A Picture Is Worth a Thousand Clues

A friend posted what should have been a simple picture on a social media site – not realizing she was potentially exposing more than just her lousy day.

A simple case-study of stalking and potential identity theft.

I’m not a big advocate of pushing “FUD” (Fear, Uncertainty and Doubt) in the security community – but equally, I endorse the idea that forewarned is forearmed.

Such is the case of a photo (similar to the one in this article) that a friend of mine posted on a social media site one day – commenting on how it was the end of a long day and, per usual, all that really came out of it were bills (I’ve not used the original picture).

Now, as is often the case with many security and intelligence breaches, it’s not a single catastrophic event that presents a threat – but a mosaic created by taking a step back and looking at how small and relatively inconsequential bits of information fit together to reveal a greater truth (some know this as the aggregation and inference threats… but I’ll save that for another article).

That was the case with my friend’s picture.

Being a single woman who has had a few unfortunate incidents with some individuals in the past, she’s normally been pretty careful with her online identity (even going so far as not to use her real name). Unfortunately, a harmless photograph undid a lot of her previous diligence.

A harmless enough image – with care taken not to reveal the name/address on the envelope – so all should be fine?

Looking closer, however, we learn the following:

  • The postal code (zip code in US terms) was visible on the original envelope. While in the USA this can cover a relatively extensive area (several square miles), in Canada a much smaller zone system is used – and a Google Earth search on a postal code can actually show you, to within 3-5 houses/buildings, where a postal code lies (unless you come from a small town serviced by a central post office or super-drop box).
  • The vehicle key tells us the manufacturer of the vehicle. Now in this picture – it’s a Ford – so not that remarkable; but in my friend’s picture a somewhat less common vehicle was being used – and it would help narrow down exactly where she lived, based upon finding that car in the driveway of one of the 4 houses that showed up on the Google search.
  • Finally, in her picture (not mine) – there was a Medeco key. Medeco locks are one of a number of “premium” lock companies that purportedly produce very difficult-to-pick locks, and that also require special permission to duplicate their keys. Part of their branding strategy is to ensure both locks and keys are well marked – so a would-be lock picker will go away and find an easier target (sort of like posting signs saying your house is protected by an alarm). This adds to the puzzle – because while this could just be an office key, it may also be the house key – providing another easy way for a would-be stalker to confirm the correct house/door.

Now I’m not trying to convince everyone that a would-be stalker is following every social-media post… but I am suggesting that proper care be given to just what you post and where.

While it’s nice to see pictures of the old school, your childhood friends and activities, to get birthday greetings from friends and help map out your family history online – remember that you could also be helping a less scrupulous individual figure out your birth date, mother’s maiden name and your childhood pet’s name – information generally used for identification purposes with various institutions and service agencies.

From a few simple pieces of information – much more can be derived or “inferred” about you, your activities and your identity.

A little bit of forethought and being selective can save you a great deal of trouble later on.

Author: Stephen Holton, PMP, CISSP, SSGB, ITIL, CD

After completing over twelve years service in the Canadian Armed Forces, Stephen moved to private industry where he was employed as a Director of Information Technology, Director of Operations and CIO for a number of private sector companies before finally electing to become an independent consultant in 2000. Since then he’s served as a management consultant, project/program manager and business analyst/solution architect in a number of industries and organizations - including a big-5 consulting firm. These industries and organizations have included the airline, railway, telecommunications and banking industries, the Canadian and US Governments, as well as mandates in Brazil and Bermuda. Presently Steve lives in Ottawa, Canada.
