As Marcus Brigstocke has happily explained to all of us in the recent Experian adverts, each one of us is represented online by a “data self” comprised of the sum of our interactions with social media and other internet companies. In reality, your data self is not an exact replica of you. Instead, depending on what data a given company or database holds about you, your data self will appear slightly differently – some data selves may be fully fleshed out, whereas others are just sketches, depending on the data aggregation capabilities of the database or company.
It is important to remember that while each individual piece of data may seem inconsequential and meaningless, particularly at the point when you chose to provide it, companies or others can use these interactions to construct an impression of you, turning the individual points of data into information that can be useful to them. Instead of one replica data self, it is perhaps more accurate to envisage an army of more-or-less accurate data selves, spanning across the internet.
These data impressions can then be exploited and sold for financial gain, both legitimately and illegitimately. Companies such as Google and Facebook, who trade your data on a daily basis, have (generally) gained your consent to do this, even if you did not really read the Terms and Conditions by which you consented. In contrast, hackers and those who profit from our data illegally have no right to access the data, but can equally be considered as data merchants. To profit from your data, hackers can sell the data to others who also wish to use your data illegally or can themselves use the data obtained to impersonate you across multiple platforms in order to gain further information that may be valuable.
As a society, we are still coming to terms with the impact of “Big Data”. However, there is an increasing awareness of the potential value of data, both for individuals and companies. The recent introduction of the General Data Protection Regulation (GDPR) is but one marker of the increasing pressure on governments to crack down on those who wish to profit from your data without consent or any legal right; a pressure that has contributed to some ground-breaking cases for authorities.
Take the example of Grant West, recently jailed after exploiting customers of the website Just Eat, among others. West, who obtained tens of thousands of customer email addresses through various schemes, used those details to compromise accounts across multiple sites, eventually building a database of “data selves”, which he sold on the now-defunct dark net site Alpha Bay. In this case, the police seized in excess of £0.5m in assets obtained from his various scams and have stated that a further cache of cryptocurrency worth around £1.6m (at the time) remains unaccounted for. These figures also do not include the hundreds of thousands of pounds it has cost Just Eat and others. The judge in this case commented that it should be “a wake-up call to customers, companies and the computer industry to the very real threat of cyber-crime.”
As much as this should be taken as a reminder to ensure that you have secured your data with un-guessable passwords and multi-factor authentication, and that you do not click on a link you do not trust, this availability of data and fallibility in some areas of over-sharing can also be an asset to the counter fraud and asset tracing professions. The very information that might be exploited illegally can also lawfully be used to locate those responsible, often by using similar data tracing and aggregation methods to those used by the major data vendors.
For instance, in one case of tracking information around suspected online fraud, we have seen examples of bragging on social media sites about the success of a scam that could be traced to a specific transaction, account and culprit. Eventually the bragging implicated several connected perpetrators, who were interacting with each other on social media. Collecting volunteered information in the public information domain allowed us to form a picture of the individuals behind these transactions, which can in turn be used to search for and identify additional perpetrators, repurposing the fraudsters’ methods and tools to track them down.
Ultimately, it seems safe to say that the current social consensus is that we are content to give away our data for the services that companies offer in return. The value of that data will, however, continue to give rise to attempts by fraudsters and hackers to misappropriate and resell our data selves. As counter-fraud professionals, we need to be equally conscious of the opportunities data provides for tracing and capturing that behaviour.