
When less is more: How the oversharing epidemic gave rise to digital identity theft

Since the advent of the digital age, we've been slowly but surely hooked on online services. Hardly an hour goes by without us doing something online: whether it's liking a post on social media, shopping, ordering an Uber, watching Netflix, swiping on Tinder, transferring money or accessing a remote desktop. The names of the companies and the things we do may vary — perhaps, you're more into online trading than shopping and prefer gaming to binge-watching shows — but the fact remains: we have all grown our distinct digital identities that may or may not correspond to our real selves.

We entrust some of the information to the care of governments and private companies. We knowingly and unknowingly share our data with tech giants, who track our digital footprint via increasingly sophisticated tools. That information also becomes part of our digital identity.

One man has famously said, data is the new oil, and another less famously argued that it was rather the new nuclear power to the extent it can be weaponized to cause harm. In a world where everything can be bought and sold, a person's complete digital life — digital identity — has become a hot commodity. If stolen and abused, it may bring its real prototype down.

Trackers are watching your every step

According to a recent Dark Web Price Index report, a digital identity — that is complete information about a person's accounts — can be bought on the dark web for less than $1,200. A hacked Facebook account goes for $45, a 1-year Netflix subscription for $25, and a selfie holding a forged US ID will cost one about $120, the same as credit card details with an account balance of up to $5,000. Crypto accounts are also not immune from theft: the cost of one crypto account varies from $90 to $250.

And criminals tend to buy in bulk. 50 hacked PayPal account logins are sold for just $150, and 10 million USA email addresses can be bought for $120. The rules of dark marketplaces increasingly resemble those of legitimate ones: sellers offer discounts and coupons, while buyers leave product reviews.

But the sad truth is that often there is no need for malefactors to splash out on a digital identity: if only out of convenience, users provide the bulk of their personal data themselves, willingly and for free.

Why would someone need my identity?

Once a digital identity, or at least part of it, falls into the hands of criminals, it can be abused in a multitude of ways: it can be resold, it can be used for blackmail or for money, and your "digital identity" can be used to attempt financial or medical fraud, or even murder.

The US authorities estimated that $100 million in COVID-19 funds were laundered through online investment platforms via accounts set up with stolen identities. In one case, criminals used a man's identity to claim $28,000 in relief funds for a non-existent business, then they opened an investment account in his name and a bank account to transfer the money to.

The theft of medical data is, perhaps, not the first thing that comes to mind when you think of digital identity theft. Yet, there is a burgeoning market for insurance numbers. A Medicare number can fetch as much as $1,000 on the dark web, compared to just $1 for a Social Security number. In one such case an elderly man racked up a hefty bill for an array of medical procedures and multiple doctor visits he had never received.

Who has not at least once mistaken a fake social media celebrity profile for a real one? But what if an imposter creates a fake profile for you, dupes other people into believing it is the real you and swindles them? The practice is known as cloning. A fraudster creates an account, makes it look identical to the real one with the help of the information a victim has generously shared online, and reaches out to that person's "friends". "Facebook friends" are a special breed of "friends", so one should not be surprised that they buy into the fraudster's tall tale. That happened to one Indian man, whose Facebook acquaintances were asked to channel Rs 10,000 ($136) to the criminal's account.

We are amidst the over-sharing epidemic

And money is a cheap price to pay, as some victims pay with their lives. A particularly twisted form of cloning is catfishing, that is when an imposter assumes another person's online identity to enter into a romantic relationship. It is so widespread that it even has its own show on MTV. An Australian woman took her own life in 2018, years after a female catfish posing as a male actor struck up a romantic relationship with her online and tricked her into sending intimate photos and videos.

Another extreme example — fraudsters might use real photos of a sick child to raise money off it.

They can register with online casinos, crypto exchanges, and marketplaces using just a passport scan. A SIM swap scam — when a phone company is tricked into assigning a victim's number to a new phone — comes into play if there's a need to clear the two-factor authentication hurdle. Twitter's Jack Dorsey infamously fell victim to the scheme in 2019.

