Fraudster jailed after pillaging Facebook accounts for personal information

A British man stole £35,000 (approximately US$ 55,000) from his neighbours' bank accounts after determining their passwords via personal information they posted on Facebook.

Fortunately, there's some advice which the rest of us (and indeed online banks) might take away from the story to make all of us more secure in future.

According to a Daily Telegraph report, 33-year-old Iain Wood, of Newcastle, befriended people living in his apartment block, and used their personal details to get past online bank security checks.

Wood would attempt to log into his victims' bank accounts, and click the button to claim he had forgotten his password.

Using clues gleaned from Facebook and Friends Reunited, he would attempt to answer security questions such as memorable dates, name of their first school, mother's maiden name etc.

Wood was reported to be on his computer for 18 hours a day, hunting for personal information related to his neighbours.

The fraud was made easier because Wood targeted people living in the same block of flats as him, giving him the opportunity to intercept their mail.

Typically, Wood changed the address details of victims' accounts and would withdraw cash with cards he received in the post.

Wood, who pleaded guilty, has now been jailed for 15 months.

As I read this story, a few thoughts rang loudly in my head.

Living in a shared building? Take care with your mail
If you're sharing a building with many other people, and your mail is left in a communal place, there are more opportunities for someone to snoop at your mail.

You would have a higher level of security if your sensitive documents were sent to another safer address (your parents?) or required a signature upon delivery. Furthermore, keep an eye open for unexpected deliveries or post that never shows up.

Stop sharing personal information and stop telling the truth
Remember to be extremely careful about what information you share about yourself on the net. It could be a useful piece of the jigsaw for an identity thief or online fraudster.

Get out of the habit of thinking that you need to answer every question on every online form truthfully - does a website really need to know your true date of birth or your mother's maiden name? Are they going to check if you're telling the truth or not?

If a website demands that you enter your full date of birth, for instance, then you have a choice:

You can decide not to use the website, make up a date of birth, or trust it with your real one.

Some websites put in their terms and conditions that you must give them accurate information, but they have no way of verifying that you did tell the truth - so why risk it? Facebook, for instance, wants you to be honest about your real date of birth, but I imagine that's more about stopping you pretending to be a 13-year-old boy than to tell if you were born on August 14th or March 3rd.

Simply making your date of birth private on Facebook may not be enough - a few years ago they accidentally leaked everybody's date of birth, regardless of whether users had chosen to make it private or not.

So my advice is to lie about your date of birth when you can, but don't be deceptive regarding your rough age group.

Similarly with mother's maiden name (which is a matter of public record) why not make up the answer? For instance, say "Xena Warrior Princess", "C3PO" or "Malcolm Muggeridge". As long as you remember it, and no-one else can guess it - that's all that matters.

Online banks should be doing more to secure our accounts
Fortunately, some banking sites have realised that asking such questions for account security can lead to trouble, and warn users not to enter memorable dates which are dates of birth or your wedding anniversary.

However, there are still some websites which encourage bad practices.
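
As an added illustration (not code from this article or from any bank), here is one way a site could screen a proposed memorable date or security answer against details it already holds about the customer, which is the kind of warning described above. The profile fields, sample values and function names are assumptions constructed for the example.

```python
import re
from datetime import date

# Constructed customer record: every value is invented for this example.
PROFILE = {
    "date_of_birth": date(1978, 8, 14),
    "wedding_anniversary": date(2004, 3, 3),
    "mother_maiden_name": "Robinson",
    "first_school": "Heaton Primary",
}
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]


def _date_forms(d):
    """Digit-only renderings of a date in the orders people commonly type."""
    dd, mm = f"{d.day:02d}", f"{d.month:02d}"
    forms = {dd + mm, mm + dd}  # day and month with no year
    for y in (f"{d.year}", f"{d.year % 100:02d}"):
        forms |= {dd + mm + y, mm + dd + y, y + mm + dd}
    return forms


def _digits(answer):
    """Reduce a typed date to digits: month names become numbers, parts are zero-padded."""
    text = answer.lower()
    for number, name in enumerate(MONTHS, 1):
        text = re.sub(rf"\b(?:{name}|{name[:3]})\b", f" {number:02d} ", text)
    return "".join(part.zfill(2) for part in re.findall(r"\d+", text))


def _norm(text):
    """Lower-case and drop spacing and punctuation so 'ROBINSON ' equals 'Robinson'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def weak_answer_reasons(answer, profile):
    """Return the profile fields that a proposed secret answer would give away."""
    reasons = []
    digits, flat = _digits(answer), _norm(answer)
    for field, value in profile.items():
        if isinstance(value, date):
            if digits in _date_forms(value):
                reasons.append(field)
        elif _norm(value) and _norm(value) in flat:
            reasons.append(field)
    return reasons
```

An empty list means the answer matches nothing held on file; a made-up answer passes, while the same date typed as "14/8/78" or "August 14th, 1978" is caught either way.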

But more than this, we now have many online banks requiring you to use two factor authentication if you wish to transfer money into another account.

Online banking websites which use two factor authentication don't just rely upon you remembering the answers to a few security questions - you also have to enter a random number, spat out by a portable hardware device you slot your bank card into.

This level of security is harder for fraudsters to get around, and is probably why Iain Wood changed accounts' mailing address instead.

But why don't more online banks require you to use your authentication device when you first log into your account, rather than just when you try to transfer money?

Wouldn't it be better to require proper authentication that someone accessing the account is who they say they are, regardless of what they plan to do with the account access, rather than just using it when money is transferred?

I have to use an authentication device every single time I want to log into my Sophos email remotely, and I'm sure the story is the same at many companies with external workers.

So why doesn't my bank account also require me to authenticate who I am when I first log into my bank account?

Yes, as individuals we need to be more careful about the information we share on social networks and the password reminder questions and answers we choose on websites.

But we should also be calling on our online banks to put higher levels of protection in place to reduce the chances of fraudsters accessing our accounts.

If you're interested in learning more about security threats and safety on Facebook, I recommend you join Sophos's Facebook page where a community of over 100,000 people regularly discuss the topic.

13 Responses to Fraudster jailed after pillaging Facebook accounts for personal information

  1. Antony · 1517 days ago

    I am shocked the video for creating a secure password was not on this post ;)

  2. Antony · 1517 days ago

    Also "giving him the opportunity to intercept their mailt." <-- t on the end of mail :)

  3. Mario · 1517 days ago

    A quick cheer for HSBC, who have just started to roll out authentication devices to log on to their internet banking. Certainly makes it feel more secure.

  4. Rob Madrid · 1517 days ago

    The real problem is human nature, after watching the secure password video I created a much better password, problem is that changing all of them is a hassle, not to forget trying to remember your new password. Long story short, I've changed my two Gmail accounts but nothing else. Also I tend to use the same password everywhere.

    One thing I do is have two sets of passwords, an easy one for websites such as newspapers and a more challenging one for banking etc

    • Maybe try using a password management program (also known as a password vault) to remember your passwords for you in a secure fashion?

      KeePass for instance is free and open-source and highly regarded. There are others.

  5. Jack · 1516 days ago

    I've been after friends on facebook to get rid of mmddyyyy and just use mmdd if they need the birthday wishes. Some of the responses have bugged me. The most common is that 'criminals have other ways of getting information' - albeit true I tell them why not eliminate what you can!! Sometimes I don't understand human nature!!!

  6. Mike · 1516 days ago

    I assume 'Xena warrior princess' is your mother's maiden name?

  7. "Peter" · 1514 days ago

    This is indicative of the out of date security methods that banks & many other companies still employ. Why is information like your mother's maiden name, first school or place of birth considered in any way privileged in this day and age?

  8. Gadget37 · 1514 days ago

    Authentication devices are a pain. How many are you prepared to carry around all day every day? Soft solutions are much more convenient. Having the hardware is not foolproof proof that you are who you say you are.

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley