Why cybercriminals are stalking your social media accounts


Are people giving away so much about themselves that it could come back to hurt them? The programme Why It Matters discovers how easy it is to extract personal information from social media posts and even name cards.

Do you post your running routes and mirror selfies on social media? Know that it could tell cyber criminals where you live, and more.

SINGAPORE: Just from his social media posts, it was easy to pin down radio deejay Joakim Gomez’s running route, the street he lives on and even the layout of his home.

This came as a surprise to the 987FM radio personality, who had thought “it was harmless information I was sharing about myself”. He declared: “I might just think twice before I post something at home.”

Like many Singaporeans, Mr Gomez is active on social media. He posts live updates on what he’s doing, tweets almost every day and shares pieces of his life with nearly 60,000 people who follow him on Instagram, Twitter and Facebook.

But he was revealing more than he realised.

Radio deejay Joakim Gomez looking at a board with information about him pulled out from his social media posts.

Many people are similarly unaware of the extent to which someone with nefarious intent can extract all sorts of information about them from their social media posts, the free Wi-Fi they connect to or something as innocuous as their name card, as the programme Why It Matters discovers.

JUST A LITTLE SOCIAL MEDIA SLEUTHING

Three-quarters of people in Singapore actively use social media on mobile, according to Hootsuite’s We Are Social report last year on global digital trends. By social media penetration, based on monthly active accounts, Singapore ranks third in the world.

In an increasingly cyber world, it is hard to avoid being online. But people often give away parts of themselves unwittingly by allowing people to view, download and share their thoughts, pictures and videos each time they post something.

With a little social media sleuthing, Why It Matters host Joshua Lim was privy to a ton of personal stuff about Mr Gomez – like date of birth, religion and even broadband subscription – before they met.

Mr Gomez with Mr Joshua Lim.

But it was the tracking down of Mr Gomez’s housing precinct and being correct on where his room, the hall and the window were – from pictures he posted – that ruffled him somewhat.

“To actually get the layout of my house and … almost get my address correct – that one’s a little scary,” he said. “So this is a cause for concern.”

It is potentially a security issue too, as he sometimes tells his listeners when he would be away from home and overseas.

He shares a lot online to connect with his listeners, but he has now begun to think about whether he has overshared in terms of where he lives.

Mr Gomez tweeting on Oct 1: "Wanting privacy on social media is like wanting to walk in the rain without getting wet. Exercise vigilance."

NOT JUST A NAME CARD

People often do not think about the information on their name cards either, but these contain personal details like the person’s name, email address and, sometimes, personal mobile number – which can be the starting points for criminals.

To illustrate, armed with just Mr Lim’s name and email address, cybersecurity company Horangi found his social media accounts, and pieced together his profile.

Horangi cyber operations consultant Cheng Lai Ki found out where Mr Lim lives, his family background, the model of his mobile phone and even where he went on his honeymoon. This is called open-source intelligence, publicly available information about someone.


Photos of one’s honeymoon destination may be harmless, but what Mr Cheng warns against is posting pictures of one’s mobile phone.

“Knowing the make and model of somebody’s mobile phone, a hacker can essentially log into it by identifying the vulnerabilities it has,” he said.

“Once they have access to your phone, they can read your emails (and) your text messages. They can access your contacts … your camera (and also) know the phone’s location.”

Given enough time, a hacker could find out where that person lives, from the pictures on his phone.

Horangi cyber operations consultant Cheng Lai Ki pieced together a profile of Mr Lim.

Mr Cheng advised individuals to be aware of what they post, especially with regard to photographs taken in the workplace, where there may be documents strewn on the desk or information on the computer screen.

NRIC MISUSE

There are other ways in which people could be making themselves vulnerable to criminals. One is through the National Registration Identity Card, which contains an individual’s NRIC number, besides other data such as full name, photograph, thumbprint and home address.

The card can potentially unlock large amounts of information related to the individual, such as his medical records, bank records and income statements, according to the Personal Data Protection Commission.


This opens up the dangers of identity theft and fraud.

In the past 14 years, there were three incidents of NRIC misuse. For example, in 2005, a woman withdrew S$50,000 from her friend’s bank account by showing her friend’s NRIC to the staff, convincing them that she was the real deal.

But from Sept 1, organisations cannot collect, use and disclose NRIC data indiscriminately, and will not be allowed to make copies or retain the cards.

READ: Organisations have to stop unnecessary collection of NRIC details from September 2019

ROGUE WI-FI NETWORKS

Another way in which people can open themselves to an attack is through Wi-Fi.

A hacker can set up a rogue Wi-Fi network in public, and once people connect to it, he can see every password they enter and every email they send.


He can also access their contacts and documents in what is called a “man in the middle” attack.

To get free Wi-Fi, people are sometimes asked to download an application first. But a hacker can use this app to access their location via GPS, record their conversations and access their camera and photos – all without them knowing.

According to cybersecurity firm Checkpoint Security, personal data is valuable and can be sold in online black markets. For example, an individual’s passport details and credit card information can sell for about US$30 (S$41).

It costs about US$9 for the records of 3,000 IDs or driving licences on the dark web.

PHISHING FOR INFORMATION

Finally, phishing is a form of fraud where an attacker pretends to be a reputable person or entity to induce individuals to reveal information such as their passwords and credit card numbers.

In Singapore, victims lost at least S$43 million in email impersonation scams in 2017 – a 70 per cent spike from 2016. There were 328 cases in 2017, nearly a 30 per cent jump from 257 cases in 2016.

READ: S$99 million lost to scams in 2017: Police

Most of the victims were businesses deceived into transferring money to fraudulent bank accounts.


Mr Wan Ding Yao, the president of Singapore Management University’s White Hat Society, advises against filling in financial information when asked to do so, as many reputable companies would not ask for such details simply by email.

“Always check, either through Google search or just contacting the company, if you’re unsure and if the information asked of you is of great sensitivity,” he said.

In the book, “Fake it! Your Guide to Digital Self-Defense”, the authors suggest people share their real identities only for official purposes and switch to pseudo-identities for sites and services that they do not want mining their real data.

This means using a fake name, birth date, email and even disguising oneself to avoid facial recognition.

While this might conflict with the terms of service of social media sites like Facebook, which state that users should use their real name, the authors advise readers to “disregard that” because “privacy is more important”.


Advice from the book, Fake it! Your guide to digital self-defense: Use pseudonyms for the private you.

Source: CNA/dp