If you lose access to your account in a hack or a social engineering attack, it can be repurposed for spam, advertising and to imitate a real person when perpetrating fraud.

Even after your death your digital identity may not be able to rest in peace. A form of identity theft known as 'ghosting' is commonly used by criminals to claim tax returns on behalf of the recently deceased. The US government estimates that the identities of 2.5 million deceased Americans are stolen by fraudsters every year.

Safe to say, our digital identity is out here waiting to be abused. And if you were lucky enough to not fall prey to fraudsters yet, then this is more of an exception that proves the rule.

How does our digital identity fall into the hands of fraudsters?

There are two principal ways in which a digital identity may become a tool in the hands of criminals: victims are either forced to reveal it or do it voluntarily.

When we hear the word "cyber crime", the first image that springs to mind is that of a hooded man — the hacker. Indeed, the data stored by government entities, medical institutions, and companies can be breached in a brute force attack or a social engineering attack. The former relies on a trial and error method of hacking passwords and encryption keys, while the latter usually involves some form of communication between attackers and an unsuspecting victim. A breach of a popular online trading platform in India last year saw the data of over 3.4 million customers put up for sale. It included customer ID, email ID, contact number, trade login ID, branch ID, and location.

Your data can be stolen in a hack

Then, there are malware attacks. A bad actor can infect a victim's device with data-stealing malware, which can, for instance, record keystrokes as a victim logs into accounts and harvest the information stored by the browser, including cookies and passwords. As a result of such an attack, a user's browser fingerprint becomes exposed. Resetting passwords won't help while the malware is still present in the system. Then the data can be sold on the notorious invite-only Genesis marketplace or somewhere similar.

The list will not be complete without phishing emails and websites. Scammers forge an email from a legitimate entity and prompt a recipient to disclose their personal data in a response. The US Internal Revenue Service (IRS) has constantly warned Americans that scammers are using the agency's logo and name to steal secret access data and credit card and bank account numbers.

Credentials and other data can also be stolen through spoof websites that are designed to look exactly like the real deal. In November 2020, the account data of scores of PUBG Mobile gamers was exposed as a result of a fake giveaway via hundreds of phishing pages.

We can detect malware, block phishing websites, employ sophisticated security protocols — it will help, to an extent, but even if we deprive malefactors of all the tools, they will continue to tap into an incessant stream of data. How so?

The root cause of the problem is the modern tendency to overshare. We post holiday snaps, geotagged, so everybody can see what posh hotel we have checked into. We post photos from the front porch of our newly-bought family home, geotagged and with the house number visible, cars proudly on display in the driveway.

Some people boast about their big purchases on social media

We reveal our birthdays, health issues, our interests and bucket lists — all while tracking algorithms silently listen and tailor ads to us.

What's more, some of us are careless enough to upload identity documents to social networks. A brief search on one popular social network returned numerous scanned copies of documents that appear to be valid.

ID cards can be easily found on social media

Such oversharing can backfire. And it did for an Insta-famous fraudster by the name of 'Hushpuppi'. The Nigerian was a mastermind behind an email scam operation, and flaunted his luxurious lifestyle online. The FBI used his social media accounts to collect evidence and track him.

Hushpuppi flaunted his lavish lifestyle online

Once in a while we hear about ordinary people being fired because of the content they post, as was the case with a Russian paramedic who took selfies with dying patients.

A British bank estimated that the effects of 'sharenting', that is when parents reveal names, ages, home addresses, places of birth, names of pets and sport teams, and other personal data about their children, will account for two-thirds of identity fraud cases targeting young people by 2030, and will cost them £670m a year.

Perhaps, you remain tight-lipped. But still, the demands of the digital age require us to share our data. We post elaborate CVs on job websites, create dating profiles, and take part in online questionnaires.

