If you can take a step back in time 10 or 20 years, you might remember these little round objects thrown at your house periodically. They showed up fairly reliably, roughly each day, and brought with them the tidings and news of the outside world. For you youngn’s out there, we called them “Newspapers“. The feature of showing up everyday automatically is great, until you’re not home. At which point in time it becomes more detrimental to your home, because thieves might drive by, notice the pile… and correctly infer your house is vacant. But is suspending your newspaper any better?
It might seem silly to talk about newspapers in 2024 as readership is down so far that it’s below 1940s levels. Hang with me for just a moment, because it relates to a problem from a decade ago… and today. And that’s “vacation holds”.
The more savvy might call it “OpSec” but it’s a simple concept in that you make sure to take actions that limit the amount of “intelligence” an attacker can gather about you. The average person has been wise to the “OpSec” of their home security, while on vacation, for a long time (even if they don’t use the term). The timed switch, or light timers, are a trick 50+ years old. Similarly, rather than letting newspapers pile up out front, people put in “vacation holds” to stop delivery. Unfortunately, this backfired in that it created a list of everyone on vacation in a geographic region. As this NBC News video from 2013 covers, ne’er-do-well simply acquired the newspaper vacation lists and went shopping.
While most of us don’t need to worry about newspaper delivery any more, we do have a new threat to our home OpSec that often flies under the radar: Subscription delivery services.
This came to mind because of a conversation with my wife regarding our Imperfect Foods subscription. We were going to be out of town and she mentioned that she’d just mark us as “on vacation” in the app, so they don’t deliver. I’d never seen the app, but I assumed it was a simple binary “Deliver / Skip” but that was not the case. There is a dozen dropdown options for WHY you don’t want the delivery, as seen in this help article titled “How do I skip an order“.
Right there, they’ve got an option titled “Won’t be home” and thats where alarm bells went off in my, security minded, head. What’s better than a newspaper list of everyone on vacation in a city? A poorly security database somewhere filled with a list of people on vacation across multiple large metropolitan regions. Or maybe it’s not the database security, but once again the human element. Likely (and this is strictly my assumption) a subscribers skip status is not considered “highly secret” by Imperfect, and therefor accessible by random customer service representatives.
Don’t think Imperfect is alone or even unusual. There are a lot of subscription services in modern society (for better or worse, that’s a different question for a much longer and more philosophical blog) and many of them ask these seemingly innocent questions. They aren’t asking because they want to generate a database ripe for thieves, but because they want data! It’s always about the data! Imagine the analytics they can gather about people and trends? Unfortunately, if you answer honestly, it could come at the cost of your house being burglarized.
So next time you’re going away from home for a while and thinking about the OpSec of your house, remember that you don’t need to share that information with the world. There are a lot of good tips out there for simple home vacation security… but I’ll ask this one directly: Please stop posting about your vacation to public social media. Either go private, or post about it after you come back. Nothing else you do matters if you’re going to shout into the Twitter/Instagram/Whatever-ether “Hey Thieves! I’m 5,000 miles from home!”