Ghosts in Google Maps a risk to banks and national security, 'internet police' claim
Published Wednesday, April 25, 2018 7:33AM EDT
Sydney Eatz poses with a camera-equipped helmet in front of a Richmond Hill, Ont. Scotiabank branch. (Sydney Eatz)
On Google Maps, Inna Bogdanov is standing in front of a plaza in Richmond Hill, Ont., a few steps away from a Scotiabank branch. Click on the pin marking her apparent position, and you get a website that belongs to the bank.
“Hello, Inna speaking,” said a woman who answered a call to the listed phone number and confirmed her identity to CTVNews.ca. “I’m a mortgage broker. I used to be a mortgage specialist with Scotiabank.”
According to Richard Trus and Sydney Eatz, “internet police” who investigate questionable content on Google Maps, Bogdanov is “ghosting.” It’s essentially gaming Google Maps to deceive users who rely on the widely-used platform to find the businesses they are looking for.
Google Maps collects data about all manner of places people go, asking users to participate in voluntary questionnaires to learn about things like parking, wheelchair accessibility, ambiance, and hours. Contributors get points when they add reliable photos, reviews and other information.
Trus explains these points are like a currency denoting the level of trust users have with Google. The more trust they accrue, the more they can add and edit on the map.
“Ghosters” build trust and add pins near legitimate businesses that appear similar to the actual business listing, hoping that misdirected consumers will contact them thinking they are speaking to their bank, for example.
“The ‘ghost’ could be an employee of the business, business competitors, hackers and paid consultants onshore and abroad,” Trus told CTVNews.ca in an interview.
Bogdanov’s seemingly random pin near the Scotiabank branch raised alarm bells for Trus and Eatz.
“If you aren’t paying attention and you searched for Scotiabank, and then you click call, it will call her phone,’” Eatz said.
According to Trus, Bogdanov pretended to be a Scotiabank employee on four separate occasions beginning two months ago.
In a second phone conversation with CTVNews.ca, Bogdanov denied placing the pin listing her phone number, or having any knowledge of its existence.
The difference between actual business information and deceptive map points can be hard to spot if you are using a smartphone, or not fully zoomed in. Trus is convinced many users won’t notice these pins before placing a call, and potentially disclosing personal information to an unknown third party.
“It used to be people would call you with scams. Now you are actually calling them thinking you are calling your bank,” he said.
Scotiabank spokesperson Rick Roth said client security is a top priority.
“We encourage our customers if they have or experience any suspicious activity to contact the bank (and) if there is anything nefarious about their suspicions to obviously escalate that to the proper authorities,” Roth said. “We would obviously work with any third party hosts to ensure that our customers wouldn't be deceived.”
Over the past two years, Trus and Eatz estimate they added a combined 11,000 businesses to Google Maps, becoming level 10 guides in the process. It's a top rank they say just 200 out of 50 million users achieved.
“If you have enough trust, you can do things on Google Maps that are evil,” Trus said.
For example, they claim they could add their personal cellphone numbers to the Google Maps listing for Prime Minister Justin Trudeau’s office.
“That’s where it becomes a national security issue,” Trus said, noting that he could easily add his number to the listing for the RCMP or Revenue Canada too.
Eatz and Trus explain that Trudeau’s office does not have tighter security controls on Google Maps than say, a Tim Hortons coffee shop.
Trus also worries about how inaccurate information on Google Maps could be used against first responders in the event of a terror attack.
“Take for example the shootings that happened at the YouTube headquarters,” he said. “The police come. They dial the number that they think is the YouTube headquarters, and it goes to a terrorist organization who says, ‘Go to this corner. The shooter is over there.’ Then there is an ambush.”
Google pointed to its “manual and automated system” for detecting fraud and spam, without offering specific details, in a statement to CTVNews.ca.
“We take allegations of fraud very seriously,” company spokesperson Alexandra Hunnings Klein wrote. “When an issue like this one is reported to us, we investigate the claims. Upon completion of the investigation, we take actions in line with our findings.”
Eatz recently presented her concerns to a House of Commons committee undertaking a two-week review of the misuse of Facebook data, following reports that research firm Cambridge Analytica obtained the personal data of millions of users, including more than 600,000 Canadians.
“This is bigger than the Facebook breach,” said Trus. “There needs to be increased security. Listings need to be categorized so that banks are only editable by banks. Law offices are only editable by lawyers. Government offices should be under the lock and key of government. It shouldn’t be this Wild West system where I can add myself as the Prime Minister of Canada, and if I have enough trust, Google believes me.”