How Big is Your Footprint?

Informational Report

Original Release Date: 6/26/2020

When we talk about our digital footprint, we immediately think of social media - and with good reason. There are countless social media platforms available that invite their users to share their lives, photos, videos, and thoughts with the world. Through these platforms, we may reveal a host of personally identifiable information (PII) about ourselves, such as real names and contact information, as well as information on our family members, friends, co-workers, pets, etc. For example, tagging your mom in one of your photos may divulge her maiden name, and sharing photos of your honeymoon may reveal its location; both are common answers to account security questions. In addition, there are a number of sites dedicated to scraping (a technique used to automate data extraction) and compiling information on individuals. This information can include age, phone number, email address, home address, previous addresses, family members, car make and model, and the list goes on. PII and other sensitive information, such as personal health information (PHI), can also be revealed in data breaches – incidents in which sensitive, protected, or confidential data is exposed, copied, transmitted, viewed, stolen, or used by an unauthorized party.

All of this information can be used in various ways to target individuals, including crafting personalized and convincing social engineering schemes in an attempt to convince recipients to open attachments in emails, click links, or divulge sensitive information. Additionally, publicly-available information can be compiled and used in doxing and swatting incidents. Doxing is a tactic that involves the malicious targeting, compiling, and public release of PII used to perpetrate harassment, identity theft, or violence against an individual. Once compiled, this information is commonly posted on hosting sites such as pastebin[.]com and further disseminated via social media. Doxing is often used to target law enforcement personnel, but is also common in the gaming community. Swatting is an associated threat in which a fraudulent call is made to police claiming a crime is occurring at a targeted individual's home; the address provided is typically taken from publicly-available sources. Swatting may be the result of a simple argument, but the consequences can be deadly. In December 2017, a swatting call to the wrong address resulted in the death of an unassociated individual.

Recommendations

The NJCCIC recommends individuals take the following proactive steps to limit their online presence and PII exposure, and attempt to have their PII removed wherever possible.

  • Follow the “Be Sure To Secure” instructional guides to implement strong security and privacy settings for Android, Facebook, Google, Instagram and Twitter. Be sure to configure similar settings on all other social media sites. Privacy options can often be found under account settings.
  • Conduct frequent searches on social media for photos of you and your family that are tagged by friends or those outside your network (i.e. ‘friends of friends’ who have public profiles) and remove tags.
  • Conduct frequent searches (Google, Bing, etc.) for your and your family’s PII and photos to verify where personal data is provided.
  • Utilize Michael Bazzell’s Extreme Privacy guide to remove personal data from the internet, which includes submitting opt-out/removal requests for public record or ‘people search’ websites where your information is readily accessible.
  • Deactivate or permanently delete any social media or online account that is no longer in use. Sites such as https://justdelete[.]me provide instructions on how to remove information and delete accounts for numerous online and social media sites.
  • Use a resource, such as haveibeenpwned.com, to determine if your information (e.g., account password) has been exposed in a public data breach.
  • If you receive an email containing a link or attachment from a seemingly known sender, confirm the legitimacy of the email via a separate means of communication before taking any action.
  • Avoid responding to requests for PII, login credentials, or financial information received via email.
  • Do not send unencrypted documents containing Social Security numbers or other sensitive PII via email.
  • Do not store unencrypted files or documents containing Social Security numbers or other sensitive PII on an unencrypted computer hard drive or cloud-based application.
  • Freeze your credit to reduce your risk of identity theft. You can place a freeze on your credit profile by contacting the three major credit bureaus. Each credit bureau will provide you with a PIN or password that will be required to lift the freeze in the future.

Additional Best Practices

  • Use unique, complex passwords for all accounts.
  • Use multi-factor authentication wherever possible.
  • Update passwords immediately following a potential compromise.
  • Avoid auto-saving passwords, payment card numbers, or contact information when prompted by your operating system, browser, website, or applications.
  • Monitor credit reports and financial accounts for unauthorized activity.
  • Consider purchasing a credit monitoring service.
  • Be aware of social engineering tactics and scams aimed at obtaining your sensitive information.
  • Run an up-to-date anti-virus or anti-malware program on all devices.

 

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
