Please Rob Me: Facebook and Locations

by cjeter on August 19, 2010

As far as the criminal mind goes, this level of information is yet another commodity to be traded within the criminal marketplace. After my last post detailing which criminal classes are concerned with which privacy bits people often post on Facebook, I believe that there are so many things wrong with this scenario as far as privacy is concerned that it should simply be assigned the title of Soup Sandwich.

The new service, called Places, allows Facebook users to tap the location-sensing capabilities of their mobile phones to “check in” to a business or address and then instantly share it with their Facebook connections. The optional service will also allow users to find other people who have also recently logged their presence physically nearby.

In this case it may interest domestic criminals rather than offshore cybercriminals, truly crossing from the cyber threat to the physical threat. As former US Attorney Karen Hewitt is quoted – “Everyone on the Internet may not be a bad guy, but all bad guys are on the Internet.”

As far as the Soup Sandwich metaphor:

The term expresses a state of extreme uselessness, which can be understood by considering the functionality and worth of soup between two slices of bread.

My assessment is that this is going to begin to bring violence aspects to a whole new level. Globally. The traditional black market for business account access will probably lead to cybercriminals being ripped off by window shopping gang bangers who simply use the who/what account data to plan their home invasions.

Seven Steps to Home Invasion

One example: a stateside gang decides to start targeting home invasions. Effectively this is a four person operation which just about any sixteen to thirty year old street gang / biker gang member could complete.

  1. Picking the target. Instead of merely robbing on a consumer level, they first scout their targets through the online compromised list of business bank accounts. The beautiful part of this is that the cybercriminals get ripped off – the street thugs are merely engaging in dialogue and window shopping the available accounts. They don’t pay the market value of 3.5% of a compromised account, they just look at the list of companies who have that amount in their accounts and choose the best target.
  2. Risk assessment: business network. Let’s face it: just about all of us in the business world have a LinkedIn profile which shows our position in a company. That business networking tool is the most prevalent social network available behind the firewall, and the equivalent of the 1980s Japanese sushi bar – it’s where our real networking is done.
  3. Choosing the best victim: personal network. With the new Facebook plugin for location-based data the thugs can chart the patterns we all have in our lives and figure where best to do the takedown. Next the gang does traditional Facebook exploits or gains access to the social network of the comptroller's / CFO's family.
  4. Taking action. Deciding to make their move, the criminals then complete the cyber to physical transition by doing a home invasion, weapons at the ready, and coerce the terrified money manager into simply transferring all of the funds online.
  5. We already know everything. The criminals know how much money is in these accounts simply through the compromised credential purchase online. Being confronted with a balance sheet number which is known to be true will likely rattle the average accountant into compliance.
  6. Mop-up / cleaning. The final choice for the street thugs then becomes whether or not to leave witnesses.
  7. Final Results: Losses hundreds of times higher than the national home invasion robbery has previously been. No clearly defined link to the victims except through the Internet. Requires a higher than traditional technical acuity for Law Enforcement but may or may not include homicide level priority.

I don’t know whether this is considered big picture or not, but the only up side may be that when financial crime is committed stateside the funds generally are spent stateside.

The only mitigation I can suggest is to equip decision makers with the knowledge of location based services and ask key staffers not to participate. With half a billion users on Facebook, this is a global crime problem which will gain momentum unless corporate users at risk are educated to not use location based services through their social media.


glee music December 16, 2010 at 7:34 am

Fantastic stuff from you, man. I've read your stuff before and you're just too awesome. I enjoy what you've got here, like what you're saying as well as the way you say it. You make it entertaining and you nonetheless manage to keep it smart. I can't wait to read much more from you. This is really a great blog.
