Be careful what you share

Would you tell a total stranger your password?

The obvious reaction is: "Of course not!"

But look at this video. Some people simply say what their password is when asked for it, or they reveal it unwittingly by answering a few simple questions.

In today's post I want to show that giving away too much personal data can get us into trouble, and that these innocent-looking questions in interviews, online surveys or competitions might not be so harmless after all.

Massive data collection and sharing by websites

This is an online survey from BPost, the Belgian postal service. Before taking the survey you are shown a banner telling you that they will not only store your data themselves but also share it with other companies to "inform you about products". Read: "spam you with ads". Even if you read the privacy policy, it doesn't clearly state who these other companies are.

I started the survey just to see what kind of personal data they ask for. As you can see in the top right corner, the survey consists of 7 pages. Page 1 asks for the usual contact information.

And then it continues with "you and your family" and it only gets worse from there.

Please, people, don't fill in this kind of survey. You're giving away a lot of very personal information and you don't even know who is storing it. And this data can be stolen from any of these systems without you even knowing about it.

Malicious intent

Companies that want to collect as much data about you as possible are only one of the issues. Online criminals use the same techniques as in the video at the start of this post, albeit much less obviously.

They try to harvest personal information via online games or quizzes that look benign and ask for your favorite car or the name of your pet. But as we will see, the answers to these questions might help them break into your online accounts.

Sharing (sensitive) personal data on social media

Another major problem is that people like to share a lot of personal information on social media. Those who do so are typically not the ones aware of the security and privacy risks, and they also tend to have the weakest online security practices.

If you share your date of birth and the name of your pet on social media, and your password for all your online accounts is the combination of the two, you might get into serious trouble. Or if you share your Visa card details...

But what is the risk?

Even if the person had only shared the number of the Visa card and not the CVV number on the back of her card, she might already have been at risk. Let's say this person has a PayPal account. Even if she had a strong password and multi-factor authentication enabled, her account could have been taken over via PayPal's poorly implemented account recovery feature.

We also see that another account recovery option is to answer security questions. In the next screenshot you see the questions that you can configure for PayPal.

They are all easy to retrieve if you've shared this information online before.

PayPal is certainly not the only company with a weak identity validation process at account recovery. Unfortunately, the risks are not limited to account takeovers either. Your personal data can be used to impersonate you and can help criminals commit identity fraud.

General best practices

Let me list some general thoughts and best practices regarding data privacy.

  • If a product is free you pay with your personal data.
  • Only provide (sensitive) personal data when strictly necessary. This also applies for paper forms, keep in mind that the data you write on paper might end up in online systems.
  • If input fields are mandatory but the data asked for is not necessary to handle your request, enter fake data. As an example: an online shopping site does need to know your shipping address, but it doesn't need to know your date of birth.
  • Don't participate in online services, quizzes or competitions that ask for personal data.
  • Treat security questions that are used for account reset or recovery as passwords. Here you can find more tips on how to answer security questions.
  • Check the privacy settings of your online accounts and restrict them as much as possible.
  • You could adapt your profile information for existing accounts if that's possible. For instance remove phone numbers, date of birth or other data that is not necessary for the service to work.
  • Before you register for a particular service, check what they do with your data. Terms of Service; Didn't Read is a website that can be helpful in this case.
  • Install tools that improve your security and privacy.
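As an added illustration (not from the original post), the small Python script below does two of the things the list above recommends: it checks whether a chosen password or security-question answer can be rebuilt from facts you have already shared publicly, and it generates random answers for recovery questions so they can be stored in a password manager like any other password. The profile fields, questions and values are constructed assumptions.

```python
import secrets
import string

# Constructed sample of facts a person might have shared publicly
# (social-media profile, survey answers). Hypothetical values.
PUBLIC_PROFILE = {
    "date_of_birth": "1985-03-14",
    "pet_name": "Rex",
    "favourite_car": "Mini Cooper",
    "city": "Antwerp",
}

# Constructed examples of typical account-recovery questions.
SECURITY_QUESTIONS = [
    "What is the name of your first pet?",
    "What was the make of your first car?",
    "In which city were you born?",
]

ALPHABET = string.ascii_letters + string.digits


def normalise(text: str) -> str:
    """Lower-case and drop punctuation/whitespace so 'Mini-Cooper' == 'minicooper'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def derived_from_profile(secret: str, profile: dict) -> list:
    """Return the profile fields whose (normalised) value appears inside the
    secret. A non-empty list means the password or answer is recoverable from
    data the person already published, e.g. 'Rex1985' leaks pet name and birth year."""
    flat = normalise(secret)
    hits = []
    for field, value in profile.items():
        for part in value.replace("-", " ").split():
            token = normalise(part)
            if len(token) >= 3 and token in flat:   # ignore tiny tokens like "03"
                hits.append(field)
                break
    return hits


def random_answer(length: int = 20) -> str:
    """A random answer to use instead of the truthful one; keep it in the
    password manager next to the account, exactly like a password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def answers_for(questions: list, length: int = 20) -> dict:
    """One independent random answer per configured recovery question."""
    return {q: random_answer(length) for q in questions}
```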

Use these tips to protect your privacy in the best possible way.

That's everything for today. Tomorrow more actionable security tips. In the meantime, stay safe online!

John Opdenakker
