Sunday, August 31, 2014

Of Social Media, Apps and Data Theft



As the reach of social media sites and online and mobile applications (apps) expands, your own data is at high risk. You put a lot of personal information at stake when you download apps on your desktop as well as your mobile. Most social media sites like Facebook, Twitter, Google+ and many recent chat apps feed on a basic quality of human nature: hunger for attention. All of them feed on human ego. And the more fire one has to show off and advertise things to the world, the better it is for the popularity of the site / app.

How Safe is your Online Content?

Once you post your photos, data, your story including contents of your chat, you are indirectly exposing your personal life to them. That's because most of these sites and apps automatically get the right to use, sell, reproduce your pictures and data as they deem fit, without your consent or any compensation to you. 

Who has Given them the Right?

But who has given them the right to do all this? Of course, you yourself. How many of us actually read the Terms and Conditions one has to tick before signing up for an application?! We are always in a hurry to make accounts, often ignoring the fine print! So tomorrow if any of these social media sites want to write a book on your life from your posts, pictures and chat content (depending on the rights they have on your contents), nobody can stop them. Scary, right? But the agreement to use your content ends with deletion of your account. Yet what you had posted earlier might remain in their database without your knowledge! And might still be used. All the terms and conditions are subject to change, but this is how it is at the moment. That is why deleting an account is much more difficult than creating one. Take Facebook, for example. Its 'delete' option is hidden from visibility. People just 'deactivate' accounts, keeping them still alive through comments and data posted on other people's accounts. Then often they are tempted to log in again, making the account active once again.

What the Law Says

Instead of putting the legal aspects of the rights held with these sites, I would rather quote the experts and would prefer you to check the authenticity of my words from the proper sources.
Check this link from the Law Offices of Craig Delsack, LLC, which explains what rights the social media sites have over your private pictures and content:
http://www.nyccounsel.com/business-blogs-websites/who-owns-photos-and-videos-posted-on-facebook-or-twitter/

Rights Held by Telephone Apps

Now let's come to telephone apps. So many of us download so many games and applications and give so much consent to the companies ourselves, without blinking an eyelid! Without wondering whether such an app actually needs such access. Some ask for access to your location, to your files, to your pictures! I generally do not download apps unless I check out the kind of access they are seeking. The other day I was about to download one popular caller identification app and was shocked to see them seek access to my picture folder apart from the contact list (which was understandable). Then I remembered my colleague telling me that since downloading the app, he not only gets the name of the person calling, but many times pictures of unknown people calling for the first time too!

So I restrained myself from downloading the app and requested my close friends and family to delink any snap they might have associated with my number. Sometimes you accept the terms and conditions of a company and indirectly put your own family and friends at risk of exposure. Imagine a husband associating a sensuous photo of his wife with her number. Then he downloads the app, giving it the photo file access it asks for. The next thing that will happen is that the photo will get associated with that particular number, and when she calls a colleague, friend or even an unknown person, her associated photo will get flashed, provided no other photo is linked to her number. What an embarrassment! The app works on the principle that as people keep adding to it, it reads all the data, picks the name (and now the snap, if any) most often associated with a number, and stores that name and snap against that number. Suppose a casual photo is published on a social networking site and one has an unwanted stalker who downloads that snap and saves it with the number, with a sleazy name attached to it; it is likely that the name and snap will be associated with that number. Likewise, if you have a nickname. And imagine calling a prospective employer with your embarrassing pet name / nickname flashing on his/her mobile. Your impression is already made!

My brother suggests that in such cases, since you cannot educate everyone, it is better to create an account yourself and add your name and snap as you want them to appear (you can even have letters spelling your name out) in that account. That is always the first preference of the app. Alternatively, if you do not want to give too much access to the app, yet want to find details of callers, you can subsequently delete the app from your mobile and still log into your account from a laptop / desktop or mobile net and look up the names of callers.

For all other apps, be careful about what access they are seeking. Download only the popular ones offered by good companies. The rest is up to you: how much access you want to give to an application.

Online Data Selling and Identity Theft

Ever wondered why, as you sign up for online retailer accounts and shopping cards at big stores, you start getting more and more advertising emails and more shopping sites in your email box and on your mobile phone? As you shop through these channels, you are a potential buyer for other sites / stores as well. So either openly or discreetly, this data is passed on to other retailers. If you are registered for DNC / DND, you might not get ad SMS, unless officially registered with some retailer. So your email ID is again vulnerable. And your email IDs get filled with promotions and advertisements.

Advertisements are still fine. But when your email box is filled with sleazy spam and phishing emails, it's horrible! Most email providers scan for such emails and direct them to your spam folder. But still, others keep flowing in.

How do they get their data? The resumes / CVs that you upload on job portals, your social media accounts; these are the sources of your data theft. And if that wasn't enough, nowadays I've seen individuals selling their contact lists online! Email, phone... Everyone for money. Imagine your own friend doing that?!

Then there are these representatives at malls approaching you with 'contest forms' asking you to fill all details. Once you do that, then of course, you will be getting emails and calls of various schemes and requests. You can still report calls for promotions / advertisement received on DND registered mobile numbers.

As long as the data is used just for promotional activity, you are still safe. But when it is used to steal your money or identity, it is a fraud.

Identity Theft Frauds

Identity theft can be done by stealing your email, phone number, credit and debit card details, your ATM PIN, your account details. 

How is this possible? Sometimes we pass on credit / debit card details over phone, SMS, social media sites and emails. Or write the details somewhere and leave them. Or keep our cards carelessly. Someone could overhear a conversation, hack into your social media account, or copy details of your credit / debit cards, and if they know your personal details also, they can easily access your netbanking account or make online payments! I've noticed how some shopkeepers refuse to hand over their swipe POS to the user and blatantly ask the shopper for their PIN. And some shoppers actually give it. Never ever do that! Even if the shopkeeper makes you look bad or cranky. People might watch or hear the PINs being keyed in and rob your wallet as you walk out. And voila, they have access to your money! Before you discover the theft and deactivate your card, your account could have been wiped out.

Apart from credit / debit card information theft, you might be sent heart-touching emails seeking donations for a cause and asking for your bank details and passwords. These links direct you to fraudulent sites where the data is received and stored. If not an emotional email, it might be a phishing email appearing to be sent from a regulatory authority. Such emails scare people into replying to them. Another way is to send emails about job opportunities. Such emails will appear too good to be true. They will be willing to hire you without an interview, by just filling in a form. And the moment you reply to the email, you will be asked to part with money, for which you will be directed to a fraudulent link or asked for bank details or told to wire money to some account.

How does one identify if an email is authentic? One sure-shot way of doing so is to check if the sender has sent the email from his/her organisation account. You cannot have officials from government bodies or big organisations sending you emails from their Yahoo and Gmail IDs! You can also look up the HoaxSlayer site to check if such emails are authentic.
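The sender check described above can be automated over a saved message. This is an added example, not part of the original post: the organisation domain `taxdept.example`, the function names and the sample messages are constructed. It only inspects the visible From header, which a sender can forge, so a match does not by itself prove the email is authentic.

```python
from email import message_from_string
from email.utils import parseaddr

# Free webmail providers named in the post; extend as needed.
FREE_MAIL = {"gmail.com", "yahoo.com"}

def sender_domain(raw_message: str) -> str:
    """Domain of the address in the From header, ignoring the display name."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def check_sender(raw_message: str, expected_org_domain: str) -> str:
    """Classify the sender against the domain the claimed organisation uses."""
    domain = sender_domain(raw_message)
    if not domain:
        return "no-sender"
    if domain in FREE_MAIL:
        return "free-mail"
    org = expected_org_domain.lower()
    # Accept the organisation's domain or a true subdomain of it. Comparing on
    # a "." boundary rejects look-alikes that merely contain the name, such as
    # "taxdept.example.refund-desk.example" or "nottaxdept.example".
    if domain == org or domain.endswith("." + org):
        return "matches-organisation"
    return "other-domain"

# Constructed sample messages (headers only matter here).
SAMPLES = {
    "webmail": "From: Tax Department <refunds@gmail.com>\nSubject: Refund\n\nhi",
    "genuine": "From: Tax Department <notice@mail.taxdept.example>\n\nhi",
    "lookalike": "From: Tax Department <a@taxdept.example.refund-desk.example>\n\nhi",
    "missing": "Subject: Refund\n\nhi",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", check_sender(raw, "taxdept.example"))
```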

Exporter-Importer Data Fraud

One important kind of fraud, involving huge amounts, works by accessing invoices and purchase orders exchanged between importers and exporters. Unlike earlier, when purchase orders actually moved in hard copy and acceptance of the order was obtained from the purchaser, now a lot of quotations and orders are exchanged over email. Most purchase orders or proforma invoices carry the bank details of the exporter. Hackers identify such traders, hack into their email IDs and replace the original order or invoice with a fraudulent one carrying the bank details of some other account. Either this, or a follow-up email on top of the original email is sent stating a change in bank details. The importer unsuspectingly makes payment to the wrong account without making a call to the seller or verifying the facts with them, only to lose large amounts of funds!

This can be avoided by keeping strong passwords, by exchanging emails only between two main parties instead of all and sundry in the company and also by verifying any data with the seller before parting with the funds.

Other types of Identity Thefts

In India, PAN card details are used for tax frauds. Earlier, Indian Railways used to display the PAN card details of passengers on their boards after finalisation of the passenger list. This was done for identification purposes. But eventually it turned out to be a source of data which was being stolen for certain kinds of tax frauds. This has since been discontinued. Sometimes PAN card copies are taken by various bankers and other organisations, and sometimes excess copies could be taken as one isn't clear enough. Ensure that all such extra copies are destroyed. Else another customer walking into the organisation might misuse them.

Also while taking your valuable documents for photocopying, keep an eye on your documents and ensure no extra copies are being made without your consent.

Apart from data being used to rob you of your money, in today's time it can be used to rob you of your identity and commit frauds and illegal activities. How?

Suppose an anti-social element wants to commit some illegal activity. Earlier, for creating accounts, one had to key in one's own user name and check availability. That would be your account. Additionally some data was asked for, which was never verified. And you could have internet calling accounts without being traced back. You could open various online accounts with self-made user IDs and operate on fake data on an anonymous basis. But now, as a security check, companies are seeking email IDs for creating user accounts. Some even seek a mobile number. Email IDs and mobile numbers can be traced back to the user. But one intending fraud might not want to use a correct email ID or phone number. So they steal other people's email IDs to do so.

For the whole of last month, my Gmail ID was being used for creating social media accounts, a mobile freecharging company account, an online shopping account and even an account with an online dating site! Most of these companies had added my email ID without sending me an email ID confirmation link. A few who did, did not wait for the confirmation. Suddenly my email inbox was filled with activities and transactions which I was not even part of! I had to take action. I started writing to / logging complaints with each one of these sites / companies. Twitter was most professional in delinking my email account without any further questions. But I had to take it up with the dating site very strongly before they would delete my account. The mobile charging company asked me to send the email from the correct ID!

Here I would like to highlight one interesting thing. All the accounts were made from my gmail ID. My gmail ID has a dot separator between my surname and first name. But interestingly these accounts were created using email ID having no separator! At first I was fooled into thinking that this was some other account and erroneously I was receiving the emails. Then thanks to my brother, I learnt one interesting fact.

To a layman, these two email IDs (one with a dot and one without) may look different, but the reality is that Gmail treats them as the same. For example, I could even send a mail to p.e.t.e.r@gmail.com or pet.er@gmail.com, and both would reach the correct email ID, that is, peter@gmail.com. So probably Gmail does not allow users to create user IDs with dots if the same email ID without dots has already been created.
Please refer to the link below for confirmation:

So when I was asked to send the deletion request from the correct email ID, I had to inform the company of the above fact to have the account deleted. This was amusing, as the account creator was part of the IT industry and should have been aware of it.
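The dot behaviour described above is what a support desk has to account for when a deletion request arrives from an address that "looks different" from the one on the account. An added example, not part of the original post (function names and the sample address list are constructed), that reduces a Gmail address to the mailbox it delivers to before comparing:

```python
from collections import defaultdict

# Only the provider whose dot handling the post describes.
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}

def canonical_email(address: str) -> str:
    """Return the mailbox an address delivers to. For comparison only."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        # Gmail ignores dots and letter case in the part before the @.
        local = local.replace(".", "").lower()
    # Other providers may treat dots as significant, so leave them alone.
    return f"{local}@{domain}"

def same_mailbox(request_from: str, account_email: str) -> bool:
    """True if a request's sender address reaches the account's mailbox."""
    return canonical_email(request_from) == canonical_email(account_email)

def shared_mailboxes(registered):
    """Group registered addresses that all land in one mailbox."""
    groups = defaultdict(list)
    for addr in registered:
        groups[canonical_email(addr)].append(addr)
    return {box: addrs for box, addrs in groups.items() if len(addrs) > 1}

# Constructed sample: addresses a site might hold as "different" users.
REGISTERED = [
    "peter@gmail.com",
    "p.e.t.e.r@gmail.com",
    "pet.er@gmail.com",
    "p.eter@example.org",
    "peter@example.org",
]

if __name__ == "__main__":
    # A deletion request from the dotted ID for an account made without dots.
    print(same_mailbox("pet.er@gmail.com", "peter@gmail.com"))
    print(shared_mailboxes(REGISTERED))
```

Store the address exactly as the user typed it and use the canonical form only for comparisons, since the dot rule does not hold for every provider.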

Finally, after a lot of email communications and awareness messages to friends, I have all my accounts deleted. I was especially concerned about the dating site account. I was getting so many notifications. The account was made as an 18 year old and imagine if someone had posted objectionable content and pics using my identity! As I write this, another shopping account has been made in my name and some shipment has been ordered. I have informed the concerned company to look into the matter and delink my email ID from the account.

This incident has made me aware of so many frauds and security breaches. I knew some things, I learnt so much more. And my sole purpose in writing this article is to make others aware that all this is possible. So next time you see unwanted / unusual activity in your email ID, especially the creation of accounts which were not created by you, be alert. Write back to all of them and have the accounts deleted. Who knows what the intention might be!


Check below interesting links I came across which might help the reader to increase their awareness of data and identity theft :
http://www.justice.gov/criminal/fraud/websites/idtheft.html
http://www.consumer.ftc.gov/features/feature-0014-identity-theft
http://www.allianceonemumbai.com/identify-signs-employee-fraud-business/

Better safe than sorry!


Picture courtesy : www.allianceonemumbai.com (Corporate Fraud Detectives in Mumbai)