Thwart my OSINT Efforts while Binging TV!

There’s been a bit of a social media uproar recently about the data collection practices of people search service FamilyTreeNow. However, it’s certainly not the first, only, or last service to provide potentially uncomfortable private information about people on the internet without their knowledge or consent. Even the most technologically disconnected people are frequently searchable.

In conducting OSINT research on people, services like FamilyTreeNow are often a gold mine, and are one of my first stops when I’m searching out useful facts to pivot into more intimate details about a target. Do you really want any casual stranger to know your home address, phone numbers, email addresses, and the names and ages of your kids? While disappearing from the internet completely can be nigh impossible, spending a little time removing easily accessible data can cause frustration and extra work for a nefarious (or nosy) person investigating you. I speak from experience. So, it’s worth taking some time to do, as we always want to make bad guys and gals’ lives harder.

So, grab a snack and a beverage, queue up a TV show to binge watch, and let’s make some quick and easy wins in helping you disappear from the malfeasant public eye. I’ll only ask you to do five quick tasks per episode. You can do them during the boring parts.

Before we start, I highly recommend setting up a new webmail account to perform these removals. Almost all of the services require an email to opt out, and many require account registration. Since we’re dealing with firms that collect information about people, it’s sensible to avoid using your day to day or work email.

One last thing! It’s important to remember these services are not always accurate. You may have more than one entry for yourself at any of these services. Make sure to check!

Let’s begin!

  • Let’s get the aforementioned FamilyTreeNow out of the way. Their opt-out form is here: https://www.familytreenow.com/optout. They’ll require you to search for yourself through the opt-out page then click a red “opt out this record” at the top of your entry. (You must repeat this process from the start for every profile you wish to remove.)
  • Next, let’s head over to Instant Checkmate. Their Opt Out form is here: https://www.instantcheckmate.com/optout/ and requires you enter a name, birth date, and a contact email address.
  • We’ll head over to PeekYou, next, which requires you search their database first and provide the numeric profile ID in your page(s) URL, as well as an email address. Their opt out page is: http://www.peekyou.com/about/contact/optout/
  • Next up is Spokeo. You’ll once again need to search for yourself, but this time all you need to do is copy the full URL of your page(s). Then, head here: http://www.spokeo.com/opt_out/new, paste that link and enter your email address.
  • Let’s head to BeenVerified’s opt out page at https://www.beenverified.com/f/optout/search. Simply enter your name and location, select your entry or entries, enter your email, and click the verification link that is immediately sent to you.

SNACK, BEVERAGE, NEXT EPISODE BREAK!

  • So, Whitepages has two different types of profiles – free and paid, and they seem to have little to do with one another in terms of removal. For the free side, you’ll have to sign up for their service to remove entries, (which includes email verification). Once logged in, you simply need to paste the link to your entry here: https://secure.whitepages.com/me/suppressions.
  • For Whitepages Premium, you must open a quick support ticket with their help desk. Full details and the Help interface are here: https://premium.whitepages.com/help#about. You will need to copy and paste the link to your premium profile in the ticket (not the free Whitepages entry).
  • Let’s head over to PeopleFinders, http://www.peoplefinders.com/manage/. This one’s super easy; just use the search box to find your profile, and then click the opt-out button.
  • PeopleSmart is also relatively simple. Search for yourself at https://www.peoplesmart.com/optout-go. You will need to enter an email address and click a verification link.
  • USA People Search’s opt out page is here: https://www.usa-people-search.com/manage/ and simply requires clicking your profile and entering a captcha.

SNACK, BEVERAGE, NEXT EPISODE BREAK!

  • Let’s head to Radaris, at https://radaris.com/. Search for yourself. Click “full profile”, then click on the down arrow to see the full menu of options. There is one that states “Control Information”. This will prompt you to register for an account with their service and claim your profile as yourself. Once you have done so, you will have the option to “Remove Information” or take your aggregated profile private, at any time.
  • The last information service we’ll tackle today is Peoplelooker, at https://www.peoplelooker.com/f/optout/search. Once again, a relatively easy opt-out process using a verification email.
  • Finally, let’s do a little social media cleanup!
    • If you have a Facebook account, perform a Privacy Checkup. It won’t take too long. Ensure your posts and likes are as private as possible.
    • If you use Google or YouTube services, perform their Privacy Checkup. Once again, ensure nobody but the right friends and family can see your activity.
    • Head to LinkedIn. On the header menu, select Privacy & Settings, then select the “Privacy” tab. Consider how much sensitive detail you are providing about your workplace, their tools and processes, and yourself. Consider restricting certain data on your profile to only connections and members.

Good work! Enjoy the rest of your snack and your show! Be proud that you’ve done some good work cleaning up your public presence, today.

***

It’s important to note that I’ve left a couple services out of this guide that are referenced in other comprehensive lists, (like this one), due to the complexity and frustration of removing data from their services. Notable examples are Intelius (and their many subsidiaries) and US Search, which unfortunately require a form and photo ID for information removal – the latter by fax or snail mail(!) So, while we won’t tackle these removals while we watch TV and enjoy a nice cold beverage, they are something to consider addressing with a little time and during business hours.

If you are in a sensitive situation and need a clean slate as soon as possible, I do recommend considering a paid data removal service like Abine.


101 Ways I Screwed Up Making a Fake Identity

As most of you know, my professional area of expertise in security is incident response, with an emphasis on system / malware forensics and OSINT. I’m fortunate enough in my position in the security education and con community to sometimes get pulled into other directions of blue teaming and the occasional traditional penetration testing. However, the rarest of those little fun excursions are into the physical pen testing and social engineering realm. In the breaking into buildings and pretending to be a printer tech realm, I’m merely a hobbyist. 🙂

Therefore, it was a bit remarkable that in the course of developing some training, there was a request for me to create some fake online personas that would hold up against moderately security savvy users. I think most of us have created an online alter ego to some extent, but these needed to be pretty comprehensive to stand up to some scrutiny. Just making an email account wasn’t going to cut it.

So Pancakes went on an adventure into Backstop land. And made a lot of amusing mistakes and learned quite a few things on the way. I’ll share some of them here, so the social engineers can have a giggle and offer suggestions in the comments, and the other hobbyists can learn from my mistakes. Yes, there are automated tools that will help you do this if you have to do it in bulk for work, but many of the problems still exist. (Please keep in mind that misrepresenting yourself on these services can cause your account to be suspended or banned, so if you’re doing more than academic security education or research, do cover your legal bases.)

What I messed up

I’m not going to waste everybody’s time talking about how to build an unremarkable and average character in a sea of people or use www.fakenamegenerator.com, nor how we always set up a VM to work in to avoid cookies and other identity leakage (including our own fat fingering). Those have been discussed ad infinitum. Let’s start with what happened after those essentials, because creating a good identity is apparently a lot more involved.

  • It pretty much required a phone number from the get go. I spun up my VMs and created the base sets of email and social media accounts that an average internet user might have, but Twitter was on to me from the start. I wasn’t planning on involving a phone for 2FA at all, but their black box security algorithm tripped in seconds and made me use a phone to enable the first account. So, I’m pretty much terrible. Granted, there are plenty of online services that will give you a phone number, and I could have burners if I felt the need, but it added a layer of complexity. In a good move, it looks like most of social media is now spamming new users to enable 2FA.
  • My super authorial D&D skills at creating dull people in big towns and reposting memes weren’t enough. I had to make friends and meet people to make the profiles pass as real. I knew that was going to be a challenge, but I didn’t expect it to become such a thought problem.
    • Twitter was the easiest once I fleshed out the characters and followed a bunch of accounts they would like, then people following those accounts. Some people just follow back folks who aren’t eggs (I do). I quickly had 40 or 50 followers on the dummy accounts. I’m apparently big in the vegan cooking scene now.
    • LinkedIn wasn’t too bad once somebody clued me into (LION) tags and good old 2000+ connection recruiter accounts. The people who participate in that essentially connect with anybody, regardless of the normal LinkedIn security and privacy rules about knowing people personally. So after making decent profiles, I just had to find a couple people with the tag, then fork out through 2nd degree connections in their vast networks to the correct industries and regions. Of course, I had to do a bit of strategic plagiarizing from other people in my characters’ professions’ skills sections to build believable people, first. (We have yet to see if they got any recruiter messages, but none of them had really lucrative careers.)
    • Facebook was actually the one I struggled with the most, because you really need a starting point in your network to even add other people. I talked to a lot of security folks about my woes there and they made some good suggestions. The first was to play some Facebook browser games for a few minutes (I feel like my time with Candy Crush was worse than the dark web), then go to their community pages and plead “add me”.  Again, people cheating the security / privacy system make it easy to gain a foothold. A couple popular games got me 50-100 friends, and from there by using Facebook’s lovely verbose search system, I could move my network into the regions that my personas “lived in”. For instance, if the character were from Chicago I would search for friends of friends of the connections I had made for people in Chicago, and those people were much more likely to add me because I was a “friend of so and so”. The other effective strategy people gave me was to present myself as an ardent fan of a sports team or political party in article comments. That worked pretty well, but not as fast as the games.
    • Once I had some “friends” on Facebook, moving into specific workplaces and schools wasn’t too hard. Public Facebook Events at those institutions and their associated venues provide lists of lots of people to add who were almost certainly physically present. Again, once I had a few connections in that circle, it became exponentially easier to add more.
    • Pinterest, YouTube, and Meetup were pretty easy – there’s really not a lot of verification of users there, by design. I liked them for this because they’re very public and tie the other social media profiles together nicely. I confess that I did lose my nerve when Meetup group sign up forms asked me detailed questions about my “kids” or my “spouse”, and stuck to ones that weren’t so intrusive, because that just felt creepy (says the woman who looked up a cached copy of your 2004 MySpace page).
  • I don’t normally feel guilty when I’m hacking somebody in a pen testing engagement (it’s for a good cause), but I did feel a little weird and guilty interacting with unwitting strangers on the internet as other people. It definitely took me out of my comfort zone – not only did I have to role play other personalities with wildly different views, but I had to shake my normal security paranoia to do stuff like click “add friend” a lot without hesitation and leak data through privacy settings, strategically.
  • I really had to commit to one character at a time to develop them into a person.
  • Even in a clean VM, there was still apparent tracking to my IP space on LinkedIn! I didn’t bother to use a proxy or a public connection for an educational endeavor, but if I had to flee the mafia or something I would certainly keep that in mind. Internet advertisement tracking is insidious and possibly scarier than any nation state actor.
  • Photos are everywhere yet were strangely really hard to come by. Fake identity creating sites like https://randomuser.me/ provide profile pictures, but anybody half decent at OSINT will immediately reverse image search a suspicious profile’s picture. Their stock art photos have been so abused that searching any one at random provides a trove of suspect business reviews and fake LinkedIn profiles (a blog of its own…). Again, since this was a legal and ethical endeavor, I just used a collection of donated (previously unposted) photos from friends, heavily visually filtered and transformed. Even that required a lot of careful checking for metadata and visual clues that tied them to a location. I’m sure there are more expensive stock art photo sources that are less abused, but I’m not sure how ultimately virginal even their photos are. Maybe I should invest in a good wig and glasses.
  • This was time consuming, and I can see it becoming incredibly time consuming, which is the reason you use tools to automate the wits out of it if you do it regularly as a penetration tester. Facebook and Twitter timestamp content, and comprehensive ways around that are the kind of things social media companies give out hefty bug bounties for. On Twitter, you can retweet a year’s worth of old tweets in temporal sequence, but that will never change your publicly visible account creation date. Similarly on Facebook, you can manually change the date and location of posts, but your account creation date is still pretty easy to see based on other time data and your profile ID number. Ultimately, there seems to be no substitute for good old months and years of the account existing. If somebody has a work around they’d like to share, I’m all ears.

What we can learn about OSINT and defense from this exercise

  1. Not new, but always good to reiterate: people bypassing security and privacy controls for convenience is a really big security issue. People who blatantly bypassed the personal connection requirements on Facebook and LinkedIn made my job a lot easier. If nobody had accepted my fake characters’ invites on social media, I would have been pretty stymied and stuck buying followers or building my own network to be friends with myself.
  2. As an adjunct to #1, be mindful of connections via one of these “wide open” social media accounts (many hundreds of connections, or an indication they don’t screen requests in their profiles).
  3. Reverse image search the photo, all of the time. Maybe on two sites! This should be something you do before dating somebody or making a business deal, just like googling their name. No photos are, as always, a red flag.
  4. Check the age of social media profiles even if they look verbose and well defined. Stealing other peoples’ bios is easy.
  5. Never be connection #1, #2, or #3 to a profile you don’t recognize (you enabler).
  6. Don’t accept connection requests from Robin Sage, (or anybody else who presents themselves as a member of your community with no prior contact).
  7. In fact, don’t accept friend invites from people you don’t know even if they have 52 mutual friends and “go to your school”. I had 52 mutual friends and was bantering with the school mascot about a sportsball team I’ve never heard of, in a few minutes.
  8. Look for some stuff that’s deeper than social media and typical web 2.0 services when you’re investigating a person. My typical OSINTing delves into stuff like public records, phone and address history, and yes, family obituaries. Real people leave more artifacts online over the course of their lives than merely things that require a [Click Here to Sign in with Facebook], and the artifacts I listed are harder to fake quickly.
  9. Forget trust, verify everything.

The $5 Vendor-Free Crash Course: Cyber Threat Intel

Threat intelligence is currently the trendy thing in information security, and as with many new security trends, frequently misunderstood and misused. I want to take the time to discuss some common misunderstandings about what threat intelligence is and isn’t, where it can be beneficial, and where it’s wasting your (and your analysts’) time and money.

To understand cyber threat intelligence as more than a buzzword, we must first understand what intelligence is in a broader sense. Encyclopedia Britannica provides this gem of a summary:

“… Whether tactical or strategic, military intelligence attempts to respond to or satisfy the needs of the operational leader, the person who has to act or react to a given set of circumstances. The process begins when the commander determines what information is needed to act responsibly.”

The purpose of intelligence is to aid in informed decision making. Period. There is no point in doing intelligence for intelligence’s sake.

Cyber threat intelligence is not simply endless feeds of malicious IP addresses and domain names. To truly be useful intelligence, threat Intel should be actionable and contextual. That doesn’t mean attribution of a set of indicators to a specific country or organization; for most companies that is at best futile and at worst dangerous. It simply means gathering data to anticipate, detect, and mitigate threat actor behavior as it may relate to your organization. If threat intelligence is not contextual or is frequently non-actionable in your environment, you’re doing “cyber threat” without much “intelligence” (and it’s probably not providing much benefit).

Threat intelligence should aid you in answering the following six questions:

  1. What types of actors might currently pose a threat to your organization or industry? Remember that for something to pose a threat, it must have capability, opportunity, and intent.
  2. How do those types of actors typically operate?
  3. What are the “crown jewels” prime for theft or abuse in your environment?
  4. What is the risk of your organization being targeted by these threats? Remember that risk is a measure of probability of you being targeted and harm that could be caused if you were.
  5. What are better ways to detect and mitigate these types of threats in a timely and proactive manner?
  6. How can these types of threats be responded to more effectively?

Note that the fifth question is the only one that really involves those big lists of Indicators of Compromise (IoCs). There is much more that goes into intelligence about the threats that face us than simply raw detection of specific file hashes or domains without any context. You can see this in good quality threat intelligence reports – they clearly answer “what” and “how” while also providing strategic and tactical intelligence.

I’m not a fan of the “throw everything at the wall and see what sticks” mentality of using every raw feed of IoCs available. This is incredibly inefficient and difficult to vet and manage. The real intelligence aspect comes in when selecting which feeds of indicators and signatures are applicable to your environment, where to place sensors, and which monitored alerts might merit a faster response. Signatures should be used as opposed to one-off indicators when possible. Indicators and signatures should be vetted and deduplicated. Sensibly planning expiration for indicators that are relatively transient (like compromised sites used in phishing or watering hole attacks) is also pretty important for your sanity and the health of your security appliances.

So, how do you go about these tasks if you can’t staff a full time threat intelligence expert? Firstly, many of the questions about how you might be targeted and what might be targeted in your environment can be answered by your own staff. After your own vulnerability assessments, bring your risk management, loss prevention, and legal experts into the discussion, (as well as your sales and development teams if you develop products or services). Executive buy-in and support is key at this stage. Find out where the money is going to and coming from, and you will have a solid start on your list of crown jewels and potential threats. I also highly recommend speaking to your social media team about your company’s global reputation and any frequent threats or anger directed at them online. Are you disliked by a hacktivist organization? Do you have unscrupulous competitors? This all plays into threat intelligence and security decisions.

Additionally, identify your industry’s ISAC or equivalent, and become a participating member. This allows you the unique opportunity to speak under strict NDA with security staff at your competitors about threats that may impact you both. Be cognizant that this is a two way street; you will likely be expected to participate actively as opposed to just gleaning information from others, so you’ll want to discuss this agreement with your legal counsel and have the support of your senior leadership. It’s usually worth it.

Once you have begun to answer questions about how you might be targeted, and what types of organizations might pose a threat, you can begin to make an educated decision about which specific IoCs might be useful, and where to apply them in your network topology. For instance, most organizations are impacted by mass malware, yet if your environment consists entirely of Mac OS, a Windows ransomware indicator feed is probably not high in your priorities. You might, however, have a legacy Solaris server containing engineering data that could be a big target for theft, and decide to install additional sensors and Solaris signatures accordingly.
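To make the vetting, de-duplication and expiry advice from a few paragraphs back, and the platform-relevance point just made, concrete, here is an added example of a small pre-load step for indicator feeds. It is my illustration, not code from the original article or from any vendor or feed provider. The two feeds, the TTL values per indicator type, the evaluation date and the “Mac and Solaris only” platform list are all constructed for the example; a real deployment would tune every one of them to its own environment.

```python
import re
from datetime import date, timedelta

# Constructed sample feeds (example/documentation names and addresses, not real indicators).
# Columns: type,value,first_seen,platform
FEED_A = """\
domain,Evil-Update[.]example.,2017-01-10,any
url,hxxp://compromised-blog.example/wp-content/x.php,2017-01-05,any
sha256,0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF,2016-11-01,windows
ipv4,203.0.113.7,2017-02-01,any
"""
FEED_B = """\
domain,evil-update.example,2017-01-12,any
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,2016-12-01,windows
sha256,not-a-real-hash,2017-01-01,solaris
ipv4,203.0.113.7,2017-01-30,any
"""

# Days an indicator of each type stays loaded on sensors; None = keep until reviewed by hand.
# Transient things (compromised sites, hijacked IPs) age out fast; file hashes do not.
TTL_DAYS = {"url": 30, "ipv4": 14, "domain": 90, "sha256": None}

# Shape checks so a malformed or mis-typed feed line never reaches a sensor.
SHAPES = {
    "domain": re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$"),
    "url": re.compile(r"^https?://\S+$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "ipv4": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),
}


def refang(value):
    """Undo common defanging so the same indicator from two feeds compares equal."""
    return (value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def normalize(ioc_type, value):
    """Canonical form per type: refanged, and lower-cased / un-dotted where case has no meaning."""
    value = refang(value.strip())
    if ioc_type in ("domain", "sha256"):
        value = value.lower().rstrip(".")
    return value


def parse_feed(text, source):
    """Parse one feed into records; lines that fail the shape check are dropped, not loaded."""
    records = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 4 or parts[0] not in SHAPES:
            continue
        ioc_type, value = parts[0], normalize(parts[0], parts[1])
        if not SHAPES[ioc_type].match(value):
            continue
        records.append({"type": ioc_type, "value": value,
                        "first_seen": date.fromisoformat(parts[2]),
                        "platform": parts[3], "sources": {source}})
    return records


def merge(*feeds):
    """De-duplicate across feeds on (type, value); keep the earliest sighting and every source."""
    merged = {}
    for rec in (r for feed in feeds for r in feed):
        key = (rec["type"], rec["value"])
        if key in merged:
            merged[key]["first_seen"] = min(merged[key]["first_seen"], rec["first_seen"])
            merged[key]["sources"] |= rec["sources"]
        else:
            merged[key] = dict(rec, sources=set(rec["sources"]))
    return list(merged.values())


def apply_policy(records, today, my_platforms):
    """Split records into (kept, dropped): drop aged-out indicators and ones for platforms we lack."""
    kept, dropped = [], []
    for rec in records:
        ttl = TTL_DAYS[rec["type"]]
        expired = ttl is not None and rec["first_seen"] + timedelta(days=ttl) < today
        off_platform = rec["platform"] != "any" and rec["platform"] not in my_platforms
        (dropped if expired or off_platform else kept).append(rec)
    return kept, dropped


def run(today=date(2017, 2, 10), my_platforms=frozenset({"macos", "solaris"})):
    """Whole pipeline on the constructed feeds for an all-Mac-and-Solaris shop."""
    merged = merge(parse_feed(FEED_A, "feedA"), parse_feed(FEED_B, "feedB"))
    return apply_policy(merged, today, my_platforms)
```

With the constructed data, the defanged and mixed-case duplicates collapse to one record each, the malformed hash line is rejected at parse time, the phishing URL and the older IP sighting fall off under their TTLs, and the Windows-only file hash is set aside because no Windows host exists to match it. The sensors end up loaded with two indicators instead of eight feed lines, each carrying the earliest sighting and the list of feeds that reported it.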

There are numerous commercial threat intelligence companies who will sell your organization varying types of cyber threat intelligence data of varying qualities (in the interest of affability, I’ll not be rating them in this article). When selecting between paid and free intelligence sources (and indeed, you should probably be using a combination of both), keep the aforementioned questions in mind. If a vendor’s product will not help answer a few of those questions for you, you may want to look elsewhere. When an alert fires, a vendor who sells “black box” feeds of indicators without context may cause you extra time and money, while conversely a vendor who sells nation state attribution in great detail doesn’t really provide the average company any actionable information.

Publicly available sources of threat intelligence data are almost endless on the internet and can be as creative as your ability to look for them. Emerging Threats provides a fantastic feed of free signatures that include malware and exploits used by advanced actors. AlienVault OTX and CIRCL’s MISP are great efforts to bring together a lot of community intelligence into one place. Potentially useful IoC feeds are available from many organizations like abuse.ch, IOC Bucket, SANS ISC DShield and MalwareDomains.com (I recommend checking out hslatman’s fairly comprehensive list.). As previously noted, don’t discount social media and your average saved Google search as a great source of Intel, as well.

The most important thing to remember about threat intelligence is that the threat landscape is always changing – both on your side, and the attackers’. You are never done with gathering intelligence or making security decisions based on it. You should touch base with everybody involved in your threat intelligence gathering and process on a regular basis, to ensure you are still using actionable data in the correct context.

***

In summary, don’t do threat intelligence for the sake of doing threat intelligence. Give careful consideration to choosing intelligence that can provide contextual and actionable information to your organization’s defense. This is a doable task, possible even for organizations that do not have dedicated threat intelligence staff or budgets, but it will require some regular maintenance and thought.


Many thanks to the seasoned Intel pros who kindly took the time to read and critique this article: @swannysec, @MalwareJake, and @edwardmccabe

I highly recommend reading John Swanson’s work on building a Threat Intel program next, here.

The Top 9 Ways I Found Your ‘Secret’ Dating Profile

  1. You reused a cute username (or email address).

Aliases and usernames have become a big part of our personal online presence, and we often feel tied to them when we register for new sites and services. This can be a great way to build an online identity, but it can also make it trivial to tie our activity on various services together.

Even if your registered username isn’t immediately visible in a dating profile, it’s often visible in the URL of your profile, your profile photo filenames, or during communication with other users.

There are plenty of free and paid services which search and monitor social media and email accounts by username. Pipl is a great example. It will rapidly scan popular sites and services for email addresses, usernames, names, and phone numbers to build a comprehensive profile of a person.

Namechk.com performs a broader sweep of services for usernames only, immediately flagging services where a particular username has been registered. This is an easy way for someone with malicious intent to draw connections between a dating site profile username and your ‘real’ life, even if your profiles are correctly private or hidden.


The very simplest approach, a Google search, will often turn up social media profiles, forum posts, and blog comments tied to a particular username. If you’re concerned about dating site matches finding your online presence, or people online finding your dating profile, just don’t reuse usernames or email addresses!



  2. You reused profile pictures.

A few years ago, image recognition on a large scale was restricted to law enforcement and corporate security. This isn’t true anymore. Free services like Tineye and Google Images will search billions of indexed images on the internet for identical or similar pictures. This isn’t limited to traditional hash or metadata matching – cropping or resizing an image is not a foolproof way to defeat it (as I show in the screenshot below, where Tineye and Google correctly identified my profile selfie which is substantially cropped on social media). The photos are visually similar enough that the search engines’ algorithms can draw a connection.


Ultimately, this means that if you are interested in privacy, you should never reuse a photo or set of photos that you’ve used elsewhere on the internet (at any time) on your dating profile. Choose where to use your glamour shots, wisely!
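As an added illustration that is not part of the original post: reverse image search engines match perceptual fingerprints of a picture, not its exact bytes. The pure-Python difference hash below is a simplified version of that class of algorithm (my own toy implementation, not Tineye’s or Google’s actual code). It shows why a cropped, resized or brightened copy of a picture hashes almost identically to the original, while an unrelated image lands far away. The “images” are synthetic pixel grids constructed in code, not the author’s photos.

```python
import random


def make_image(width, height, fn):
    """Build a grayscale image (rows of 0-255 ints) from a pixel function fn(x, y)."""
    return [[fn(x, y) for x in range(width)] for y in range(height)]


def downscale(img, cols, rows):
    """Area-average the image onto a cols x rows grid: the step that erases size and fine detail."""
    h, w = len(img), len(img[0])
    grid = []
    for r in range(rows):
        y0, y1 = r * h // rows, (r + 1) * h // rows
        cells = []
        for c in range(cols):
            x0, x1 = c * w // cols, (c + 1) * w // cols
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            cells.append(sum(block) / len(block))
        grid.append(cells)
    return grid


def dhash(img, size=8):
    """Difference hash: one bit per cell, set when the right-hand neighbour is brighter."""
    bits = 0
    for row in downscale(img, size + 1, size):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (1 if right > left else 0)
    return bits


def hamming(a, b):
    """Number of differing hash bits; a small distance means 'visually the same picture'."""
    return bin(a ^ b).count("1")


def crop(img, top, left, bottom, right):
    """Cut the given number of pixels off each edge."""
    return [row[left:len(row) - right] for row in img[top:len(img) - bottom]]


def upscale2x(img):
    """Nearest-neighbour 2x enlargement, standing in for a resized, re-saved copy."""
    return [[p for p in row for _ in (0, 1)] for row in img for _ in (0, 1)]


def brighten(img, amount):
    """Crude brightness filter with clipping at white."""
    return [[min(255, p + amount) for p in row] for row in img]


def original():
    """Constructed 64x64 picture: brightness ramps up across the top half, down across the bottom."""
    return make_image(64, 64, lambda x, y: x * 4 if y < 32 else 252 - x * 4)


def unrelated():
    """Constructed 64x64 noise picture with a fixed seed, standing in for a different photo."""
    rng = random.Random(1)
    return make_image(64, 64, lambda x, y: rng.randrange(256))


def compare():
    """Hamming distance from the original's hash to cropped, resized, brightened and unrelated copies."""
    base = dhash(original())
    return {
        "cropped": hamming(base, dhash(crop(original(), 4, 6, 12, 2))),
        "resized": hamming(base, dhash(upscale2x(original()))),
        "brightened": hamming(base, dhash(brighten(original(), 20))),
        "unrelated": hamming(base, dhash(unrelated())),
    }


if __name__ == "__main__":
    for name, distance in compare().items():
        print(f"{name:<11} distance {distance:2d} of 64 bits")
```

The resized and brightened copies hash identically to the original and the asymmetrically cropped one differs in a single row of bits, while the unrelated picture differs in roughly half of them; production systems use more robust fingerprints and index billions of them, which is why a filtered or cropped re-use of a photo you have posted elsewhere is still findable.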



  3. You forgot to check and sanitize your pictures.

Reuse isn’t the only situation in which photos can compromise your privacy. There are two sets of clues that can give away important personal information in your photos. The first are old-fashioned visual clues. Consider: is there a window in your photos, and are there identifiable buildings or landmarks outside of it? Were your photos taken in an apartment building or dorm that can be easily identified in other people’s photos? I highly recommend reading this eye-opening blog on the subject by IOActive. Give some thought to what people can see in your photos’ backgrounds before posting them to your private dating profile.

The second way your photos can betray your privacy is a bit more technical, but still terribly important to recognize. It has to do with hidden information, or ‘metadata’, which is tacked onto most pictures by phones, photo editing software, and digital cameras. You can’t see EXIF metadata without using special tools, but it may contain startling amounts of information about where the photo was taken, by whom, and when. This exists primarily to help out professional photographers and photo storage tools.


I took this pretty photo at Disney World. Let’s look at some of the data hidden inside of it:

Create Date  : 2016:02:20 20:01:04
Make         : Samsung
Orientation  : Horizontal (normal)
Flash        : No Flash
Focal Length : 4.3 mm
GPS Position : 28 deg 21′ 27.100″ N, 81 deg 33′ 29.71″ W

Even with location geotagging disabled in your camera settings, metadata still provides a tremendous amount of detail about you and your devices, and can even uniquely identify photos taken with your camera. (The use of photo editing tools also becomes blatantly obvious, which can be a cause for some embarrassment.) Ensure you remove identifying metadata from photos before posting them onto your dating profile.
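A practical pre-upload check, as an added example that is not from the original post: the script below parses the Exif APP1 segment of a JPEG to report the camera make and GPS position, and strips every metadata segment (Exif, XMP, IPTC, comments) while leaving the image data untouched. It is my own minimal parser, not any photo tool’s code, and handles only the tags shown; the sample file is hand-built in code from the values quoted above so it runs offline, and contains no real pixels.

```python
import struct

SOS, APP1 = 0xDA, 0xE1                      # start of scan, Exif application segment
TAG_MAKE, TAG_GPS_IFD = 0x010F, 0x8825      # IFD0 tags: camera make, pointer to GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def split_jpeg(data):
    """Return ([(marker, payload), ...], scan_tail); the tail starts at SOS and runs to end of file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    segments, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == SOS:                       # entropy-coded image data follows, no length fields
            break
        length = struct.unpack_from(">H", data, pos + 2)[0]
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, data[pos:]


def strip_metadata(data):
    """Drop APP1-APP15 (Exif, XMP, IPTC...) and COM segments; keep everything the decoder needs."""
    segments, tail = split_jpeg(data)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        if 0xE1 <= marker <= 0xEF or marker == 0xFE:
            continue
        out += b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + tail)


def _read_ifd(t, e, off):
    """Map tag -> (type, count, value_or_offset, position_of_inline_value) for one IFD."""
    n = struct.unpack_from(e + "H", t, off)[0]
    ifd = {}
    for i in range(n):
        entry = off + 2 + 12 * i
        tag, typ, cnt, val = struct.unpack_from(e + "HHII", t, entry)
        ifd[tag] = (typ, cnt, val, entry + 8)
    return ifd


def _ascii(t, entry):
    _typ, cnt, val, inline = entry
    start = inline if cnt <= 4 else val         # values of 4 bytes or fewer live inside the entry
    return t[start:start + cnt].rstrip(b"\0").decode("ascii")


def _dms_to_decimal(t, e, entry, ref):
    """Three RATIONALs (degrees, minutes, seconds) -> signed decimal degrees."""
    nums = struct.unpack_from(e + "6I", t, entry[2])
    deg, mn, sec = (nums[i] / nums[i + 1] for i in (0, 2, 4))
    value = deg + mn / 60 + sec / 3600
    return -value if ref in ("S", "W") else value


def exif_gps(data):
    """Return {'make', 'lat', 'lon'} from the Exif APP1 block, or None if the file has none."""
    for marker, payload in split_jpeg(data)[0]:
        if marker != APP1 or not payload.startswith(b"Exif\0\0"):
            continue
        t = payload[6:]                                     # embedded TIFF structure
        e = {b"II": "<", b"MM": ">"}[t[:2]]                 # byte-order flag
        ifd0 = _read_ifd(t, e, struct.unpack_from(e + "I", t, 4)[0])
        info = {"make": _ascii(t, ifd0[TAG_MAKE]) if TAG_MAKE in ifd0 else None,
                "lat": None, "lon": None}
        if TAG_GPS_IFD in ifd0:
            gps = _read_ifd(t, e, ifd0[TAG_GPS_IFD][2])
            if GPS_LAT in gps and GPS_LON in gps:
                info["lat"] = _dms_to_decimal(t, e, gps[GPS_LAT], _ascii(t, gps[GPS_LAT_REF]))
                info["lon"] = _dms_to_decimal(t, e, gps[GPS_LON], _ascii(t, gps[GPS_LON_REF]))
        return info
    return None


def build_sample_jpeg():
    """Constructed test file: SOI, one big-endian Exif APP1 (Make + the GPS position quoted above), empty SOS, EOI."""
    make = b"Samsung\0"
    lat = struct.pack(">6I", 28, 1, 21, 1, 27100, 1000)    # 28 deg 21' 27.100"
    lon = struct.pack(">6I", 81, 1, 33, 1, 2971, 100)      # 81 deg 33' 29.71"
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 2 * 12 + 4                     # IFD0 holds 2 entries
    data_off = gps_off + 2 + 4 * 12 + 4                     # GPS IFD holds 4 entries
    make_off, lat_off = data_off, data_off + len(make)
    lon_off = lat_off + len(lat)
    tiff = b"MM" + struct.pack(">HI", 42, ifd0_off)
    tiff += struct.pack(">H", 2)
    tiff += struct.pack(">HHII", TAG_MAKE, 2, len(make), make_off)
    tiff += struct.pack(">HHII", TAG_GPS_IFD, 4, 1, gps_off) + struct.pack(">I", 0)
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + b"N\0\0\0"
    tiff += struct.pack(">HHII", GPS_LAT, 5, 3, lat_off)
    tiff += struct.pack(">HHI", GPS_LON_REF, 2, 2) + b"W\0\0\0"
    tiff += struct.pack(">HHII", GPS_LON, 5, 3, lon_off) + struct.pack(">I", 0)
    tiff += make + lat + lon
    app1 = b"Exif\0\0" + tiff
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02" + b"\x00\x11\x22" + b"\xff\xd9")
```

Run `exif_gps(build_sample_jpeg())` to see the make and the decimal coordinates recovered from the sample, then `exif_gps(strip_metadata(build_sample_jpeg()))` returns None because the APP1 segment is gone. On a real file, run the check on a copy and keep only the stripped copy for uploading; note that a photo editor may re-insert its own metadata when you save, so check the final file, not an intermediate one.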



  4. You forgot that the internet is forever.

If I were forced to pick only one error which causes dating site members the most personal embarrassment over the long term, it’s forgetting this. A single mistake made months earlier can haunt you. Let’s imagine that before reading this article you uploaded your professional headshot to your dating site profile. You realized a few days later that it was too much of a privacy give-away, and made the wise choice to switch to a new photo. You might not be out of the woods.

Search engines and archive sites are continually indexing as much content as they can from the internet. These sites retain cached copies of images and pages long after they are changed or erased at the original source.

Somebody with malicious intent may use this to their advantage when trying to correlate your dating profile to other web content. He or she will very likely check search engine caches for old pictures or bios that are easier to identify or contain embarrassing details. If that professional headshot is still in a cache associated with your dating profile, he or she can use Tineye to match it to your corporate bio that shares the same photograph. If you’ve changed your username, he or she may be able to find the previous version.

Unfortunately, this isn’t an easy thing to fix after the damage is done. The bottom line is: assume that anything posted to the internet is perpetual, and usually cannot be removed (even through legal action). If you post data which compromises your privacy or reputation to your profile, remove it immediately and consider starting fresh with an entirely new profile. If needed, pursue sites and search engines to remove what they can and will, and disassociate your online identity as much as possible from the content.



  5. Minor details tell a larger story about you.

This is open source intelligence 101. The individual facts and conversations you post on dating sites might not give away your identity, but as a collective whole, they may. Give some consideration to how much information you’re giving other users over time and as a whole. Did you post that you live in Milwaukee, tell a user that you live in an apartment with a pool, and tell another that you live next to an airport? These pieces of information put together say a lot more about your location than they do individually.


Pay attention to details. How much information have you posted on your profile over time as you’ve updated it? How much information are you providing in private conversations with other users?



  6. Your social media profiles aren’t private enough.

The number one open source intelligence source that people with evil intent will try to use against you, or to identify you, is your social media profiles. You make a malicious person’s life significantly more difficult by simply locking down your social media profiles so that nobody except people you know personally can view them, or so that the data that is publicly visible is not enough to provide the attacker an advantage.



  7. You joined your social media profile to your dating site account.

We’ve previously discussed the privacy risk posed by sharing photos, usernames, and email addresses between your private dating profile and the rest of your online presence. Linking your social media accounts may be a simple and timesaving way to create an account on many dating sites and apps, but these sites frequently import most of the data we’ve discussed above directly into your dating profile and account. Given all the points we’ve discussed previously, this is obviously not a wise choice.

I highly recommend using an entirely new and separate email account to sign up for a private dating profile. If the site in question absolutely requires linking a social media account, start a new one without unnecessary personal details.



  8. You forgot that social engineering (and catfishing) happen, and can happen to you.

No matter who you are, which gender you are, what you do for a living, or how much money you make, you can be a target for fraud or social engineering. Somebody who wants to manipulate or identify you on a dating site may attempt to gain your trust before drawing you into a trap. If something doesn’t feel right, it probably isn’t. If something seems too good to be true, it probably is. Be very cognizant of members leading you into revealing unusual personal details, compromising photos, or financial information. Dating sites are fair game to cyber-criminals.



  9. You weren’t aware that you were accepting risk.

Dating online, like the rest of our lives, carries some inherent risk. The level of risk associated with joining a dating site and interacting with others on that site varies by each individual’s situation. For example, this risk may be to your reputation if your profile (or behavior with other users) were publicized, or to your personal safety if your location or identity were compromised.

Online dating is a great option for many people and many healthy relationships exist today because of it. You must simply consider what level of risk you’re willing to accept before doing it. Even if you are meticulous in protecting your online presence, there will always be circumstances outside your control. What would the consequences be if the site were breached, and your identity and interactions were posted online or sent to your employer or family? If somebody successfully identified you, how easy would it be to find your street address or place of business? Like any other activity that carries some significant risk, you must consider these types of questions and make your own informed decision.