Check In, Check Out
[This was originally written for and published on OlyTac.com in 2015]
You’ve got the suitcases loaded into the car, you took advantage of early check-in with the airline, the alarm is armed – you even left the TV and a few lights on. The family is excited for a much-needed vacation. You told your neighbor you’ll be out of town for the next week, and they’ve agreed to keep an eye on your house and feed the cat. Fido tears up the house when he’s lonely, so you’re stopping at your in-laws’ place to drop him off on the way to the airport.
As you pull out of the driveway, everyone else in the car is tapping away at the touchscreen on their phones. The kids are tweeting, “Maui until next Sunday! #springbreak #thatbeachlife #sorrynotsorry” Instagram selfies capture the highlights of the trip, peppered with snaps of the delicious island food. You and your spouse used Facebook, FourSquare, or Yelp to check in and post glowing reviews of the restaurants your friends just have to try someday.
The week flies by. Everyone got to relax and take their mind off the stresses of everyday life. You all arrive home exhausted, ready to sleep in your own beds and tell your friends about the trip. The house looks just like you left it... electronics are all present, furniture and decorations haven’t moved at all... but something isn’t quite right. Soon you notice cash and jewelry are missing from the master bedroom. The bathroom medicine cabinet has been raided for prescriptions. The safe in your closet still has your family’s personal documents locked inside, but some bills and bank statements are missing from the office. Your gun safe is undisturbed, but the pistol you keep in the nightstand is gone.
Your neighbors say they didn’t notice anything unusual, and you didn’t receive any notice from your alarm company.
Breaking Down the Break-in
The career burglar who hit your house has evolved with the times. Let’s call him John; we don’t know his real name because he got away with it like he always does. John is a professional, so he has a good sense of his market cycles. It’s vacation season, and he was watching the top social media sites for posts about families going out of town. Those tweets and Instagram posts were his first taste of blood in the water.
Sure, John had other targets in mind, but your family made it to the top of his list. Once he started digging into past posts and photo uploads, he got a good look at the interior of your home. He knew about many of your possessions, like the fine watch and diamond earrings from your last anniversary. He was also able to make an educated guess about prescriptions based on health-related Facebook posts intended for friends and family. He estimated your wealth by researching the value of your home on Zillow. He even found your posts on a firearm-related forum where you innocently sought advice and uploaded a picture of modifications you made to a rifle you keep in the safe.
How did John figure out the address?
Your kids don’t even use their real names on Twitter and Instagram.
Well, he performed a reverse image search by dragging previously uploaded photos into Google’s Image Search bar. Turns out some of those photos were also posted to Facebook. This gave him real names and a general area to look. It was simple enough for him to figure out your name from there, and he used a people-search website to get an address and phone number history. John is experienced, so he knows this information isn’t always up to date. He plugged your phone number into 411.com to verify. For good measure, he also used a prepaid Visa gift card to purchase a background report on you from one of the many online providers.
Still unsure, he searched online for email addresses attached to your name and connected them to accounts on various websites. Your profile on that firearms forum listed your email address publicly, and he found the photo of your rifle. Since the website didn’t strip the EXIF info (meta-data) when you uploaded the photo, he was able to see the GPS location embedded by your phone or digital camera. Plugging it into Google Maps verified a match with your address. John switched over to Street View and confirmed that the exterior of the house matched small portions he saw in photos of a family BBQ last summer.
Those first tweets told him he had about a week to plan and execute his burglary before you returned. For good measure, he consistently monitored all of your family’s accounts to prevent any unfortunate Goldilocks moments.
Oh, and of course John repeated this entire pattern of research on your closest neighbors to understand their habits, lifestyles, and schedules. A few well-timed passes through the neighborhood helped him get a sense of the environment: traffic, noise level, lighting, and general tempo of activity. He was also able to confirm lines of sight determined from Google Maps Street View. The sticker in your window told him who you use for your home security system.
By looking up every phone number he had for your family, John was able to determine your cell, home phone, and internet service providers. From this information, he had a good idea of how your alarm system was set up. He knew if he cut the phone line in addition to approaching the home with a radio frequency jammer, neither you nor your alarm company would know until it was too late. Just to be safe, he would call your alarm company ahead of time using a Caller ID spoofing service like SpoofTel and use all the information he’d gathered to impersonate you and let them know there would be maintenance on the connection (internet or phone) that day.
John visited your home in a rented white work van in broad daylight, while your neighbors were at work or getting started with their day. He was dressed like an independent cable installer. He calmly disabled your alarm and used a cordless electric lockpicking gun to bypass a locked door. Then, in under three minutes, he searched the bathroom medicine cabinets, office, and master bedroom. He was gone before anyone noticed a thing. Everything he took fit in a toolbox.
For what it’s worth, John figured you have good insurance. It helps him sleep at night.
Clearly, I’ve made assumptions for the sake of demonstration, but I hoped to illustrate how adaptable and tech-savvy many of these burglars are. Security systems are always a step behind the attackers. That’s why the human element of security is either the strongest or weakest point. We understand anyone with enough dedication will get in, but this story isn’t an exaggeration or special case. It combines elements of sophisticated burglaries I uncovered in my research, and these events are happening all over the world right now.
Where did it all begin? Innocent exposure of behaviors, travel plans, and material possessions on social media sites and other online communities. When you consider how the story could have gone, this one actually turns out well for the family. Insurance will cover the financial loss, and it was not a violent home invasion. I chose to leave the worst-case scenario to your imagination because there’s enough here to learn from. If the family in our story had sensitive business or work-related data in the home, they could be targeted for entirely different reasons.
This family would also need to contact the appropriate government and financial institutions to report the theft of those documents from the home office. This will help prevent identity theft, fraudulent wire transfers, or credit fraud.
To prevent this from happening in the first place:
- Be more aware of the information you’re sharing and who has access to it
- Realize that privacy settings often change when social media sites perform updates; consistently check and configure these accordingly
- Understand that photos contain contextual information both in the background of the image itself and in the meta-data of the file
- Call the alarm company before traveling to establish a timeline and protocol for any further contact
- Turn off location features (GPS) on your phones unless needed for navigation; social media apps will ask to turn location sharing on, so pay attention to those popups and decline
- Have us perform an assessment of your security and privacy, which will provide resolutions specific to your needs.
There are many concepts at play here and it can be a lot to digest. I thought the story format would help put everything in context, but please leave us a comment or contact us if you have questions.