The consequences

As we have already seen, the consequences of digital identity theft can be truly catastrophic. You can unknowingly finance terrorism, run over someone, defraud the government, or swindle someone out of thousands of dollars. Your reputation can be tarnished if your likeness is used to scam people or to lure someone into a romantic relationship.

Criminals can use information that you've shared online to guess your passwords (especially if it's your grandma's birthday or a pet's name) and break into your accounts, stealing your money and services.

Moreover, your health or life can be in danger. Imagine you go to a hospital to get a test done, but a doctor tells you that you already had that test done two weeks ago. Or your real health parameters can get mixed up with those of a fraudster who abused your insurance.

And it's not only your reputation and finances that might suffer, but those of your company. Todd Davis, CEO of LifeLock, an Arizona-based identity theft protection company, notoriously made a laughing stock of himself after he put his social security number on billboards and in TV commercials, claiming that the company's credit monitoring service would make "personal information useless to a criminal". To hardly anybody's surprise, except probably Davis's, the CEO's identity was stolen at least 13 times. His social security number was abused to obtain a loan as well as to open multiple accounts that all had outstanding debts by the time he found out about their existence. LifeLock was ordered to pay a $12 million fine for deceptive advertising.

According to the 2022 Data Breach Investigations Report by Verizon, 82% of data breaches targeting companies involve the "human element". Phishing, use of stolen credentials and manipulating an employee into disclosing confidential information ('pretexting') make up the top 3 social engineering techniques that criminals use.

What are the chances your identity will be stolen?

The more apps, electronic devices, social media and online services you use — the more likely you are to fall victim to digital identity theft. We leave chunks of personal data on each of our devices, share it with every app we use — the same goes for social media. You are at risk if you are an active member of numerous public groups and post personal information about yourself (about your financial situation, about your children's well-being) for everyone to see.

Sometimes we have to fight the urge to share

If you take part in online questionnaires, quizzes, giveaways and paid surveys, you're also playing with fire. They can be tools to harvest your data, which can then be sold to spammers or compromised in some other way. Resumes and student applications that you post online and that reveal your personal details also make you vulnerable. In the end, it is the amount of publicly available information that makes the difference.

Disregard for basic protection measures, such as installing anti-virus software, enabling two-factor authentication or setting up a strong password, increases the likelihood of your digital identity being compromised.

How to decrease the risks

You cannot unplug yourself from the world, but you can shrink your digital footprint and at least make criminals work hard if they want to lay their hands on your digital identity.

  • Share less on social media — the internet never forgets. Even if you remove the post afterwards, it can still be screenshotted or retrieved through web archives. Resist the urge to share your purchases and information about your loved ones or where you live. Be mindful when geotagging photos and tagging others in them.
  • Do not upload copies of your ID documents, such as passports or driver's licenses, to your social media accounts. Do not send your documents, especially your selfie with an ID card, to random third party services “for identity verification” unless absolutely necessary.
  • Carefully study the privacy policy before participating in an online survey or a questionnaire and find out what your answers can be used for. If no such policy exists, then it’s better to forgo that survey altogether. Even if the privacy policy does not contain any red flags, the pollster can leak the data anyway. So the fewer questionnaires you take, the safer you are.
  • Be wary of "too good to be true" discounts and generous giveaways offered by well-known companies. Make sure you are not on a phishing site, and contact a representative of the company to verify the campaign if you're in doubt.
  • Allow only those cookies that are essential to the functionality of the website if you don’t want advertisers to track you across the web and bombard you with ads.
  • Use ad blockers that are trustworthy and have not been caught red-handed leaking data. You can also switch to a privacy-focused browser, use a VPN or a DNS server.
  • Set strong passwords that are not reused across your other accounts or devices, and use password managers.
  • Enable multi-factor authentication where possible — it will help protect you from unsophisticated hackers.
  • Install antivirus software and keep it up to date, and make sure you have enough space on your device for the updates.
  • Give your apps only the most necessary permissions.

As for the documents that we have to email our employers, professors, insurers and others online, make sure you send them via an encrypted email service and that your mail is password-protected.
