Innocently providing your name at your local coffee shop is just an example of how easy it can be for miscreants to cut through the ‘privacy’ of social media accounts
When Starbucks introduced personalising the coffee shop experience by writing their customers’ names on their coffee cups, people felt violated. Why on earth would a coffee chain want to know your name?
Once coffee drinkers came round to the idea that the baristas were demanding their names, a wave of uproar began across social media from those whose names were spelt incorrectly. Admittedly, it would lengthen the queue if every customer were asked how to spell their name each time (“is that with or without an E?”). There is a theory that the misspelling is actually deliberate, so that people turn to social media with a photo of their branded coffee cup to complain about their barista not knowing how to spell “Bob” or whatever ‘straightforward’ name they possess.
Anyway, once you have given your name to the barista (and any prying ears in the queue), you are giving away something very personal to unknown entities. It might not feel that significant at the time as you wait for your skinny-single-shot-sugar-free-vanilla-latte but giving away anything personally identifiable could ultimately be used against you.
Starbucks don’t ask for ID, so should we think of a pseudonym or a code word instead? Here is a real-life example of why you should at least think about making up a new name…
Recently, whilst on the train to London, I was sat behind a man accompanied by a laptop and a personalised coffee cup. He opened his laptop and signed in (it was not full-disk encrypted, I hasten to add, tut tut) and I could see a company logo physically on the laptop and as the desktop background: I couldn’t read every word but I knew the company well enough to recognise it. Now, added to the fact that I knew his first name, I could start my open source research on him.
Within moments of searching for his company on Google, I found his full name on the firm’s ‘About’ page, complete with head shot and bio. Next, I turned to LinkedIn (using my limited second profile to reduce the personal tracks which would tell him I’d been snooping on his page, and to help me bypass the first- or second-contact information checkpoint) and located his career history. LinkedIn also offered me his personal email, Twitter handle and hobbies from his bio once I had connected with him on the site.
Switching to Twitter, I located his contacts, family connections and even his children’s names. His wife’s Facebook was open and included lots of photos of their two pets. She seemed very proud of their wedding photos and dates (albeit I didn’t have the year, just the day and month).
Moving to Strava, a fitness activity sharing app, I was able to put in his name and locate his profile, showing me his recent run and cycle routes. The thing about Strava, and other fitness logging apps, is that they show anyone your recent routes, so when most people start and finish their training at either their home or work address, it tells the world where they live and work!
With his daughter’s name, I moved to Instagram. Although her account was private, it took less than half an hour to befriend her from my fake account (you would be surprised how few background checks teenagers do on accounts wanting to follow them). Wading through the endless selfies and food photos, I was able to find a happy birthday photo to her Dad plus a rather significant happy anniversary message to her folks, which now gave me the year of his wedding too.
To top it off, while I was watching him work, he was noticeably having fingerprint issues with his phone, so after each unsuccessful attempt to unlock his screen he would revert to typing in a 6-digit code which I could view. This was his first daughter’s date of birth: that would have been my second guess after his wedding anniversary.
At this point, many people are possibly thinking “who cares?” or “what can a hacker really do with my information?” This attitude is what’s getting many people into trouble with their cybersecurity. Whilst banks are becoming less willing to refund losses from such incidents, the problem will only increase. Hackers can and will make your life a misery using targeted attacks.
Even if you are sitting there thinking that your security is foolproof, what information is given away via your family, and how good is their security? If your partner’s email got hacked and you received an email from him or her asking a relatively normal question like “what’s our banking password again, darling?”, would you be tempted to respond, or would flashing lights and alarm bells go off?
So how do we overcome this issue? And how long before the banks don’t even chase any of the money that has been unfortunately swindled?
Awareness training has limitations and e-learning rarely benefits a company, so the answer lies fundamentally in shifting culture. Making people aware is one thing but making them better is another. For example, we all know not to reuse passwords, but so many people still take that risk every single day.
People don’t change very easily, and when people don’t care about the issue, it makes it harder to persuade them not to fall into potential pitfalls. If I spin the argument around, I think the answer could in fact lie with the cybersecurity industry itself: companies who make it compulsory to use a unique password and an authenticator app to sign in would soon give their data and networks a stronger defence.
Inevitably, there will be an immediate outcry from inconvenienced customers and a torrent of angry tweets. However, if people don’t change by choice, making security mandatory will soon make companies and their customers much safer, without having to worry about splashing our data on our personalised coffee cups.