Recently a controversy erupted over Facebook Phonebook, an app that shares users’ phone numbers without permission. Generally, Facebook can only share your number if you posted it and made it public via your privacy settings. However, by synching with your smartphone’s contacts, this app can share a phone number that has not been published. (This link will show you exactly how to hide your number on Facebook, though it won’t prevent your friends from possibly sharing your number with Phonebook.)
All of this talk has led me to wonder: should I put my phone number online?
I don’t know about you, but I am really paranoid when it comes to putting my details online. I don’t just worry about the ultra-sensitive information, like bank details and card numbers. I worry about my identity, my name, date of birth, my address and my phone number.
I’ve given the issue some thought to try to work out what it is that I am worried about and whether I am being a little too cautious. After all, I have found it useful to look up my friends’ phone numbers on social media sites when my phone has let me down, so why should I withhold the same information from them? I am quite security conscious, so I probably have less to worry about than the average internet user.
But what might the average internet user have to worry about?
By far the most common threat is that which gives a criminal direct access to your finances. Your bank details can be stolen in a number of ways. There is no point in making it even easier by broadcasting your account numbers, card numbers or passwords. Other information, like your address and number, might be useful if it comes paired with your bank details, but they are not usually needed for criminals to make a profit from your account.
By social sabotage I mean anything that could ruin your reputation with your peers. You can socially sabotage yourself by allowing your boss to see a photo of you hosting a late night party in the office. Your (one time) friend can publish the picture without your consent. Both of these problems are common and they are a reason to be careful about who you invite into your social circles and about what you say and do.
A lesser problem is that your account is hacked and your reputation is ruined by an action supposedly performed by you. This is not as common. It is most likely to happen if you have immature friends, rebellious children or a jilted ex-partner and can be prevented by having a completely secret and impossible-to-guess password.
This is where you would have to worry about putting your address and phone number online. It is not very likely to happen though. It is most likely to happen as part of a banking scam and for that, as already mentioned, your phone number and address tend to be of secondary importance compared to your card numbers and account details.
The other thing you should know is that if anyone wants to find your address and phone number online, the chances are that they already can. It doesn’t matter if you did not publish them anywhere yourself. Phone directories are online and have been for some time. I found three services in Finland alone that claimed to be able to give me the personal details of people I know if I logged in to their services. For the USA, there are sites like Spokeo.
These sites not only give out your phone number and address, regardless of whether you know of their existence; they often collate other data too. They will tell other people what you have posted in Yahoo! Groups (the titles of these posts are visible even if the group is private). They will gather your date of birth, gender and relationship status. Some may even gather photos of you. Your house. Your children. Whatever seems to be related to you online.
All this information is out there already. These sites just make it easier to find. Most of the time no-one is going to use those sites and there is no need to worry. If you are paranoid then you can search for yourself and hunt down all the places your information is being leaked from. Usually the only reason to be this paranoid about your data is if you know that someone is out to get you! By this I mean that you are involved in a legal matter or that your livelihood relies on your reputation.
There’s a very small chance that this problem will occur to you as an act of sabotage. You’ll suffer the loss of information from your online accounts, finding it deleted one day. This is most likely to happen because someone who is very close to you is angry with you. If this has happened to you, though, it is the second thing you should consider.
Before you rush to accuse someone of tampering with your accounts be aware that it is far more likely that an error with the software or website you use has caused your data to vanish. Always check with customer services first or search the internet to see if anyone else has the same problem at the same time.
Do you hold a crucial place in a business? Are you a government official? Are you a rebel to a strict governmental regime? Perhaps you’re a celebrity? Have a stalker? Messy divorce? No? Then you probably won’t ever have to worry about this.
If you ever intend to answer ‘yes’ to the above questions then it is a good idea to become more security savvy. Reading this blog is a good start, well done.
If you can answer ‘yes’ already, then you might be one of the few who are justified in being really paranoid and withholding most or all personal details from the online world. At the very least, seek advice relevant to your position.
If you’ve skipped to the end looking for a summary, then the answer to whether you should put your phone number (or address) online is:
It is probably online already, but that does not mean that many people will know where to look for it.
Finally, if you want to respond to this article, please don’t call me! Leaving a comment on the blog will do nicely.
CC image by nathanmac87.
Everybody probably agrees that the net has developed a discussion culture very different from what we are used to in real life. The adjectives used vary from inspiring, free and unrestricted to crazy, sick and shocking. The (apparent) anonymity of on-line discussion leads to more open and frank opinions, which is both good and bad. It becomes especially bad when it turns into libel and hate speech. What do you think about this? Read on and let us know in the poll below.
We do have laws to protect us against defamation. But the ability of the police to deal with crimes on the net still varies a lot. And the global nature of the Internet makes investigations harder. Most cases are international, at least here in Europe where we rely to a large extent on US-based services.
This is in the headlines right now here in Finland because of a recent case. The original coverage is in Finnish, so I will give you a short summary in English. A journalist named Sari Helin blogged about equal rights for sexual minorities, and about how children are very natural and don’t react in any way if a friend has two mothers, for example. This is a sensitive topic and, hardly surprisingly, she got a lot of negative feedback. Part of the feedback was clear defamation: calling her a whore, among other nasty things. She considered it for a while and finally decided to report the case to the police, mainly because of Facebook comments.
This is where the really interesting part begins. Recently the prosecutor released the decision about the case. They simply decided to drop it and not even try to investigate. The reason? Facebook is in the US and it would be too much work to contact the authorities over there for this rather small crime. A separately interviewed police officer also stated that many of the requests that are sent abroad remain unanswered, probably for the same reason.
This reflects the situation in Finland, but I guess there are a lot of other countries where the same could have happened. Is this OK? The resourcing argument is understandable. The authorities have plenty of more severe crimes to deal with. But accepting this means that law and reality drift even further apart. Something is illegal but everybody knows you will get away with the crime. That’s not good. Should we increase resourcing and work hard to make international investigations smoother? That’s really the only way to make the current laws enforceable.
The other possible path is to alter our mindset about Internet discussions. If I write something pro-gay on the net, I know there are a lot of people who dislike it and think bad things about me. Does it really change anything if some of these people write down their thoughts and comment on my writings? No, not really. But most people still feel insulted in cases like this.
I think we are slowly getting used to the different discussion climate on the net. We realize that some kinds of writing will get negative feedback. We are prepared for that and can ignore libel without factual content. We value feedback from reputable persons, and anonymous submissions naturally have less significance. Pure emotional venting without factual content can just be ignored and is more shameful for the writer than for the object. Well, we are still far from that mindset, even if we are moving towards it.
But which way should we go? Should we work hard to enforce the current law and prosecute anonymous defamers? Or should we adapt our mindset to the new discussion culture? The world is never black & white and there will naturally be development on both these fronts. But in which direction would you steer the development if you could decide? Now you have to pick the one you think is more important.
Looking forward to seeing what you think. The poll will be open for a while and is closed when we have enough data.
Safe surfing, Micke
We all know that there are scammers on the net, actually a lot of them. The common forms of scams are already well known, Nigerian letters and advance payment scams for example. But scammers do develop their methods to fool more people. I recently saw a warning about an interesting variant where the scammers ask for advance payments for travel services. This warning involved booking.com, so you should be extra careful if you have used them recently. But the advice I share here is generic and not specific to booking.com anyway.
The warning I refer to is in Swedish but I’ll provide the main points here in English. Here’s what happened according to the story. Someone books a trip on-line. Booking information leaks out to scammers somehow. This could be because of a hacking incident at booking.com, a crooked employee or maybe a hacked customer mail account. Now the scammers contact the customer. They claim to be the hotel and require advance payment for the stay. This can be quite convincing as they know what hotel has been booked and for what dates. The payment must be a wire transfer; credit cards are not accepted. Sadly, some customers fall for this and make the payment. They never see the money again and still have to pay the full price for the hotel.
Here the key differentiator from ordinary scams is that the scammers have info about a valid purchase made by the customer. This enables them to be very convincing and impersonate the hotel (or some other provider of services) in a believable way. Fortunately it is quite easy to defeat this, and many other scam attempts, with some simple rules.
Always pay for your on-line purchases with a credit card. Period. If this isn’t possible, shop somewhere else instead. The credit card company acts as a buffer between you and the recipient of the payment, and adds a significant amount of security.
Never use wire transfers of money. Period. This is the standard method for scammers as it is next to impossible to get transactions reversed. If someone claims that no other method is available, it is a very strong signal that something is wrong.
If you have selected to pay by credit card, as you always should do, then it is a strong warning signal if someone tries to deviate from that and asks for money using some other payment method.
Remember that it is next to impossible to verify the identity of the other party if someone contacts you. If you get contacted like this and have any kind of doubts, you can always contact the company you bought from to verify whether they really have contacted you.
The risk with credit cards is that your card number may be shared with several companies, like the airline, the car rental and the hotel in the case of travel booking. Each of these may charge your card. Incorrect charges may occur either by mistake or deliberately. Always check your credit card bill carefully and complain about unauthorized charges. This is some extra work, but the customer will usually get unauthorized charges corrected.
And a last hint not really related to scammers. Be careful with the grand total of your on-line purchase. Travel bookers are notorious for not showing the real grand total until a very late stage in the purchase process. It is very easy to make price comparisons on figures that aren’t comparable. If possible, prefer honest sites that show you the real price upfront.
Memorize these rules and the likelihood that you will be scammed is very small. The best way to fight scams is to not take the bait. So by being careful you not only save your own money, you also participate in fighting this form of crime as you make it less profitable. If you want to do even more, share the info and help others become aware.
If you liked this post, you may also like the story about when I sold my boat.
Safe surfing, Micke
PS. The story I base this on was seen on Facebook. It is not verified, but I find it to be believable. It doesn’t really matter anyway if the story is true or not. The story is plausible and forms an excellent warning about Internet scams, which unfortunately are a widespread and very real form of crime.
Image by Ho John Lee
You have heard the news. Russian hackers have managed to collect a pile of no less than 1.2 billion stolen user IDs and passwords from approximately 420 000 different sites. That’s a lot of passwords and your own could very well be among them. But what’s really going on here? Why is this a risk for me and what should I do? Read on, let’s try to open this up a bit.
First of all, there are intrusions in web systems every day and passwords get stolen. Stolen passwords are traded on the underground market and misused for many different purposes. This is nothing new. The real news here is just the size of the issue. The Russian hacker gang has used powerful scripts to harvest the Internet for vulnerable systems and automatically hacked them, ending up with this exceptionally large number of stolen passwords. But it is still good that people write and talk about this; it’s an excellent reminder of why your personal password habits are important.
Let’s first walk you through how it can go wrong for an ordinary Internet user. Let’s call her Alice. Alice signs up for a mail account at Google. She’s lucky, firstname.lastname@example.org is free. She’s aware of the basic requirements for good passwords and selects one with upper- and lowercase letters, digits and some special characters. Alice is quite active on the net and uses Facebook as well as many smaller sites and discussion forums. Many of them accept email@example.com as the user ID. And it’s very logical to also use the same password; it sort of belongs together with that mail address, and who wants to remember many passwords?
Now the evil hackers enter the scene and start scanning the net for weak systems. Gmail is protected properly and withstands the attacks. But many smaller organizations have sites maintained on a hobby basis, and lack the skills and resources to really harden the site. One of these sites belongs to a football club where Alice is active. The hackers get access to this site’s user database and download it all. Now they know the password for firstname.lastname@example.org on that site. Big deal, you might think. The hackers know what games Alice will play in, no real harm done.
But wait, that’s not all. It’s obvious that email@example.com is a Gmail user, so the hackers try her password on gmail.com. Bingo. They have her email, as well as all other data she keeps on the Google sites. They also scan through a large number of other popular internet sites, including Facebook. Bingo again. Now the hackers have Alice’s Facebook account and probably a couple of other sites too.
Now the hackers start to use their catch. They can harvest Alice’s accounts for information, mail conversations, others’ contact info and e-mails, documents, credit card numbers, you name it. They can also use her accounts and identity to send spam or do imposter scams, just to list some examples.
So what’s the moral of the story? Alice used a good password but it didn’t protect her in this case. Her error was to reuse the password on many sites. The big sites usually have at least a decent level of security. But if you use the same password on many sites, its level of protection is the same as that of the weakest site where it has been used. That’s why reusing your main mail password, especially on small shady sites, is a huge no-no.
But it is really inconvenient to use multiple strong passwords, you might be thinking right now. Well, that’s not really the case. You can have multiple passwords if you are systematic and use the right tools. Make up a system where there is a constant part in every password. This part should be strong and contain upper- and lowercase characters, digits and special characters. Then add a shorter variable part for every site. This will keep the passwords different and still be fairly easy to remember. Still worried about your memory? Don’t worry, we have a handy tool for you. The password manager F-Secure Key.
But what about the initial question? Does this attack by the Russian hackers affect me? What should I do? We don’t know who’s affected as we don’t know (at the time of writing) which sites have been affected. But the number of stolen passwords is big so there is a real risk that you are among them. Anyway, if you recognize yourself in the story about Alice, then it is a good idea to start changing your passwords right away. You might not be among the victims of these Russian hackers, but you will for sure be a victim sooner or later. Secure your digital identities before it happens!
If you on the other hand already have a good system with different passwords on all your sites, then there’s no reason to panic. It’s probably not worth the effort to start changing them all before we know which systems were affected. But if the list of these 420 000 sites becomes public, and you are a user of any of these sites, then it’s important to change your password on that site.
Safe surfing, Micke
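The reuse problem in Alice’s story, and the advice to change passwords once the list of breached sites is known, can be checked against your own password list. The following is an added example, not part of the original post; the vault entries, site names and function names are constructed for illustration, and it assumes, as in the story, that whoever steals a site’s user database learns the password used there.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: (site, user ID, password). None of it is real.
VAULT = [
    ("gmail.com",            "alice@example.org", "Blue!Heron42"),
    ("facebook.com",         "alice@example.org", "Blue!Heron42"),
    ("footballclub.example", "alice@example.org", "Blue!Heron42"),
    ("forum.example",        "alice@example.org", "Blue!Heron42-fo"),
    ("shop.example",         "alice.shop",        "Blue!Heron42"),
]


def credential_key(user_id, password):
    """In-memory comparison key for a (user ID, password) pair.

    Used only so the report never carries plaintext; not a storage format.
    """
    material = user_id.strip().lower().encode() + b"\x00" + password.encode()
    return hashlib.sha256(material).hexdigest()


def reuse_groups(vault):
    """Group sites that accept exactly the same user ID and password."""
    groups = defaultdict(set)
    for site, user_id, password in vault:
        groups[credential_key(user_id, password)].add(site)
    return [sorted(sites) for sites in groups.values() if len(sites) > 1]


def exposed_by_breach(vault, breached_site):
    """Other sites whose login is known once breached_site's database leaks."""
    stolen = {credential_key(u, p) for s, u, p in vault if s == breached_site}
    return sorted(s for s, u, p in vault
                  if s != breached_site and credential_key(u, p) in stolen)


def change_list(vault, breached_sites):
    """Every account to re-password once a list of breached sites is published."""
    todo = set()
    for site in breached_sites:
        if any(s == site for s, _, _ in vault):   # ignore sites you never used
            todo.add(site)
            todo.update(exposed_by_breach(vault, site))
    return sorted(todo)


if __name__ == "__main__":
    for group in reuse_groups(VAULT):
        print("same credentials on:", ", ".join(group))
    print("football club breach exposes:",
          exposed_by_breach(VAULT, "footballclub.example"))
    print("change passwords on:",
          change_list(VAULT, ["forum.example", "footballclub.example"]))
```

With the sample data, a breach of the hobby-run football club site puts the Gmail and Facebook logins on the change list, while the forum account with its own password exposes nothing else.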