Published on the 08/12/2020 | Written by Heather Wright
How to protect against the weaponising of personal info…
It wouldn’t be the festive season without a security story, and this one is brought to you by the folks at cybersecurity vendor Kaspersky, who want us to be more aware that we could be the target for ‘doxing’ and that our personal data can cost less than a cup of coffee on the dark web.
The company delves into two ‘major consequences’ of sharing personal data in public willingly or unwillingly: Doxing (the public ‘de-anonymisation’ of a person online) and the selling of personal data on the dark web.
Ironically, in an age when getting up in arms about privacy is de rigueur, Kaspersky says most of us still only have a basic understanding of why privacy matters – with 37 percent of millennials believing they’re too boring to be the victim of cybercrime.
That’s not the case, Kaspersky cautions. “For instance, doxing, which, in a way, is a method of cyberbullying, can affect any user who is vocal online or does not conform to subjective standards of other users.”
Doxing, or doxxing, is the sharing of information to embarrass or hurt the target – think embarrassing photos or videos, parts of private correspondence, often taken out of context, private contact details or medical, financial or criminal records.
It’s a topic New Zealand online safety organisation Netsafe was hot on earlier this year, calling for Kiwis to be more aware of the issue and to take action against it (more on that later).
“Users typically do not expect personal information to leak out into the public domain, and even if it does, do not anticipate what harm that might do,” Kaspersky says. “But as practice shows, with especially determined abusers or malicious users, doxing may potentially turn as far as hacking into the target’s accounts – a service that is offered on the dark markets nowadays.”
When it comes to the ‘dark markets’ Kaspersky deep dived into 10 darknet forums and marketplaces, finding access to personal data can start from as low as US50 cents for an identity document or card.
Some forms of data, such as credit card information, banking and e-payment service access, remain as in demand as they were 10 years ago, with their respective prices unchanged in recent years (at $6-$20, one to 10 percent of an online banking account’s value, and $50 to $500 for PayPal account data, depending on the available credit and previous user operations).
But the report also highlights the emergence of new types of data, such as medical records (still relatively low cost at $1 to $30) and selfies with personal identification documents – sometimes required by know-your-customer programmes, including those used by some cryptocurrency exchanges – which can cost from $40 to $60.
Dmitry Galov, Kaspersky security researcher, says in the past few years many areas of our lives have become digitised – and some of them, such as our health, for instance, are especially private and sensitive.
“As we see by the increasing number of leaks, this leads to more risks for users. However, there are positive developments too – many organisations are taking extra steps to secure their users’ data. Social media platforms have made especially significant progress in this regard as it is much harder now to steal an account of a specific user.
“That said, I believe our research highlights how important it is to be aware that your data is in fact in demand and can be used for malicious purposes even if you do not especially have lots of money, do not voice controversial opinions and are generally not very active online,” he says.
Passport scans can go for between US$6 and US$15 – and go around the web ‘quite often’. “Think of how many times you have uploaded a copy of your passport to some service, sent it to an organisation or allowed them to scan it themselves.”
For now at least, Kaspersky believes the data available on the dark market is unlikely to be harnessed for doxing thanks to the cost, but it cautions that might change ‘depending largely on the determination of the abusers to dox an individual’.
As to protecting ourselves, both Netsafe and Kaspersky offer up a few tips:
Know what they know. Research what the internet knows about you by Googling your name and some other data to narrow down results; search your online handles and emails. Check if your social posts contain geotags or private data such as names of family members. Check if data has been leaked using leak monitoring services such as HaveIBeenPwned. Consider removing anything that can be used to identify you as well as personal information.
Always check permission settings on the apps you use, to minimise the likelihood of your data being shared or stored by third parties – and beyond – without your knowledge.
Use strong passwords, and a different one for each account, so people attempting to dox you can’t guess a password to gain entry to your online accounts.
Use two-factor authentication. Remember that using an application that generates one-time codes is more secure than receiving the second factor via SMS. If you need additional security, invest in a hardware 2FA key.
Report abuse before things get out of hand.
“One has to understand that being and expressing yourself online is not exactly a private endeavor – it is more like shouting on a crowded street and you never know who might come your way, disagree with you and how they might react. With this, comes risks,” notes Vladislav Tushkanov, privacy expert at Kaspersky.
“This does not mean that we should all delete and close our social media accounts, of course. It is all about understanding potential consequences and risks and being prepared for them. The best course of action when it comes to your data is this: Know what they know, remove what you can and take control of what information about you goes online. It is that simple, but does require effort.”