Back to news

There’s no morning-after pill for using dating sites without encryption

March 20, 2018    |    Cyber Security    |    Lauren Elkins

Swipe right if you’re attracted to cyber threats! In today’s day and age, online dating is the most common way for people to connect with potential love interests — it’s quick and convenient and allows you to easily filter down to who you are most compatible with. But despite how common online dating it is, it is still challenging to find safe dating sites.

Tinder and Grindr

Take Tinder for instance — it touts itself as “the world’s most popular app for meeting people,” so you would probably expect it to encrypt its data. I mean, as you use the app, you’re rejecting people over and over again — and sometimes accepting. That’s sensitive stuff. But what if the stranger sitting at the coffee table on your right is watching your mobile-app dating escapades? All they need to accomplish that is to be on the same public Wifi as you.

Researchers at the security firm CHECKMARX publicized how your Tinder actions can be hacked. “The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or another type of malicious content.” This means a user on the same WiFi network as any Tinder user (iOS or Android) can potentially see every photo the user sees. They can even inject their own images into the Tinderer’s photo stream.

The media company THE HUSTLE did some digging on other dating apps and found problems with another popular player: Grindr. In addition to issues with unencrypted photos, this one also has metaphorical leaks all up and down the plumbing system — in that it allows third parties to “track the app users’ location down to the foot, even if they opt out of location sharing in the user settings.” This is not okay! You may not be giving up credit card information or handing over your social security number, but the company that runs the globally popular app should be accountable for basic privacy practices. These security vulnerabilities are bigger than just a passing annoyance. The CHECKMARX researchers “suggest that lack of protection could enable anything from simple voyeuristic nosiness to blackmail schemes.”

Ashley Madison Data Breach

Speaking of blackmail, do you remember Ashley Madison, the online cheating service with the charming motto, “Life is Short, Have an Affair”? The Ashley Madison data breach was a fiasco: when attackers gained access to the dating site, the users’ passwords, names, credit card data, physical addresses, and even their most secret sexual preferences were released to the world in the form of an easily searchable list. All you had to do was plug in a name or an email, and all that information was right at your fingertips.

Blackmailers took advantage of this in a big way. They started sending out mass blackmail emails, demanding large amounts of money and threatening to notify the members' family and friends about their extramarital affairs. Then the blackmailers took things a step further — and started mailing letters to the physical homes of hacked Ashley Madison users. The blackmailers may have just been bluffing, hedging their bets they would get a payday out of it, but there were a lot of people who couldn’t risk NOT paying out.

Take US military members for instance. Adultery violates UCMJ (Uniform Code of Military Justice) and is a prosecutable offense that could land service members in confinement (military jail) for a year, dishonorable discharge, and forfeiture of all pay and benefits. There were a lot of military members enrolled during the Ashley Madison data breach, and if any of them were blackmailed, they probably paid out to protect their careers and avoid jail time.

It’s easy to pass judgement on situations like this, but remember things aren’t always as simple as they seem. Consider all the people using Ashley Madison for homosexual affairs. The website had users all around the world, and there are more than 50 countries where homosexuality is illegal. In several of those countries, the punishment for homosexuality is death. For homosexual Ashley Madison users in those countries, being exposed wasn’t just a matter of losing their families or reputations — it was literally a matter of life or death.

There are so many reasons why safe dating sites are essential to online dating safety — and the reasons go far beyond just covering up nasty affairs. Breaches in dating websites and apps could open users up to being stalked, blackmailed, and victimized by predators. If you are using the internet to find your perfect match, you need to make sure you are using safe dating sites. But you should never just depend on the website to keep you safe — as we learned from Ashley Madison, things can change in an instant. You need to make sure you are practicing online dating safety and protecting your data.

Steps to Online Dating Safety

This might seem like common sense, but you really need to choose a secure password for dating sites. “12345” or “password” will no longer cut it — you need a mix of uppercase and lowercase letters, numbers, and special characters. And passwords really should be longer than the usual 8 character minimum: 15+ character passwords are much more secure. If you use multiple dating sites, make sure you are using different passwords across all of them. Remember: if someone cracks the password to one of your accounts, they are going to try that password on your other accounts. Having the same password for all your accounts is a lot like using the same physical key to unlock everything: your car, your house, your office, your gym locker. It might seem convenient — until someone else gets their hands on that key.

Oversharing online is a huge problem these days — and it can be devastating when it comes to online dating. When you meet people online, you don’t actually know if they are who they say they are. They could just be the mild-mannered school teacher they claim to be...or they could be a stalker who will try to steal your dirty gym socks. Until you know for sure, be extremely careful with the kind of information you share. Don’t tell strangers on the internet where you live, or that your roommate isn’t around much. Don’t tell them where you work, or when your shift begins or ends. A malicious person can’t get to you if they don’t know how — plus, if your data gets leaked there won’t be as much personal information floating around. Win/win!

Also, make sure you're using an encrypted website. Almost a year ago, we hit the landmark of ENCRYPTING HALF OF THE INTERNET. More likely than not, the pages you visit are coming to you via HTTPS rather than HTTP. This matters, and it’s not just for situations where snoopers can watch you swipe around Tinder. HTTPS also helps block, to an extent, internet service providers and the government from seeing what you’re reading and posting on the web. Whenever you sign up for a dating website, make sure it is a secure and encrypted website that says HTTPS and has the lock symbol.

And finally, be sure to use a reputable VPN, like Private Tunnel, whenever you use public WiFi. VPNs encrypt any data that you transmit and mask your IP address, so creepers spying on peoples’ dating lives won’t be able to spy on yours.

Better Safe Than Sorry