
How much of your personal information is available online?

When you think of hackers and criminals operating online, you might think of the so-called ‘dark-web’. But scammers and criminals don’t need to delve this deep to steal your information. Faye Lipson explains more…

The ‘dark web’ is seen as a nefarious internet underworld where whole identities are traded for a few pounds each; but in truth, it’s simply a part of the internet which can’t be reached with a conventional browser such as Internet Explorer, Chrome, Firefox or Safari. Instead, you must use the Tor Browser (Tor is short for ‘The Onion Router’), a modified version of Firefox that routes your traffic through the Tor network so that neither the sites you visit nor anyone watching the connection can easily tell who or where you are.

Many of us fear what the dark web knows about us, though we have precious little control over it and would struggle to access it safely without expert help.

Yet what we should really worry about is how most of us use the web on a day-to-day basis: the strength of our passwords and the amount of personal information we freely make available on easily accessible websites.

A decade of us being overgenerous with our personal data, and of companies failing to secure it, has made the ‘everyday’ web a paradise for fraudsters and hackers.

Information security expert Troy Hunt famously founded haveibeenpwned.com – a directory of major data breaches that victims can search using their email address – and said that ‘almost every single record [on the site] came off the clear web’.

Staying safe online

With this in mind, we set out to discover the damage that can be wrought by criminals using only the public internet.

Working with expert cybersecurity firm SureCloud, we recruited 14 volunteers as ‘targets’ and combed social media sites, forums, shopping sites, digitised public records and large deposits of information stolen in company data breaches to build as comprehensive a picture of their lives and personal information as we could.

The results were shocking. We were able to discover passwords and password hints, email and postal addresses, dates of birth, phone numbers, middle names and even signatures. We also uncovered a wealth of ‘softer’ information on people’s interests, hobbies, religion and political preferences.

The information could have been used to perpetrate a wide range of frauds, from applying for a bank account in someone’s name to taking over their existing mobile number and bank account, or ‘socially engineering’ them into divulging online banking details.

And passwords stolen in one company’s data breach can easily give a criminal the keys to victims’ accounts on other sites, because many people reuse the same password everywhere. For more on this investigation see our news story.

Seizing your digital destiny

If you’re feeling alarmed about your own online security, the good news is that there are steps you can take to make yourself safer:

Follow our tips on how to create and store strong, unique passwords for every site.

Delve into your social media settings and make sure fraudster-friendly personal details such as your birthday, middle name and contact details aren’t visible to the public.

Opt out of the open electoral roll, make your landline number ex-directory and ask to be deleted from online directories.

Your mother’s maiden name is a matter of public record. If asked to use it for a security question, make up a completely fake decoy answer (providing you can remember it).

A new data law has just strengthened your right to find out what organisations know about you and control how it’s used – brush up on your new rights.

Do you feel truly in control of your digital identity, or do you fear you’ve exposed too much of your data online? Are you doing anything differently in light of recent stories such as the Cambridge Analytica scandal?



I sometimes wonder how we came to allow the social minefield called Facebook to take over our lives and put our security in jeopardy. I have never been there but most people have and I know many who wish they could rewind and rewrite their history. It must be one of the most phenomenal lifestyle experiments in social history and I cannot make up my mind whether Zuckerberg and the others saw its full potential at the outset [pure genius if so] or whether they astonished themselves at how it exploded way beyond its ‘innocent’ origins and expectations into the all-pervading monster it has become.

Agree JW.

I do wonder how much leverage through a content hungry media allows some ideas to escape beyond the original concept. Looking at AirBnB, which was for people to let spare rooms, we now have a monster where landlords buy and operate portfolios of properties in major cities whilst avoiding H&S and other regulations. Not to mention taking out of use flats for local people.

Perhaps there is a lack of critical evaluation at the early stages by those entrusted to govern on the significant downsides that could follow in the wake of very well-financed and connected ventures.

In case you would like some insight into the way it evolved and the serious money invested ..

