How easy is it for hackers to steal your identity? Johnston Press Investigations Team reporter OLI POOLE finds out.
In fewer than two hours, experts uncovered enough information to potentially defraud both me and my family – and you are probably equally vulnerable.
In double-quick time, a team from Cyber 123 and F-Secure were well on their way to stealing my identity.
“We are pretty confident we could have scammed you or one of your family members,” said Cyber director Nigel Morgan, whose colleagues had sifted an astonishing amount of my personal data in their lunch break.
Building a social profile using publicly-available information online was the first step.
What they found was easily enough for a compelling episode of This is Your Life.
Barring a beyond-the-grave message from my late hamster, it felt like I’d spent an hour with Mystic Meg.
They knew my age, address, mobile and work telephone number and email address, a detailed work and education history, my living arrangements and much more.
Because I am a journalist, some of the information was easily gleaned from sources like LinkedIn and Twitter – but other details were less obviously sourced.
One tweet, it transpired, opened up a chasm of opportunity, leading to discovery of details about my nephew, pregnant partner and her family.
One chink led to potentially catastrophic conclusions. And while my Facebook profile may have been fairly secure, the lax privacy settings of other family members left us exposed.
Combined with other directory sources like 192, the team had a wealth of data. Even I did not know when my partner’s mother and stepfather moved in together. My would-be scammers did.
The consequences could have been catastrophic.
I was in no doubt speculative cyber attacks were possible.
Although the swift social sifting might not have accessed my bank details, for example, the team were clear that unscrupulous individuals could have dug further and it might only have been a matter of time.
I was left scrabbling to do all I could to protect myself in future. A family summit was called and I will always be looking over my shoulder.
But what can be done?
Wiping your digital record entirely is impossible. If you are a businessman, for example, Companies House provides the perfect start. Nigel showed me two scam letters, purporting to be from the Office for National Statistics and HSBC, that he received in recent weeks. He believes Companies House was the scammers’ hunting ground.
Other personal details will always be available via the electoral roll or directory sites like 192.
Education and awareness of scams are, Nigel argues, the key to protecting yourself: you should almost expect that you will one day become a target.
He said: “You need to be aware and challenge everything that comes in. You need to be a pessimist.
“For example, if you get a bank letter go to its website and check if the contact details are correct and then ask them if they sent the letter.”
Even if your own social media settings are set at the highest level, those of your family and friends may not be. This could open up avenues for scammers.
Spreading the word is a great start to minimising the risk.
How much misery could we have caused?
By Nigel Morgan
Director of Cyber 123
We had enough of Oli’s information – even at this early point – to launch a range of attacks to gain money or more data.
We judged the easiest prey to be Oli’s mother. We could have pretended to be Oli, imitating his email address in a process known as spoofing.
We could have asked her for money to buy a cot for his impending newborn. We could have sent her a web link to a fake order which she might think was genuine but was actually sending us the cash and her bank details.
No IT system could prevent this as our target would think she was talking to her son.
A riskier strategy would be a link to a virus, which encrypted her files and demanded a payment to unlock them. That is ransomware. The virus might be detected but we would not be caught.
We could have gone deeper, attempting to take over Oli’s email account.
We could have used his mobile number and two-factor authentication to trigger a password reset of his email address and intercepted the text. E-mails often unlock most things in your life, so this could have led to more misery and a list of further potential victims.
In reality, Oli might not receive this much attention. Cybercrime is a numbers game - but if someone wanted to target him, they would keep digging.
While steps can be taken, you can never protect every scrap of data. You also need to be alert to potential scams. It is a bit like a burglar looking for a vulnerable home. If the windows are open and a MacBook box is poking out of the recycling bin, you make yourself a target.
Barriers in the way will see them move on.
Top tips to avoid being a hacker’s hero
• Social media - don’t fill in the personal details that sites like Facebook ask for, such as age, email address and phone numbers, unless you have to. Nigel recalled a customer who was hacked ultimately because he said on Facebook that he was financial director at a named company. Hackers accessed his account by guessing his email and password, using information gleaned from his social profiles.
• Social privacy - check your Facebook pages and posts have the highest privacy settings. They are initially open by default. Facebook help sections have handy tips.
• E-mail - use a variety of email accounts for different things. If you have linked an email address to social media, do not use this address for things like online banking.
• Passwords - consider password vault software like LastPass to keep your passwords secure. Never let your web browser ‘remember’ your passwords.
• Search for password strength calculators like howsecureismypassword.net to assess the integrity of your passwords, in conjunction with password vaults. Never put your password in them; use a similar one to test.
• Be alert - question everything. If you receive a bank letter asking you to call them, verify the number through the bank’s official website.