Thisis the Internet era, no doubt about it: general public meets infinite variety of information via countless virtual channels. World Wide Web pages, e-mail, online shopping, and virtual chat rooms bring Internet users together (and help set them apart) in technology-mediated interactions and communication.
But there’s more to the Internet than meets the eye. The grass is not necessarily greener on its hidden or unseen side as to every benefit that the virtual world brings to humanity there seems to be at least one matching negative aspect. Take communication, for instance. Where one aims for ease, one also gets a huge potential for personal sensitive info exposure. With each electronically-mediated interaction there’s a chance that someone other than the intended sender and recipient is compiling personal information-often for later, unrelated and even illicit use.
Putting together a person’s complete profile in just a few clicks
Say you want to build a person’s profile based on what’s out there on the net. Take your pick: pictures, videos, biographies, social networks profiles? Even better: emails, addresses or phone numbers? There are a lot of sites collecting and presenting this kind of data from various sources on the Internet. A quick search revealed at least 55 public sites collating information about users and exposing it to everybody.
Presented with such an opportunity, who can blame the spying business going wild? On a small, individual scale, you just look up data about a particular person, find it and simply read it to satisfy your curiosity. But what happens if you start to think big? There goes our bad (not worst) case scenario: a person can create a script that automatically extracts sensitive information about 1,000, no, make that 100,000 users and stores it in a database.
How is this possible? Aside from the technical advances that allow people to scour the net for such hidden treasures, there’s the simple fact that, at one time or another, people actually posted the respective info somewhere in the virtual universe. The psychological trigger behind this is that people generally assume personal sharing is essential to close friendships.( Wayne Weiten, Dana S. Dunn, Elizabeth Yost Hammer, 2011). Add the so-called online disinhibition effect and you’ve got the perfect combination for extensive self-disclosure. Derlega (1984) described self-disclosure as a dangerous act. When somebody shares personal information with someone else, he/she risks: indifference, if the other person does not care about it, rejection, if the interlocutor is turned off by the information received, or betrayal, if the interlocutor uses the information against the sharer.
This is why even though people/people’s friends willingly and publicly disclose information about themselves/the others, they don’t feel very comfortable when confronted with a full aggregate account of their disclosure. Remember the “Ron Bowes incident” and the reactions it triggered? The separate pieces of information involved in the incident were already public, but it was the first time more than 170 million of profiles were collected into a file that could be easily analyzed, searched through or used in any other way. As Ron Bowes himself explained, the idea was very simple: “spider the [Facebook] lists, generate first-initia-last-name (and similar) lists, then hand them over to @Ithilgore to use in Nmap’s awesome new bruteforce tool he’s working on, Ncrack”.
Isn’t that simple?
How do people react to this kind of sites collecting information about them? Not very well. Having scanned more than 250 complaints concerning their unjustified appearance on these “lists of shame”, the reasons for their discontent are very diverse: some people don’t want to appear on such sites because they might be mistaken for other individuals who have criminal records and who also happen to bear the same name, others consider they should not be there as they had not shared the collected personal information, but their friends had. And the list can continue.
Actually, the risks undertaken go beyond injury to personal reputation. Cybercriminals might collect information from these sites and use it against the listed people to make them believe they owe them money. They would even contact prospective victims’ families to collect fake debts using the datasets provided by these sites.
Based on the premises listed so far, a simple experiment was imagined: a notorious CFO from a very well-known company writes you an “official” letter asking about your personal information. Do you respond to his/her “certified” email? You might be inclined to, if the respective message contained his/her name, address and phone number, and if the provided email address were the real one.
Collecting personal information on top 100 Forbes CFOs
Is this hypothesis so far-fetched that it would stand no chance when put to the reality test? By simply accessing one site that collates personal information and searching for details on top 100 Forbes CFOs I managed to secure, in most of cases, the very elements that would have ensured a high rate of success for the phishing campaign referred to above.
One conclusion: while the decision making process behind private information disclosure is an extremely complicated process, likely to fail unless the right triggers are activated, the virtual worldappears to makes it easier in both directions. People are more willing to share because of their suspended sense of risk in the absence of social cues; cybercriminals are better equipped to trick their victims based on what info is made available about potential human sources of authority. A case of ultimate efficiency: beating the regular unwary users with other unwary, but more authoritative users’ weapons.
Bibliography and references
1. Derlega, V. J., 1984, “Self-Disclosure and Intimate Relationships in Communication, Intimacy, and Close Relationship, ed. V. J. Derlega. Orlando, FL: Academic Press.
2. Wayne Weiten, Dana S. Dunn, Elizabeth Yost Hammer, 2011, Psychology Applied to Modern Life: Adjustment in the 21st Century, Wadsworth Publishing
3. Ian Paul, 2010, The Facebook Data Torrent Debacle: Q&A, http://www.pcworld.com
4. Ron Bowes, 2010, Return of the Facebook Snatchers,http://www.skullsecurity.org/blog/2010/return-of-the-facebook-snatchers
Posted by Sabina Datcu