Shoulder Surfing & Your Smartphone: A Case Study, ‘For Your Eyes Only’
For Your Eyes Only
Whilst reading an excellent article this morning in The Age, ‘Keeping Out Smart Phone Snoops’ by Brian Chen, I noted that the underlying theme of his article was locking your smartphone, where the article clearly stated: ‘One of the easiest ways to add a layer of security to your smartphone is requiring a password to get past the initial lock screen’.
Having read the article and agreeing with its range of valuable tips on protecting the data in your smartphone, I thought it prudent to bring to subscribers of Cyber Guardians Online the background of a common criminal activity known as ‘Shoulder Surfing’, which surfaced in the early 1990s.
Shoulder Surfing
I personally came across shoulder surfing as a Federal Agent, where, as one of the inaugural members of the newly formed Computer Crime Unit in Sydney, a significant file came across my desk involving an Australian travelling on business in New York City and coming home to a home phone bill in excess of $2 million. It was early in the 1990s, pre mobile phones, when travellers could opt to link a home phone account to a ‘Calling Card’. Calling cards were great: go to any phone in the world, call a local dedicated number and either tell the operator or, on some occasions, just key in your calling card number and personal identification number (PIN) to make a call anywhere and have it recorded on your home phone bill.
One major problem back then was that phone companies did not have safeguards built in to detect simultaneous calls on the same calling card being made from various locations around the globe, and as such fraud was rife. The manner in which the fraud was conducted was quite simple: all one had to do was obtain the calling card number and PIN, and every call was then made at the account holder's expense.
Free international phone calls in a multicultural city like New York City were a commodity that was extremely valuable on the black market, where a person with just one calling card number and PIN could on-sell the details hundreds of times a day, usually for $20, and of course the purchaser of that calling card number and PIN would then on-sell the details as well. Furthermore, the illicit transaction could be guaranteed, with all parties ‘testing’ the card's validity at a local phone box.
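The safeguard the phone companies lacked is easy to state and, today, easy to implement: a call-detail record (CDR) stream can be checked for one card in use from two places at once. The following is an added example, not code from the original post or from any carrier; the CDR format, the field names, the sample records and the thresholds are all assumptions chosen for illustration. It runs two rules over a handful of constructed records: an overlap rule (two calls on one card in progress at the same time from different cities) and a coarser velocity rule (more than one city on one card within a short window), which is the kind of check the post later compares to what banks apply to ATM transactions.

```python
"""Detect concurrent use of a single calling card from different locations.

Added example, not from the original post. The CDR layout below
(card, ISO start time, duration in seconds, originating city), the sample
data and the thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs. Card 5550001 and 5550003 are used legitimately;
# card 5550002 shows the pattern the post describes: overlapping calls from
# New York, Los Angeles and London on the same card.
SAMPLE_CDRS = """\
5550001,1992-03-01T09:00:00,600,New York
5550001,1992-03-01T09:30:00,300,New York
5550002,1992-03-01T10:00:00,1800,New York
5550002,1992-03-01T10:05:00,900,Los Angeles
5550002,1992-03-01T10:10:00,1200,London
5550003,1992-03-01T11:00:00,600,Sydney
5550003,1992-03-01T11:10:00,600,Sydney
"""


def parse_cdrs(text):
    """Parse CSV CDR lines into dicts with datetime start/end fields."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        card, start, duration, location = line.split(",")
        start_dt = datetime.fromisoformat(start)
        calls.append({
            "card": card,
            "start": start_dt,
            "end": start_dt + timedelta(seconds=int(duration)),
            "location": location,
        })
    return calls


def _group_by_card(calls):
    """Group calls by card, each group sorted by start time."""
    by_card = defaultdict(list)
    for c in calls:
        by_card[c["card"]].append(c)
    for card_calls in by_card.values():
        card_calls.sort(key=lambda c: c["start"])
    return by_card


def find_concurrent_use(calls):
    """Overlap rule: return {card: [(call_a, call_b), ...]} for every pair of
    calls on the same card that are in progress at the same time from
    different locations. This is the check the post says was missing."""
    alerts = {}
    for card, card_calls in _group_by_card(calls).items():
        pairs = []
        for i, a in enumerate(card_calls):
            for b in card_calls[i + 1:]:
                if b["start"] >= a["end"]:
                    break  # sorted by start: no later call can overlap a
                if a["location"] != b["location"]:
                    pairs.append((a, b))
        if pairs:
            alerts[card] = pairs
    return alerts


def impossible_travel(calls, window=timedelta(hours=2), max_locations=1):
    """Velocity rule: flag cards seen from more than max_locations distinct
    cities within any `window`. Coarser than the overlap rule (it also fires
    on sequential calls), so the window is a tuning assumption."""
    flagged = {}
    for card, card_calls in _group_by_card(calls).items():
        for i, a in enumerate(card_calls):
            locs = {b["location"] for b in card_calls[i:]
                    if b["start"] - a["start"] <= window}
            if len(locs) > max_locations:
                flagged[card] = sorted(locs)
                break
    return flagged


if __name__ == "__main__":
    calls = parse_cdrs(SAMPLE_CDRS)
    for card, pairs in find_concurrent_use(calls).items():
        for a, b in pairs:
            print(f"card {card}: {a['location']} {a['start']:%H:%M}-{a['end']:%H:%M} "
                  f"overlaps {b['location']} {b['start']:%H:%M}-{b['end']:%H:%M}")
    for card, locs in impossible_travel(calls).items():
        print(f"card {card}: {len(locs)} cities within 2h: {', '.join(locs)}")
```

On the sample data only card 5550002 fires, with three overlapping pairs, and the velocity rule flags the same card. In a real system the overlap rule is the high-confidence signal that should block or step up verification immediately; the velocity rule catches sequential abuse at the cost of false positives from genuine travellers, so its window needs tuning against real traffic.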
Obtaining the Account Number and PIN
As you can imagine, obtaining calling card details became very lucrative, and this is where criminal enterprises resorted to some basic surveillance 101 tactics, which I will refer to here in dot point form:
- Standing behind the person at the payphone and memorizing the person's account number and PIN (clearly an apprentice card counter in the making)
- Using telephoto lenses and videotaping persons entering personal details into the payphone
- Standing close by, or on the other side of the row of payphones in airports, bus interchanges and railway stations, and writing down account details and PINs as customers spoke to a calling card operator.
As you can see, it was not that hard to obtain such personal details and turn a simple few numbers into a positive cash flow operation within minutes, and generally the card would remain active until the unsuspecting victim received a telephone bill he/she could not jump over.
Yes, phone companies became smarter over time and introduced safeguards similar to what banks now have in place for ATM card transactions. However, the above scenario was the breeding ground for producing ‘Shoulder Surfing’ experts, who now operate with a view to obtaining your mobile/cell phone after securing your PIN through Shoulder Surfing.
Locking Your Phone Is Not Enough
Hence the underlying theme of this post is to warn you that locking your phone with a PIN is only your first level of defence; your PIN needs to be protected with vigilance. How many times do you sit in the open and enter your PIN without covering your actions whilst:
- At Bus/Train stops?
- On public transport?
- At bars/cafes?
- Walking along crowded streets?
- Opposite a work colleague?
Furthermore, how many of you have your mobile/cell phone PIN set the same as your bank ATM card PIN? Surprisingly, a high majority do so, and this opens a whole new Pandora's box of ATM and credit card fraud.
All it takes is for the person who has acquired your phone's PIN to obtain your phone and ATM cards, either through pickpocketing or bag snatching, or by surveilling you to your home or workplace and taking your phone and cards, where at times you may not notice the theft until the morning or the end of your workday. The domino effect can lead to severe financial loss, as banks are reluctant to reimburse funds to persons who do not protect their PINs.
Finally, consider what other data is stored on your phone, as The Age article highlighted. As indicated in this post, crime gangs the world over have had years to perfect the simple art of ‘Shoulder Surfing’, and it is re-emerging as a criminal activity that will capitalize on unsuspecting citizens going about their daily business.
Reference
The Age, Chen, B., Sunday April 5 2013, ‘Keeping Out Smart Phone Snoops’.