The Hidden Security Risks of Social Media

This article was originally published by Pokerfuse. Social media and social networking play an important part of our lives, both personally and in business. Facebook, LinkedIn, and Twitter are names and services that the majority of us use, including those involved in the iGaming and the poker industry. Of course when using these types of sites you have to accept a certain amount of risk as most have had issues related to privacy and in some cases even security breaches.

Issues and vulnerabilities in social networking platforms have been well documented and publicized, but the risks that users of these sites face offline have been largely underreported. While in some instances there is good reason to publically disclose personal information (e.g., marketing) people need to be made aware of the risks involved. This is especially true with professional poker players who are known to have large sums of cash or other valuables.

Individual Mapping

Let’s start with Twitter as it is one of the more interesting sites in my opinion. Geotagging is one of the more popular practices that often leaks user’s information without their knowledge. Wikipedia defines geotagging as:

… the process of adding geographical identification metadata to various media such as a geotagged photograph or video, websites, SMS messages, QR Codes1 or RSS feeds and is a form of geospatial metadata. This data usually consists of latitude and longitude coordinates, though they can also include altitude, bearing, distance, accuracy data, and place names.

There are many devices including digital cameras and mobile phones that perform geotagging. Some have the feature enabled by default and in other cases it has to be enabled by the user. From the brief review I performed it seems like the majority of poker players do not have geotagging enabled on the pictures they upload to Twitter. The most likely reason is that the latest phones have this feature disabled by default. “if somebody was to put together pieces from various sources they can begin to build a profile … it can then be used in social engineering attacks, scams, and potentially even more serious crimes.” However, there are some who either have geotagging enabled on purpose or by mistake.

We will pick on everybody’s favorite poker player tweeter (well at least mine) Jean-Robert Bellande, @BrokeLivingJRB. Jean-Robert likes to use Twitter to promote which celebrities he is hanging out with and where he is currently playing some cards. Now, much of this isn’t sensitive, but there are some cases where information unintentionally leaks out. A number of tools are available that can use this metadata to map out an individual’s location.

Creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. In the figure below we use the tool to query based on Jean-Robert’s twitter handle.

As you can see a lot of information is returned. By selecting one of his posts you can visually see where he was. In this case, he was at the PCA in the Bahamas.

This, along with other tweets about playing poker at the Aria, are not that sensitive. However, let’s look at one he tweeted over the holidays while visiting his family.

While Jean-Robert’s life may be public, I’m sure his family’s home location is not. With applications like this it is easy for malicious users to target a person for criminal purposes.

For example, let’s say you tweet a picture of your chip stack from an underground game. If somebody is targeting you they now have the physical location of where you are—and know how much money you have on you.

Jean-Robert is not the only known poker player to have geotagging enabled. Another example is Sam Trickett, @Samtrickett1.

Below is a screenshot from when he posted while playing in a tournament in Italy.

And this data from Creepy can be imported into a mapping tool like Google Earth for further interrogation:

[Jean-Robert Bellande and Sam Trickett were contacted prior to the publication of this article so they were made aware of the issue and could take appropriate steps. At the request of Bellande, we blurred out lat/long locations and the map of his family home, and helped him remove the information from his twitter account.]

Across Social Networks

Another tool that does something similar is called PushPin. But unlike Creepy, which takes a user’s name as input, PushPin takes a location and then queries multiple sites including Twitter, YouTube and Instagram to pull additional information.

The figure below shows a screenshot of the tool while running using GPS coordinates of a location that many of you are probably familiar with.

The tool maps the data into two different tabs in your browser. The first shows the locations on a map and the second shows the media that was accessed.

By hovering over the pushpin on the map you see who was where, and when:

Reading through all of the tweets from Vegas can make for an interesting time. While most of this information seems innocent, if somebody was to put together pieces from various sources they can begin to build a profile of you. This information can then be used in social engineering attacks, scams, and potentially even more serious crimes.

How to Protect Yourself

It is important to be aware of what information you are sharing on social media, and limit posting information that could be used to harm you. Make sure that geotagging is disabled unless you are using it for a business purpose.

On twitter, there is an option in your account settings to remove the location from all previous tweets:

Always remember that whatever you are posting, you consider it public information. A future article will explore how other sites such as Facebook and LinkedIn can be used for data mining purposes, and how that information can be used in other types of social engineering attacks.