When the adult “dating site” Ashley Madison was breached in 2015 by a group that dubbed itself “The Impact Team,” it created an embarrassing situation for many users who were suddenly “exposed” in a way they didn’t expect to be. Despite the security breach, the service reportedly still had some 52 million members as of 2017 – while as recently as last year, some users have been threatened by hackers that their personal information was shared.
In the case of the infamous facilitator of extramarital affairs, many of those users likely have good reason to be concerned even if there is no good reason that any of them should have joined the site in the first place.
But what about those who have been threatened for being members even if they didn’t join that or other dating sites? In recent years, many people have reported receiving emails from the dating sites even after never signing up. In fact, this reporter can attest that in recent weeks “Matches” have shown up from Match.com as well as from other dating sites, and when I investigated why, the best answer I received from the site was “perhaps you joined without remembering that you did so.”
Easy to Join
In most cases, it seems people would remember signing up for a dating site, so is it possible this is a new hack? The most obvious answer would be that those emails from various dating sites are just spam, and it would be easy for the various operators to suggest the user forgot.
Another answer is that someone joined in someone else’s name. That begs the question as to whether enough is being done by those sites to actually confirm who is signing up. Most social media sites require authentication via email.
“At issue is what standard of care companies exercise to confirm that a new contact is genuinely a prospective customer,” explained Jim Purtilo, associate professor of computer science at the University of Maryland.
“Most firms have no interest in wasting resources on spoofed requests, and also know their brand loses value by annoying consumers,” Purtilo told ClearanceJobs. “They’ll use reasonable practices to confirm sign ups, for example send an email with unique keys baked into a ‘please confirm’ link; a timely click offers reasonable assurance the interaction with their web form really is connected to a person in control of that email address.”
But not always, he warned.
“The ‘multi’ part of multifactor authentication means people can register at some sites using one of several means of confirming identity,” added Purtilo. “That’s how someone can subscribe as ‘Peter Suciu.’ They can sign up with an email address which reaches the genuine Suciu – who gets confusing notices of activity – but give a bogus phone number from a ‘burner phone’ to authenticate. Now the third party can operate as ‘Suciu’ and use the site’s services to pretext other sites, progressively building up fake credentials. By painting enough digital backdrop, a faked persona is free to credibly operate on social media or even escalate the game by pretexting their way in to access financial services.”
Hard to Track
In addition to that method outlined by Purtilo, there is also the likelihood that many users simply practice bad cybersecurity. And that can be a far bigger issue than suddenly receiving unwanted dating emails.
This problem could also result in users being signed up for far more nefarious sites than a dating site or Ashley Madison. Individuals could “join” extremist or fringe groups without their knowledge. And the reason is because most people don’t regularly change passwords or monitor their accounts closely enough.
“Genuine accounts can be compromised cracked for someone guessing a weak password; this greatly simplifies the theft of identity,” said Purtilo. “Mail systems play a critical role in confirming identity credentials on the net – they are part of the chain of trust – yet many mailers remain woefully out of date with respect to latest standards, making it pretty easy to spoof messages. Add in a bit of traffic analysis, exposed DNS [domain name service] and weak encryption and you have the makings for all manner of cyber mischief.”
Monitor Yourself
Here is where in addition to using hard to crack passwords, and changing those often, individuals may want to partake in some ego surfing/vanity search where one tracks to see what is being said online about them. It can make sure someone isn’t using your name to make comments that you’d never make, or builds up a social media presence that you wouldn’t want.
Obviously, those with common names may deal with this issue more than perhaps someone with a less common name – but you can’t still monitor for accounts that could be mistaken as yours.
“In particular, anyone who functions in a position of trust needs to be alert to small cues that signal ‘all is not right’ – aggressors might not just be interested in a one-time exploit of some bank account, they might be interested in long-term access to that official’s store of secrets,” added Purtilo.
Security Clearance Risk
The question is what you should do if/when you come across activity that appears to be from you but isn’t, or you suddenly start receiving dating (or worse) emails from a site or group.
“As a general matter, receiving an unwanted solicitation that could be perceived as creating blackmail concerns or unwanted or suspicious foreign contacts does not create mandatory reporting requirements, except in limited circumstances,” said attorney Mark Zaid, whose firm handles cases related to security clearance matters.
“Depending on an individual’s level of clearance, as well as the involved subject matter, I could envision situations where self-reporting would nonetheless be appropriate and the more prudent course of action,” Zaid told ClearanceJobs. “This is really a judgment call and should be discussed with the appropriate security officer.”