It is difficult to stay out of the access zone in our digital time. A hermit can have an emergency phone number, and a dog, although not every one, has an Instagram account.
The penetration of social networks and means of communication into our lives could be extremely positive if it did not lead to a lot of sad consequences. From calls from fake Sberbank employees with a request to dictate a password from SMS, and to collectors suddenly demanding to repay a loan issued on your passport.
In recent years, there has been a trend towards privacy and protection of user information: GDPR, CCPA, LGBD. The companies were obliged to take care of the safety of personal data and to prevent their leaks. But did they start collecting less information about us? Absolutely not. For them, our data is a source of profit.
But the tightening of legal norms for companies is not enough. You probably left a lot of "bread crumbs", because it's not the first year on the Internet. Old accounts, ads, public correspondence, photos. Following these traces, you can come close to you and use it for any purpose.
Interesting fact: in 2017, a journalist found the anonymous accounts of the FBI director in just a couple of hours. It was enough to get a tip about his existence, information about his son and about his thesis in theology.
A huge array of data about people, which can be easily collected by improvised means, has led to the popularity of OSINT, a methodology for collecting data from open sources. Often, this term now means means of spying on people, although initially it is an intelligence methodology. Any means can be used for both good and bad purposes — this should not be forgotten.
Therefore, it is important to have Counter-OSINT tools to protect your data and ensure privacy.
Let's analyze simple but effective steps that will make it very difficult for an outside observer to collect information about you. With specific points and actions.
The guide will be useful to a wide range of interested people — not only those who have heard something about OSINT, but also friends, acquaintances, parents. An investment of half an hour for thoughtful reading and conscious actions will bring peace of mind and protection from fraud, surveillance, harassment, blackmail.
At the same time, we will not neglect convenience. Many managers concentrate on protecting themselves to the maximum (even if it is not justified). We will proceed from the need to maintain a balance between privacy and convenience, in which the use of the Internet will not be complicated.
Let me remind you that OSINT is the collection of information from open sources. But, unfortunately, such sensitive data as databases of phone numbers, passport data and so on often get into the Network.
Moreover, in the Russian Federation, through "background check", you can get detailed information about the owner of a phone number, car, apartment from official state registers and databases. Unfortunately, many people are willing to provide access to what should be carefully protected for money.
We will take this into account: it is impossible to ensure complete anonymity and remove yourself from all registries, but it is possible to complicate the search process so much that an attacker will not be able to cling to the information.
Thus, the purpose of the guide is to teach how to protect publicly available information and complicate the process of finding other information about you.
To understand which data is more important and what should be protected more, it is necessary to know modern realities adjusted for Runet. We will analyze this further, and to try to be objective, we use OPSEC.
The term OPSEC, like OSINT, came from American intelligence. It means the process of analyzing and protecting critical information.
To begin with, let's list all the primary data that somehow reveal our identity, but exist physically outside the Internet.
- Last name, first name, patronymic
- Date of birth
- Passport data (series, number, etc.)
- Physical address
- Personal documents (driver's license, etc.)
- Biometric data
- Other personal and identifying information
There is not much such data. But, having at least a part, you can pretend to be you and deceive third parties. For example, send a message to friends asking them to urgently transfer money due to a difficult situation.
At the same time, scammers will not necessarily be interested specifically in your identity. For example, they can buy a database and hundreds of "fresh" passports to link passport data to QIWI e-wallets to increase the limits on money withdrawal.
Any personal data may be used. For example, restoring access to social media accounts often requires answering a security question. Thus, knowing your mother's maiden name or your favorite musician increases the chances of hacking you.
Interesting fact: a high-profile case occurred in 2012 capture 4 accounts of a person at once with knowledge of only the address, name and email. An elegant chain of restoring access — first using known data, then linking fake ones — allowed you to first get access to Amazon, GMail, Apple, Twitter, and then remotely erase data from a person's devices.
Perhaps you were confused by the item "biometric data", but, alas, their use has long entered our lives. Face search tools have long been common, which use the same technologies as for unlocking a personal phone through the front camera, as well as extensive databases from social networks. When you post your photo online, you leave an opportunity to find yourself.
In accordance with the OPSEC process, we will analyze who may be interested in such actions and how they can use information about us. Let's look at the popular cases of using primary data in the diagram below and try to draw conclusions.
What can be done with our data? Surely you have noticed that most of the items are related to receiving money. I think the financial motivation of scammers does not require an explanation. The only thing to note is that money can be stolen not only from you, but also from other persons. In this case, participation in the criminal process becomes critical for us, where both the witness and the accused can be involved.
The benefits of collecting complete information about you, including access to correspondence, are less defined. This can be both domestic harassment, and espionage, blackmail, and so on. It is only clear that in most cases it is causing personal harm and invasion of privacy.
These threats are understandable and understandable, and in many cases regulated by law. It makes no sense to list articles related to financial losses, there are so many of them; and the collection of personal data is 137 of the Criminal Code of the Russian Federation. However, let's face it: it takes a serious reason to go and force the initiation of a case on your own, and participation in such processes is stressful. Therefore, let's return to the position already voiced above: our goal is to protect our data and avoid threats.
Obviously, knowledge of the primary data is not enough to conduct fraudulent schemes. These methods are based on social engineering and involve remote interaction through a call or messages. That is, we implicitly mean that our detractors already know our secondary data, virtual identifiers — phone number, email, social network account address. Thus, getting information about this data carries no less threat.
Each of the data types will be described in more detail later. In the meantime, let's leave our attention on the fact that the more data falls into the wrong hands, the more serious the outcome may be. Hence the conclusion — the amount of data about you must be controlled, do not scatter them where it should not be and monitor their use.
Let's talk about digital hygiene.