, but harmless if censored or not high enough resolution to read the text

Most photos of identifying documents in a wide or medium shot photograph, such as an adult holding up a piece of paper, are too low resolution to read the document. The common thing I see is people posting photos of their baby next to a full-size (not passport or ID card sized) citizenship document. By all means post a photo of your baby with a cute onesie and perhaps a prop representing your country’s culture, but do remember to redact the document.

Posting A Photo or Footage of a Key

Keys for consumer-grade locks are easily reproducible, from even a photo. In fact, it’s probably a good idea to keep a photo of any important keys in a safe place, in case you ever need to reproduce them when in a bind.

Duplicating a key from a photo is easy, as explained in the below video.

A big no-no is posting a photo of a key online, which I have seen more than once to demonstrate an item’s size in an online for-sale listing. “Key for scale” may as well be enclosing a copy of your key for anyone to access your home. I have contacted several people over the years advising them to switch out their photo.

An extreme example of this involved a 2006 television broadcast of a set of prison keys in London, resulting in the production company being sued for £300,000. As one Reddit commenter pointed out, the large cost stems not from the cost of new keys and changing locks, but from the time involved in taking each prisoner out of their cell under guard for 30 minutes each.

Stupid Viral Questions

The common “secret question and answer” method of password recovery and the now-thankfully-dead method of password hints were already deeply flawed long before there were viral memes asking you to publicly answer silly, fun questions. As the now-viral Facebook post by Alan Belniak points out, though nostalgic, and a way to engage with others, they’re actually handing out the keys to your account passwords. No matter how benign these seem, there’s always a chance an account you created years ago is protected by the answers you give.

Collage of posts asking coded security questions
Getting people’s answers to seemingly fun quizzes asking for personal information is a great way to gain access to their accounts.

 

This is called “Social Engineering” which CSO (Chief Security Officer) Magazine defines as

“the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data”.

Or to put it another way…

Stop giving people your personal info

Location Identification Via Reflection…In Your Eyes

Scrubbing location data from your photo metadata might not be enough. In this truly horrific example that puts CSI to shame, 21-year-old Japanese idol Matsuoka Shinan was attacked after a stalker identified her location. Not based on background information, or a convenient polished surface, but rather based on location clues he gathered from the reflections in her eyes in a selfie she posted at her local train station. He used Google Maps Streetview to determine the location, confirmed it in person, then lay in wait before he followed her home and attacked her.

Photo with eye reflections visible
Matsuoka Xiaonan’s location was identified by her stalker using clues from reflections in her eyes.

Will red-eye reduction algorithms make a comeback to scrub or obscure reflections in our eyes? Probably not, as this was a truly extreme case involving a stalker, but it does make you wonder what’s next.

Written by David Frank

David Frank is a Seattle-based marketer, writer (co-founder of Good/Bad Marketing) and public speaker. Originally from Perth, Western Australia, he has also lived in the UK, Japan and Vietnam. He has a Master of Science in Marketing degree from Edinburgh Napier University, Scotland.

He tours talks on marketing for the general public. His current talks are:
- Dangerous Products: The History and Present of Products NOT Safe to Consume
- Sensory Marketing and the Subtle Science of Packaging
- Sex, Love & Marketing: How To Market Yourself On Online Dating Sites
- How to Market Tobacco (Despite Those Pesky Advertising Bans)
Learn more at http://www.thedavidfrank.com/talks.html

In his spare time, David is an avid gardener. https://instagram.com/seattlefoodgardener
