It's August and for much of the world that means it is vacation time. In recent days I've seen ample evidence of this as people have tweeted, posted on Instagram and otherwise announced their vacation plans to the world. In many cases they even provide play-by-play updates. While sharing this information with friends can be fun, these details are being broadcast to a wider audience that is not well known to vacationers, if at all. And this is where the danger lies: Crooks are increasingly finding social media to be a criminal intelligence gold mine.
Advertising one's vacation plans is like sending out a notice to criminals that your home may be unoccupied. You may have plans to have the mail picked up and even timers on the lights to make it appear that someone is home, but widely announcing that you will be gone for a week or two is an invitation for criminals to pay a visit. This can be compounded by people posting photos of all their nice belongings on other social media and by either listing their address or having loose privacy and location settings that reveal exactly where the photos were taken. These posts not only tell criminals that the house is vacant, but also show what is worth stealing and where the house is.
Unfortunately, with the explosion of social media, more and more people are unwittingly providing this information to anyone who is watching. I have seen colleagues who have thousands of followers on Twitter (and certainly they do not know all of them) announce they are not home by posting that they have arrived in airport X or announce that they are going to attend a conference in city Y for a week. They even tag the locations they are posting from. When I see such a post, I grit my teeth because I imagine a criminal thanking them for the information that their house is vacant or that their wife and small children are now home alone. If one wants to share these details on social media, it is far better to do so after the fact rather than before or during travel.
But such compromising information is not merely confined to vacation or other travel plans; it also applies to social media posts that give malefactors notice that a person will be at a specific location at a determined time. For years we've been advising people against setting patterns in their daily routine that criminals or terrorists can use to plan an attack. These warnings apply equally to social media.
I have many friends, including several who are female, who post on social media every time they check into the gym. I realize that they are proud of their commitment and like to encourage their workout partners, and that the gym encourages check-ins as a form of advertising — but such information can make it easy for a rapist or stalker to identify their patterns and plan an attack. Now, certainly someone targeting a woman can develop this information in person, but to do so a criminal would have to conduct physical surveillance, leaving him vulnerable to detection. Posting so much information on social media makes the criminal's work much easier. Because of this I caution friends — no matter their gender — against posting this data on social media.
The danger does not relate to just women. I recently had to talk with a family member who is a police officer and who was having his Fitbit wristband post his running routes and times on his Facebook page. This is incredibly dangerous for a cop who has arrested hardened criminals — especially in this era when police are being targeted for attack. A run is a great time to assault police officers, because they will not be wearing their protective vest, are probably unarmed and may not be practicing good situational awareness — especially if running with earphones. When I explained this to him, he said that he carefully monitors whom he connects with on Facebook. However, providing this type of granular information is still a dangerous practice when you can't guarantee how secure your friends' accounts are and whether they use robust passwords. Also, there have been numerous cases of stalkers and other criminals using fake accounts to work their way into a target's social media circle. Beyond that, if you post something on social media, it doesn't matter how closely you monitor your connections; there is always a way to find it. Based on these facts, I was able to persuade him to stop posting his running routes and times.
These are but a few examples. Apps and sites continue to multiply, as does the number of smartphones, watches and other devices that interact with social media. Most people simply do not realize how much information they are posting to the internet and how that information can be collected and used to target them. While there have been some highly publicized cases of social media being used to prey on celebrities, ordinary people simply don't understand that the threat trickles down to them too.
So far, we have been focusing on physical world criminals, but cybercriminals can also use information provided carelessly on social media. These threats come in a variety of forms, including identity theft, credit card fraud, email scams and phishing attacks. For example, a cybercriminal could see a social media post that a person is on vacation in Mexico and then send an email to everyone on the poster's contact list saying he was in an accident and needed an emergency money transfer.
In addition to consciously limiting what they post on social media, people should also develop a detailed understanding of how much of their personal information is available on the internet. The hacker community uses the term "dox," short for documents, to describe the process of sweeping the internet for information on a person. In hacker practice, this information is normally published to publicly identify and embarrass the person being doxed, but this practice can be quite useful for people to do to themselves. By doing this, they can become aware of what a criminal can uncover. This process not only serves to help reveal personal vulnerabilities, but it can also be used to identify gaps in the information required to conduct a crime or attack. Information drives the criminal and attack cycles, and I've written about how identifying and being alert to those gaps can be used to protect against attack. Not only does this concept apply to governments or corporations, but it can — and indeed should — also be used by individuals to protect themselves.