Research and reporting on this article were conducted by Labs writers Chris Boyd and David Ruiz.
Dating apps have been mainstream for a long time now, with nearly every possible dating scene covered—casual, long-term, gay, poly, of the Jewish faith, interested only in farmers—whatever you’re looking for. Sadly, wherever you find people trying to go about their business, you’ll also find others quite happy to intrude and cause problems.
Multiple pieces of research regularly highlight potential privacy flaws or security issues with dating apps galore. All this before we even get to the human aspect of the problem—no wonder online dating is exhausting.
Breaking into online dating circles
Dating apps are an unfortunate juicy target for cybercriminals, who will use any vulnerability—from software to psychological—to achieve their goal. Because it’s important to remember: Dating apps store more than just basic personally identifiable information (PII). They include sensitive data and images people might not be comfortable sharing elsewhere, which gives cybercriminals added leverage for blackmail, sextortion, and other forms of online abuse.
To start, the dating apps and sites themselves may not be safe from prying hackers looking to slurp user details. There’s the infamous 2015 compromise of cheating site Ashley Madison, or last year’s badly-timed announcement from dating app Coffee Meets Bagel, who informed users about a data compromise on Valentine’s Day.
How about location-based dating apps, like Tinder? In 2019, location-based dating app Jack’d allowed users to upload private photos and videos, but didn’t secure them on the backend, leaving users’ private images exposed to the public Internet. Now combine that with the ability to pinpoint a user’s exact location or track them on social media, and the end result is rather frightening.
Finally, online dating can wreak havoc in the workplace, too. If your organization supports a bring your own device (BYOD) policy, security vulnerabilities in dating apps could cause additional risk to your own reputation, as well as the company’s networks and infrastructure. (Though to be fair, you could argue “additional risk” is part and parcel of any BYOD policy.) A 2017 study by Kaspersky found that mobile dating apps were susceptible to man-in-the-middle attacks, putting any data or communications with the enterprise conducted via mobile device in danger.
Hints and tips for safe online dating
There are too many dating apps and websites out there to be able to give granular advice on privacy settings and security precautions for each and every one. However, a lot of security advice in this area is about common sense precaution, just as you would while dating in the real world. Many of these tips have been around forever; some require a little cybersecurity education, and a few rely on newer forms of technology to ensure things go smoothly.
Time to go hunting
Deploy some Google-Fu: One of the very first things you should do is a search related to your prospective date. There may well be multiple alarm bell–ringing search results for a troublesome dating site member all under the same username, for example. Or you could stumble upon multiple profiles begging for money on different sites, all using the same profile pic as your supposed date.
Checking photos and profile pics is a good idea in general. Use Google image search, Tineye, and other similar services to see if it’s been swiped from Shutterstock or elsewhere. It’s possible lazy scammers may start using deepfake images, which will be even harder to figure out, unless you read our blog and see some of the ways you can spot a fake.
Stay in on your night out
Don’t go outside the theoretical safety boundary of the app you’re using. This is one of the most common scam signs for any form of online shenanigans. Mysterious free video game platform gifts sent in your general direction? Surprise! You must receive the gift via dubious email link instead of the gaming platform you happen to be using. Making a purchase from a website you just discovered? Suddenly, you need to make a wire transfer instead of paying online—and so on.
Many dating apps restrict how much profile information you can reveal—that’s a good thing. However, that layer of privacy protection won’t work as well as it should if you’re convinced by a scammer to pass along lots of PII through other means. If the person on the other end of the communique is particularly insistent on this, that’s a definite red flag—for malware and for dating.
Hooking up with social media
A well-worn point, but it bears repeating: Sharing dating profiles with social media platforms may well open your data up to further scrutiny, thievery, and general tomfoolery. Your dating profile may be nicely locked down, but that approach again loses value if tied to public profiles containing a plethora of information on you, your friends, and your family. This just isn’t a risk worth taking.
Sharing is not always caring
Keeping your own dating data disconnected from social media platforms is just one step in protecting your sensitive information. Another step is awareness. When using dating apps, you should spend some time looking at their privacy policies and settings, as well as looking up news stories on them online, so that you know where your data is going, who is sending it around, and why.