Basic e-mail is useful for sending messages quicker than through a post box. One is likely to get a reply sooner too. After that, any other social media seems irrelevant. I have no desire to make instant comments on the world or what I had for breakfast, and, as you may have noticed, I don’t particularly like restricting what I write to a set number of words, just to twit to someone, or even tweet. Since an American began doing that it has debased the currency somewhat. Facebook does allow you to send photos when e-mails crash when overloaded. However all their likes and dislikes put me off. I seem to be able to communicate with relatives fast enough without it, and important photos go on a stick in a jiffy bag with a stamp on it. Anyone with enough time and effort could go through all I’ve put on here over the years and build a pretty good picture of my life and interests. However, I don’t keep any active passwords on here, so they would have to get them from careless sites I communicate with. Not much I can do to stop that. My other safeguard is to do as little as possible financial electronically. If it isn’t on the computer, it can’t be hacked. I also back up files so that they are available if the computer is compromised in any way, or it just breaks down. I appreciate that others have a greater need to use the internet for serious data transfer and the more they do, the more they must find ways of protecting themselves. Ultimately it is a battle between those who wish us harm and those who try and protect us. While the criminals have a free rein and are not caught in significant numbers, they have the edge and the tools to do some serious hacking. We can just hope we aren’t interesting enough to get their time and attention. It’s an unpleasant electronic world and it has been spoiled by those with evil intent. We’re back to Adam, Eden, the serpent and the apple. Eve got hacked.

Phone messaging also works well for me.


I can’t get that link to work, Duncan, but here is a document on the same site: https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/unauthorized-transmission-and-use-of-personal-data/


Your link does not contain ‘transmission’. Did you not use copy & paste?


I don’t think I can teach you much about computers but I contribute Ctrl+c to copy and Ctrl+v to paste. 🙂

Control+a to copy all. Control+x to copy and delete the original. I find when you become senior your brain gets full much more quickly. Don’t worry Duncan; what’s in your head is very valuable to us all. 🙂


Not much sign of that yet, Duncan, but the way that our regulars constantly go off-topic might suggest we are starting to lose the plot a bit.

I use Facebook to help promote a charity that I’m involved with, for example by publicising events. I don’t put any personal information on FB and I have no Facebook Friends. If someone asks a question I’m happy to provide an answer but usually someone gets there before me. It never fails to amaze me how quickly some people read and respond to posts of FB, often replying with supportive comments.

It’s interesting to see what people post on Which? Conversation.

Sometimes contributors have the same username on this and other sites. At one extreme it’s a way of getting round the Terms & Conditions, for example to help make readers aware of a pressure group or a company.

Years ago, one of our former contributors mentioned in different posts the city where he lived and that he was involved in the NGS open garden scheme. In one or maybe more posts he gave his full name. It was easy to find his address, phone number and email address. Now there is a personal website describing his interests, so I suspect that the intention was to encourage other contributors to get in touch.


Interesting, but it relies on a thermal camera being in exactly the right place over a keyboard and presumably some way of identifying the individual who last pressed the keys. Although the keys that had been pressed could be identified after the event by the thermal camera I couldn’t see how it knew in which order they were pressed. Without a bank card in the slot, or knowledge of it or of the cardholder, the PIN or password is useless, surely?


This is more to do with offices, I think. An app on an iPhone could accomplish it pretty quickly and easily, but there are far easier ways of getting passwords. Loggers, for one.

I am not saying such a scenario could not occur, Duncan, but it’s pretty unlikely and people must always keep their bank cards in secure places; if they don’t then they haven’t got a leg to stand on. Things must be very slack and casual in some parts of America or among certain sections of the population. Perhaps they get what they deserve.


As I understand it, since the General Data Protection Regulation has been incorporated into UK law and is therefore a UK Statutory Instrument, it will endure after we leave the EU. Lots of other EU directives and regulations have similarly been transposed. After Brexit the government can then see which ones to modify or rescind.


Duncan – thanks – that looks like useful advice for anyone gullible enough to think that “free to access” internet services are only ever funded by rich benevolent billionaires and honest charitable foundations.

I guess your source was: “#1230534: Almost Every Major Free VPN Service is a Glorified Data Farm” on brica.de – i.e. some zero cost bannerware/hurt-and-rescue marketing from a subscription based internet security consultancy.
