I Hired Someone to Spy On Me. Here's What They Found
But you don't need to be a government spy to dig up personal details on the average American. Identity thieves can use publicly available services like Google and Facebook -- as well as a few lesser-known tools -- to gather personal information on their intended victims.
I wanted to know just how much information about me is floating around out there. So I hired someone to invade my personal life.
Companies or institutions that want to test their network security often hire security firms to try and hack into their system. These "penetration tests" are intended to gauge how their security would hold up against a real attack.
I asked Deena Coffman of Identity Theft 911 to carry out a penetration test on a much smaller scale: I wanted to see how much personal information she could dig up on me, a process known as "doxxing."
We agreed that she wouldn't attempt to break into any of my accounts, restricting the search to publicly (and legally) available information. We also decided that she would only spend two hours digging -- Coffman explained that since I'm neither rich nor famous, a real identity thief was unlikely to dedicate much more than a couple hours to me before moving on to easier and more lucrative targets.
Here's what she was able to turn up in two hours:
My phone number and past addresses. Like many writers, I've got a personal website, and all websites have to be registered with your name and contact info. Unless you pay extra to hide that information, it will be publicly available through a WHOIS search; Coffman was able to find my cell phone number, personal email address and an old mailing address (which I'd forgotten to keep current).
In an attempt to find my actual address, she used an information aggregator called PeekYou.com. While she didn't find my current address -- I just moved a couple months ago -- she was able to find a surprisingly comprehensive history of past addresses.
Family information. That history of past addresses also allowed her to link me to other residents of those addresses with the same last name, thus allowing her to identify some members of my family. She was also able to nail my date of birth by paying a fee to Intelius, another information aggregator.
Names of friends. I'm careful not to accept Facebook friend requests from people I don't know, and I've also set most of my privacy settings so that friends of friends can't see my data.
Unfortunately, I never changed the default setting that allows the public to see my friend list.
"Facebook lists friends by activity rather than alphabetical order, making it easy to look for posts between the target individual and Facebook friends that may have information exposed," she says. While she wasn't able to find any such posts, the list did give her a sense of who my closest friends were.
She was also able to find an old online dating profile by taking images from social media and running a reverse-image search on Google.
While the dossier they were able to amass on me was scary, it could have been worse. Identity Theft 911's Brian McGinley notes that they made a point of using only legal avenues in their search, a courtesy I wouldn't be shown by a real identity thief.
"The holy trinity is your full name, your date of birth and your Social Security number; the only thing missing here is your Social," he says. "And for thirty-five bucks, I would probably be able to get that from a public data source."
Even without my Social Security number, there are plenty of scams he could run with this data.
One hypothetical scam would be to call me on my cell phone (they've got my number!) and pose as a bank representative who needed to establish some account details. To establish trust, he'd start by reciting some information he already knows, like my date of birth and my mailing address. He'd then read off an incorrect social security number and hope that I'd correct him with the real thing.
That list of my close friends and family could also be used for financial gain. He could, for instance, pose as one of my friends and send me a message claiming that he needed an emergency wire transfer.
Finally, this data could be used to break into my online banking accounts. As we've previously reported, many of these accounts still use "security questions" instead of two-factor authentication to confirm the identity of the user. Many commonly-used security questions (mother's maiden name and high school mascot, to name a couple) could be located using these methods.
What I'll Do Now
Needless to say, I'll be making a few changes after seeing how much information is out there -- hiding the registry information from my portfolio site and reviewing my Facebook settings, for starters. But with so many information aggregators out there, it's unlikely I'd be able to scrub the Internet of all sensitive information.
Going forward, I'll be operating under the assumption that someone already has all of this information. That means discontinuing the use of any security question that could be answered with a bit of research. It also means being extra cautious of any email or phone call seeking sensitive information. And I'll probably sign up for a credit monitoring service, just in case someone manages to scam their way into opening a credit card in my name.
Let's face it--when you see the details of your life compiled in a handy report, it tends to make you a little paranoid.
Matt Brownell is the consumer and retail reporter for DailyFinance. You can reach him at Matt.Brownell@teamaol.com, and follow him on Twitter at @Brownellorama.