Is a dating site a security issue if you haven’t actually signed up?

When adult “dating site” Ashley Madison was breached in 2015 by a group calling themselves “The Impact Team”, it created an embarrassing situation for many users who were suddenly “exposed” in a way they never expected. Despite the security breach, the service still had some 52 million members in 2017 – while last year some users received threats from hackers that their personal information was being shared.

In the case of the infamous extramarital affair facilitator, many of those users probably have good reason to be concerned, even if there’s no good reason any of them joined the site in the first place.

But what about those who have been threatened for being a member even though they have not joined this site or other dating sites? In recent years, many people have reported receiving emails from dating sites even though they never signed up. In fact, this reporter can attest that over the past few weeks “matches” have popped up on Match.com as well as other dating sites, and when I looked into why, the best answer I received from the site was “perhaps you joined without remembering that you did.”

Easy to reach

In most cases, it seems that people remember signing up to a dating site, so could this be a new hack? The most obvious answer would be that these emails from various dating sites are just spam, and it would be easy for the various carriers to suggest that the user forgot.

Another answer is that someone joined on behalf of someone else. This begs the question of whether these sites do enough to confirm who is signing up. Most social media sites require email authentication.

“The problem is what standard of care companies apply to confirm that a new contact is genuinely a potential customer,” said Jim Purtilo, associate professor of computer science at the University of Maryland.

“Most companies have no interest in wasting resources on bogus claims, and also know that their brand loses value by annoying consumers,” Purtilo told ClearanceJobs. “They will use reasonable practices to confirm registrations, such as sending an email with unique keys embedded in a ‘please confirm’ link; a timely click provides reasonable assurance that the interaction with their web form is truly related to a person who controls that email address.”

But not always, he warned.

“The ‘multi’ part of multi-factor authentication means that people can register on certain sites using one of several means of identity confirmation,” Purtilo added. “That’s how someone can subscribe as ‘Peter Suciu.’ They can sign up with an email address that reaches the real Suciu – who gets confusing activity notices – but give a fake phone number from a ‘burner phone’ to authenticate. The third party can operate as ‘Suciu’ and use the site’s services to pretext other sites, gradually accumulating false credentials. By painting enough digital backdrop, a fake character is free to operate with credibility on social media or even step up the game by pretending their way into access to financial services.”
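The confirmation-link check Purtilo describes, and the gap he warns about, can be made concrete in a few lines. This is an added sketch, not code from the article or from any site it names; the `Registrations` class, the 15-minute lifetime and the sample addresses are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed lifetime of a "please confirm" link, in seconds


class Registrations:
    """Hypothetical in-memory stand-in for a site's signup store."""

    def __init__(self, clock=time.time):
        self._pending = {}    # sha256(token) -> (account, channel, address, expiry)
        self._confirmed = {}  # account -> set of confirmed (channel, address) pairs
        self._clock = clock

    def issue_token(self, account, channel, address):
        # Unguessable unique key; only its hash is stored, so a leaked
        # store cannot be replayed as valid confirmation links.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        expiry = self._clock() + TOKEN_TTL
        self._pending[digest] = (account, channel, address, expiry)
        return token  # embedded in the e-mail link or sent by SMS

    def confirm(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # single use: gone after one lookup
        if entry is None:
            return False
        account, channel, address, expiry = entry
        if self._clock() > expiry:  # a late click gives no assurance
            return False
        self._confirmed.setdefault(account, set()).add((channel, address))
        return True

    def may_email(self, account, address):
        # Notices go only to an address whose own link was clicked. A confirmed
        # phone number does not vouch for the e-mail address on the same signup.
        return ("email", address) in self._confirmed.get(account, set())
```

Tracking confirmation per channel is the design choice that matters here: a signup verified only through a phone number never causes mail to be sent to the unverified address.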

Difficult to follow

In addition to this method described by Purtilo, it is also likely that many users are simply practicing poor cybersecurity. And that can be a bigger problem than suddenly receiving unwanted dating emails.

This issue could also result in users being signed up for sites that are far more nefarious than a dating site or Ashley Madison. Individuals could “join” extremist or marginal groups without their knowledge. And the reason is that most people don’t change their passwords regularly or monitor their accounts closely enough.

“Genuine accounts can be hacked by someone who guesses a weak password; this greatly simplifies identity theft,” Purtilo said. “Email systems play a critical role in confirming credentials on the net – they are part of the chain of trust – but many senders remain woefully outdated by the latest standards, making it easy to spoof messages. Add some traffic analysis, exposed DNS [domain name service] and weak encryption and you have the ingredients for all sorts of cyber mischief.”

Watch yourself

This is where, in addition to using hard-to-crack passwords and changing them often, individuals may want to engage in an ego surf/vanity search, where one follows what is being said online about them. This can ensure that someone doesn’t use your name to make comments you would never make or create a social media presence you don’t want.

Obviously, those with common names can deal with this problem more than perhaps someone with a less common name – but you still can’t monitor accounts that might be mistaken for yours.

“In particular, anyone in a position of trust should be alert to the little signals that ‘all is not well’ – attackers might not just be interested in a one-time exploit of a bank account, they might be interested in long-term access to this official’s store of secrets,” Purtilo added.

Security clearance risk

The question is what you should do if/when you encounter activity that appears to be from you but isn’t, or you suddenly start getting dating emails (or worse) from a site or group.

“Generally, receiving an unwanted solicitation that could be perceived to create blackmail or unwanted or suspicious stranger contact issues does not generally create mandatory reporting requirements, except in limited circumstances,” said attorney Mark Zaid, whose firm handles security clearance matters.

“Depending on an individual’s clearance level, as well as the subject matter, I could imagine situations where self-reporting would nonetheless be appropriate and the most prudent course of action,” Zaid told ClearanceJobs. “It really is a matter of judgment and should be discussed with the appropriate security officer.”