The Null Device

Business intelligence for burglars

Please Rob Me is a web site which aggregates Foursquare location data shared by Twitter users and presents it as "new opportunities" and announcements of users having "left home", to demonstrate the risks of sharing location data with strangers.

While Please Rob Me is a proof of concept, and not particularly useful to burglars (you'd have to map Twitter IDs to names and addresses, and also work out whether there was anybody else living at the premises), there is speculation that social web sites offer a wealth of information to burglars, from users' locations to party photos set inside homes and showing off stealable goods. Of course, these days, the dominant web site is Facebook, which, by default, hides users' posts from people outside of their friend list; however, a significant proportion of Facebook users will gladly friend people they don't actually know, undermining this common-sense measure. (Intuitively, the risk of being burgled or spammed must seem insubstantial to them next to the promise of meeting hot chicks or getting invited to cool parties.) An even larger proportion use Windows PCs which are susceptible to viruses. There is already malware which spams Facebook with phishing links; malware which harvests useful information about all of a user's contacts (real names/identifying details, addresses, links to other social sites, &c.) and uploads them to a criminal-owned server could be just as plausible.

Of course, this makes little economic sense if one imagines one team of burglars going to all this effort to identify easily reachable places likely to house unattended PlayStations or plasma screens. However, if one follows the advice of Adam Smith and introduces division of labour (a practice seen in other criminal enterprises, such as phishing gangs and Nigerian 419 scam operations), it becomes more plausible.

Imagine, if you will, a criminal business intelligence service, much like the ones serving marketers, only specialising in selling leads on potential targets to burglars. This business would have a server somewhere with lax law enforcement, algorithms for harvesting and unifying information from a range of sources (possibly supplemented by human intelligence) and a site for offering bundles of this information to prospective burglars, searchable by geographic location, likely richness of pickings (determinable from the target's employment information, credit ratings and such) and likelihood of them being out of town. The algorithms would pick through a number of public sites, such as Twitter, Foursquare and others (photo sharing sites could be useful; if someone's address is in New York and they just uploaded a fresh photo geotagged in Gran Canaria, they're probably not home), and use them to pick out the likelihood of a target matching various criteria. (The algorithms could be fairly advanced, but as we have seen from the botnet arms race, there's no shortage of ingeniously talented coders of, shall we say, above-average moral flexibility.)

Of course, the real rich pickings are in walled gardens such as Facebook, where people have a sense of security and post their real names, locations and photos; while this is not public, a criminal site could harvest it by using malware (in which case, it'd get not just the details of the owner of the infected PC, but of all their friends), rogue viral Facebook apps or by hiring humans to set up profiles and, using a specially modified browser, friend random strangers ("MAKE MONEY AT HOME SURFING THE WEB!", the recruitment ads could read). The data would go into the criminals' data centre and would come out the other end as searchable packages offered for sale ("Your search of current vacationers making $50k+ near ___ has yielded 37 results, for $100 each. How many would you like to buy?")

Given precedents both in computer crime (credit-card fraud is a big one, having both black-market web sites and highly specialised economies with divisions of labour) and social software, I would be surprised if nobody tries setting something like this up.

There is 1 comment on "Business intelligence for burglars":

Posted by: Bowie Mon Mar 1 03:34:41 2010

I've always been careful with this, being very careful not to post about holidays until I've come back. But even not posting, when you regularly do post, is an indicator you might be away.

On a similar note, I've always thought the new Victorian "Smart Meters" for electricity could be used to indicate someone isn't home if they could be hacked into. Monitor for a sustained sudden reduction in electricity use.