Innocently providing your name at your local coffee shop is just an example of how easy it can be for miscreants to cut through the ‘privacy’ of social media accounts
When Starbucks introduced personalising the coffee shop experience by writing their customer’s names on their coffee cups people felt violated. Why on earth would a coffee chain want to know your name?
Once coffee drinkers came round to the idea that the baristas were demanding their names, then began a wave of uproar across social media for those with names spelt incorrectly. Admittedly, it would increase the queue length if each time you were asked how to spell your name  – “is that with or without an E”. There is a theory that this misspelling is actually on purpose so people will turn to social media with a photo of their branded coffee cup to complain about their barista not knowing how to spell “Bob” or whatever ‘straightforward’ name they possess.
Anyway, once you have given your name to the barista (and any prying ears in the queue), you are giving away something very personal to unknown entities. It might not feel that significant at the time as you wait for your skinny-single-shot-sugar-free-vanilla-latte but giving away anything personally identifiable could ultimately be used against you.
Starbucks don’t ask for ID so should we think of a pseudonym or a code word instead? Here is a real-life example why you should at least think about making up a new name…
Recently, whilst on the train to London, I was sat behind a man accompanied by a laptop and a personalised coffee cup. He opened his laptop and signed in (it was not full disk encrypted I hasten to add, tut tut) and I could see a company logo physically on the laptop and as the desktop background: I couldn’t read every word but I knew the company well enough to recognise it. Now, added to the fact I knew his first name, I could start my open source research on him.
Within moments of searching his company on Google, I found his full name on the firm’s ‘About’ page, complete with head shot and bio. Next, I turned to LinkedIn (using my limited second profile to reduce personal tracks which would tell him I’ve been snooping on his page and to help me bypass the first or second contact information checkpoint) and located his career history. LinkedIn also offered me his personal email, twitter handle and hobbies from his bio once I had connected with him on the site.
Switching to Twitter, I located his contacts, family connections and even children’s names. His wife’s Facebook was open and included lots of photos of their two pets. She seemed very proud of their wedding photos and dates (albeit I didn’t have the year just day and month).
Moving to Strava, a fitness activity sharing app, I was able to put in his name and locate his profile showing me his recent run and cycle routes. The thing about Strava, and other fitness logging apps, is that they show anyone recent routes so when most people start and finish their training at either their home or work address, it tells the world where they live and work!
With his daughter’s name, I moved to Instagram. Although her account was private, it took less than half an hour to befriend her from my fake account (you would be surprised how few background checks teenagers do on accounts wanting to follow them). Wading through the endless selfies and food photos, I was able to find a happy birthday photo to her Dad plus a rather significant happy anniversary message to her folks, which now gave me the year of his wedding too.
To top it off, while I was watching him work, he was noticeably having fingerprint issues with his phone so after each unsuccessful attempt to unlock his screen, he would then revert to typing in a 6-digit code which I could view. This was his first daughter’s date of birth: That would have been my second guess after his wedding anniversary.
At this point, many people are possibly thinking “who cares?” or “what can a hacker really do with my information?” This attitude is what’s getting many people into trouble with their cybersecurity. Whilst banks are reducing how often they refund such instances, the problem will only increase. Hackers can and will make your life a misery using targeted attacks.
Even if you are sitting there thinking that your security is foolproof, what information is given away via your family and how good is their security? If your partner’s email got hacked and you received an email from him or her asking a relatively normal question like “what’s our banking password again, darling?” Would you be tempted to respond or would flashing lights and alarm bells go off?
So how do we overcome this issue? And how long before the banks don’t even chase any of the money that has been unfortunately swindled?
Awareness training has limitations and e-learning rarely benefits a company , so the answer lies fundamentally in shifting culture. Making people aware is one thing but making them better is another. For example, we all know not to reuse passwords , but so many people still take that risk every single day.
People don’t change very easily and when people don’t care about the issue, it makes it harder to persuade them not to fall into potential pitfalls. If I spin the argument around I think the answer could in fact lie with the cybersecurity industry itself: companies who make it compulsory to use a unique password and authenticator app to sign in, would soon give their data and networks a stronger defence.