For example, last month, the Norwegian Consumer Council revealed how the Android apps for Grindr, Tinder, and OkCupid sent sensitive personal information—including sexual preferences and GPS locations—to advertising companies, potentially breaching user trust.
The nonprofit’s report shone light on the digital advertising industry’s efforts to collect user information and channel it through a complex machine to find out who users are, where they live, what they like, who they support in elections, and even who they love. By analyzing 10 popular apps, the report’s researchers found at least 135 third parties that received user information.
Users’ GPS coordinates were shared with third parties by the dating apps Grindr and OkCupid. GPS “position” data was shared with third parties by the dating app Tinder, which also shared users’ expressed interest in gender. OkCupid also sent user information about “sexuality, drug use, political views, and much more,” the report said.
As to who received the information? The answers are less familiar. While Google and Facebook showed up in the report—both receiving Advertiser IDs—the majority of user data recipients were lesser-known companies, including AppLovin, AdColony, BuckSense, MoPub, and Braze.
There’s no cure-all to this type of data sharing, but you should know that privacy advocates in California are on it, having already asked the state’s Attorney General to investigate whether the data-sharing practices violate the California Consumer Privacy Act, which just came into effect at the start of this year.
General OPSEC tips
Operational security, or OPSEC for short, is pretty important as far as online dating is concerned. Some of the basic cybersecurity hygiene steps that we encourage our users to perform in their day-to-day business can help thwart unwanted digital access or steer you clear of physically dangerous situations. Here are a few examples:
Passwords, passwords, passwords
We all know password reuse is bad—across dating sites, apps, or any accounts—but depending on personal circumstances, it may also be bad to recycle usernames. If you don’t want people you’d rather avoid in the future tracking you down on social media, remember to use random names unrelated to your more general online activities.
While we’re on the subject, there are several other best practices for password security that we recommend, such as creating long passphrases that are unrelated to your name, birthday, or pets. If you can’t remember 85,000 different passwords, consider storing them in a password manager and using a single master password to control them all. If that seems like putting too much power in the hands of one password, we recommend using two- or multi-factor authentication.
The point is: Don’t reuse passwords on dating sites. There may be a plethora of intimate messages sent on these platforms, more so than on most other services you use. It makes sense to lock things down as much as possible.
Stranger danger
Meeting a date in person for the first time? Tell other people where you’re going on your date beforehand. It’s a basic, but invaluable safety step—especially if you have no way of vetting your date outside of the dating app constraints. Let your insider know the name/profile name/and anything else relevant to your date that might help them track you later, if necessary.
Also, try to obscure your literal latitude and longitude or home address from a virtual stranger before you get to know and trust them. Dating apps have taken those spammy “hot singles in your area” ads to their logical end point. Hot singles in your area really would be beneficial where dating is concerned, so why shouldn’t apps allow you to search on factors related to distance? However, on the flip side, this does rather tip your hand where revealing your general location is concerned.
So while your date will have some sort of idea as to where you’re based, you’ll want to have your first meeting(s) somewhere other than “the bar at the end of my street.” A little travel goes a long way to blocking some crucial details. Oh, and consider using public transport or your own vehicle to get to and from the date.
Ring, ring
If possible, don’t hand over your main phone number—especially when such a thing may be tied to SMS 2FA, which can lead to social engineering attacks on your mobile provider. If your mobile is your only phone, consider using a disposable phone specifically for dating that isn’t tied to anything important.
If that’s out of the question, you could try one of the many popular online services which provide their own number/voicemail.
Play it safe
After reading all of this, you may think that between potential security vulnerabilities, privacy exposures, and contending with awful scammers that it’s not worth the hassle to bother with online dating. That’s not our intention.
As long as you follow some of the advice listed above and keep in mind that dating apps can be compromised just like any other software, you should have a safe online dating experience. Just remember that anything you communicate online has the potential to drift offline—after all, that’s the whole goal of online dating in the first place.
Good luck, and stay safe out there!
The post Cyber tips for safe online dating: How to avoid privacy gaffs, exploits, and scams appeared first on Malwarebytes Labs.