Tinder hacking: Part 3 – Icing on the case and Conclusion

This is the third part of the Tinder hacking experiment; see parts 1 and 2 here and here.

One week was the target per person. Here is a summary of the other observations, followed by closing remarks.

Key points:

  • Been chatting for a week? Time to make a call: meet them to see if they are real, or dump them.

Side note: from a socially accepted point of view, if you have been talking online continuously for more than a week, the person is probably open to the idea of meeting up. Give them the number of your burn phone and meet them.

Above and beyond the call of duty

Interestingly enough, there have been instances where people disclosed far too much information, and as a result the interaction came to a premature halt. Really, people, please don’t do this.
I have seen security badges, graduation certificates with people’s full names; one person actually told me exactly where they worked!

Mixing and matching, a recipe for disaster

There have been instances where people offered their Instagram accounts so I could see more photos of them. Two problems here:

  1. Too much information… have you verified who I am?
  2. Some people’s Instagram account name is in fact their full name, so you no longer have the protection of anonymity!

Phone numbers are no better, unless it’s a burn phone that is not tied to anything but Tinder, dating, etc.

The importance of asking questions

If you suspect something is off, ask questions and apply pressure. Better to find out the truth now rather than after you meet. The enemy will crack and give in; disaster averted.

There have been a few instances where people were shy. Don’t be.

Closing

One week was the termination point for each target, and most of the exercise was completed in a month.

In summary:

Martin Gladwell suggests that to become a master you must spend 10000 hours on a particular task. After this experience, I’m ready to lay off SocEng for a while and stick to meeting people one on one in real life.

Here are a few pointers:

  • Top tip: if you are concerned about your personal security, get a ‘burn’ phone/email address. SIM cards and phones are cheap and email accounts are even cheaper; give these out to strangers or people you’ve just met for the first time.
  • Review your photos before you put them online. Ask yourself: can they identify me in any way (name, home, work, etc.)? If they can, choose another photo (also, as Tinder is tied to Facebook, those photos shouldn’t be on Facebook either).
  • Please don’t mix social media sites. If anyone wants to know more about you, let them get your permission first.
  • Never ever move off the site where you first met. *Usually* online dating sites are quite good at sanitising your information. By moving communications off the site, you will be disclosing information which may help the attacker.
  • Spending lots of time online without meeting the person face to face is never a good idea (unless you’re trained for it). Always keep it short and try to meet up as soon as possible (this way you can use your sixth sense to see if they are the real deal).
  • Always be asking questions; be the annoying kid at school. If they are there with an ulterior motive, they will get uncomfortable and bail.

OpSec notes:
As time went on, it was difficult for me to juggle multiple conversations and maintain good OpSec.

The cracks are:

  • The target wanted me to reveal myself. Not a surprise; how long can one sustain this for?
  • The target became suspicious about me or my motives. The fact that I was not requesting anything or pushing for anything raised alarm bells: what was I doing on Tinder in the first place?
  • After revealing all at the end, the respondents said they did not feel threatened in any way, which was good.