Inevitably, there will be an immediate outcry from and torrent of angry tweets by inconvenienced customers.  However, if people don’t change by choice, making security mandatory will soon make companies and their customers much safer, without having to worry about splashing our data on our personalised coffee cups.
Don’t you give your precious, private name away to millions of unknown entities with social media? 🤔
I read this a couple weeks ago, and started looking for it with a few Internet searches on Google to find it again in order to share it, problem is, it took me half a dozen searches to find an article that is (i feel) quite important for people to read. It took putting in
– don’t put your name on your starbucks cup – don’t put your name on your startbucks cup security – don’t put your name on your starbucks cup security exploit – don’t put your name on your starbucks cup security exploit linkedin
before the following finally worked:
– don’t put your name on your starbucks cup security exploit linkedin train
please tag the article better for search returns…
It’s normally easier than that. If they are sat next to you on a train ad is typical i The SE of England for commuting, you can get their name and company straight of their email signature from their laptops screens.
The other ‘interesting’ for commuters for Facebook in particular is there friends recommendations based upon location services proximity and duration. I started to get friends recommendations that I didn’t know, yet looked familiar. I soo. Realised they where people getting the same coach of the same commuter each day .. I soon knew quite a bit about my fellow commuters using similar techniques to the above
As for the article the coffee cup angle is a bit of a conceit or tool to hook people into reading the article. Though perhaps slightly dramatic, it does highlight with a bit of time or effort what can be achieved.
I think that it is creepy to hear how easy it was for this guy to see all of this random guy’s stuff and his families too.
This is creepy to hear how easy it was to access all of his accounts and his families accounts.
HI AIDEN I KNOW UR WATCHING
I LOVE TIDDIES
honesty no one gives a fuck
The article’s main point is that the name on the coffee cup was just the start. It’s the piecing together of apparently unimportant individual pieces of information that allows connections to be made and a picture to be built up – it’s what any journalist, police investigator or cyber-criminal needs to do. Of course, the writer could just have sat down in the next seat, made some small talk, introduced himself (with a false name) and no doubt acquired the target’s name and a great deal more in response. You don’t even need to talk, though; you can learn a lot just by studying people – in the words of Sherlock Holmes, “You know my methods, Watson; apply them.”
In this case, the big mistake was surely not the coffee cup but using the laptop in full view of anyone and everyone who walks past. What’s the point of having passwords on your computer or phone if you let people see your screen? I’m amazed how much personal stuff I can read – it’s thrust in my face, in fact – on crowded commuter trains. That’s not even including the loudmouths who tell the whole carriage their business while they’re on the phone – on one occasion about 30 fellow passengers got to hear an HR person conducting a job interview on the train; on another, sensitive financial information concerning two identified companies was leaked all around the 09.40 from Victoria to Brighton. Yet these same people probably keep the same information in locked drawers in files marked ‘Confidential’!
Maybe it’s time to revive some of those wartime posters – Careless talk costs lives, Loose lips might sink ships, Keep it under your hat…
The amount of confidential stuff you can see on people’s laptops on trains is truly frightening. I once sat next to a bloke from the Swiss Embassy into London. I could tell that was where he was from as the report he had opened was marked “internal, Swiss Embassy”. Trains are not for working on!
The flaw in your article is that you act like the act of him giving his name to Starbucks is what enabled you find all this information about him. His flaw was you being able to see his company name on his computer. Once you looked up the company you would have identified him with or without knowing his first name since there was a head shot on the page. All the information you found subsequent to that was a result of finding his full name on his company web site. Should we then use pseudonyms in our profession careers as well?
Barring a person have a very rare first name, there isn’t any harm in giving your real first name at Starbucks. If it’s that big of a deal, make your own damn coffee at home.
I agree with you. To go a step further, you could simply look up any person who works at any company and go down that same rabbit hole. One gains very little by getting his name off of a Starbucks cup. As an example, go look up someone’s name listed on the director or leadership page of any medium-sized company.
us cvv shop best shop cc