A British man stole £35,000 (approximately US$ 55,000) from his neighbours’ bank accounts after determining their passwords via personal information they posted on Facebook.
Fortunately, there’s some advice which the rest of us (and indeed online banks) might take away from the story to make all of us more secure in future.
According to a Daily Telegraph report, 33-year-old Iain Wood, of Newcastle, befriended people living in his apartment block, and used their personal details to get past online bank security checks.
Wood would attempt to log into his victims’ bank accounts, and click the button to claim he had forgotten his password.
Using clues gleaned from Facebook and Friends Reunited, he would attempt to answer security questions such as memorable dates, the name of their first school, mother’s maiden name, etc.
Wood was reported to be on his computer for 18 hours a day, hunting for personal information related to his neighbours.
The fraud was made easier because Wood targeted people living in the same block of flats as him, giving him the opportunity to intercept their mail.
Typically, Wood changed the address details of victims’ accounts and would withdraw cash with cards he received in the post.
Wood, who pleaded guilty, has now been jailed for 15 months.
As I read this story, a few thoughts rang loudly in my head.
Living in a shared building? Take care with your mail
If you’re sharing a building with many other people, and your mail is left in a communal place, there are more opportunities for someone to snoop through your mail.
You would have a higher level of security if your sensitive documents were sent to another safer address (your parents?) or required a signature upon delivery. Furthermore, keep an eye open for unexpected deliveries or post that never shows up.
Stop sharing personal information and stop telling the truth
Remember to be extremely careful about what information you share about yourself on the net. It could be a useful piece of the jigsaw for an identity thief or online fraudster.
Get out of the habit of thinking that you need to answer every question on every online form truthfully – does a website really need to know your true date of birth or your mother’s maiden name? Are they going to check if you’re telling the truth or not?
If a website demands that you enter your full date of birth, for instance, then you have a choice:
You can either decide not to use the website, make up a date of birth, or trust it with your real one.
Some websites put in their terms and conditions that you must give them accurate information, but they have no way of verifying that you did tell the truth – so why risk it? Facebook, for instance, wants you to be honest about your real date of birth, but I imagine that’s more about stopping you pretending to be a 13-year-old boy than telling whether you were born on August 14th or March 3rd.
Simply making your date of birth private on Facebook may not be enough – a few years ago they accidentally leaked everybody’s date of birth, regardless of whether users had chosen to make it private or not.
So my advice is to lie about your date of birth when you can, but don’t be deceptive regarding your rough age group.
Similarly with your mother’s maiden name (which is a matter of public record), why not make up the answer? For instance, say “Xena Warrior Princess”, “C3PO” or “Malcolm Muggeridge”. As long as you remember it, and no-one else can guess it – that’s all that matters.
Online banks should be doing more to secure our accounts
Fortunately, some banking sites have realised that asking such questions for account security can lead to trouble, and warn users not to enter memorable dates which are dates of birth or your wedding anniversary.
However, there are still some websites which encourage bad practices.
But more than this, we now have many online banks requiring you to use two factor authentication if you wish to transfer money into another account.
Online banking websites which use two factor authentication don’t just rely upon you remembering the answers to a few security questions – you also have to enter a random number, spat out by a portable hardware device you slot your bank card into.
This level of security is harder for fraudsters to get around, and is probably why Iain Wood changed the accounts’ mailing addresses instead.
But why don’t more online banks require you to use your authentication device when you first log into your account, rather than just when you try to transfer money?
Wouldn’t it be better to require proper authentication that someone accessing the account is who they say they are, regardless of what they plan to do with that access, rather than only when money is transferred?
I have to use an authentication device every single time I want to log into my Sophos email remotely, and I’m sure the story is the same at many companies with external workers.
So why doesn’t my bank account also require me to authenticate who I am when I first log into my bank account?
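As an added example (not from the article or any bank’s code), here is a Python model of the policy argued for above: a hypothetical account where both the login itself and the “forgotten password” path demand the code from the hardware device, so a fraudster armed with Facebook facts has nothing to answer. The device code is verified as an RFC 4226 HOTP counter-based code, which is an assumption for illustration (real bank card readers use their own scheme); the secret and passwords are constructed test values.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Hypothetical bank account whose sensitive paths all demand the token."""

    def __init__(self, password: str, token_secret: bytes):
        self.password = password
        self.token_secret = token_secret
        self.counter = 0  # server-side copy of the device counter

    def _check_otp(self, otp: str, window: int = 5) -> bool:
        # Accept a code from the next `window` counter values, so codes
        # generated on the device but never submitted do not lock the user out.
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(hotp(self.token_secret, c), otp):
                self.counter = c + 1  # move past the used code: no replay
                return True
        return False

    def login(self, password: str, otp: str) -> bool:
        """Token required at login, not only when money is transferred."""
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return False
        return self._check_otp(otp)

    def reset_password(self, otp: str, new_password: str) -> bool:
        """The 'forgotten password' path needs the token, not guessable
        facts such as a mother's maiden name or a date of birth."""
        if not self._check_otp(otp):
            return False
        self.password = new_password
        return True
```

Failed attempts leave the counter untouched, so a used code is rejected on replay while a code skipped on the device is still accepted within the window.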
Yes, as individuals we need to be more careful about the information we share on social networks and the password reminder questions and answers we choose on websites.
But we should also be calling on our online banks to put higher levels of protection in place to reduce the chances of fraudsters accessing our accounts.
If you’re interested in learning more about security threats and safety on Facebook, I recommend you join Sophos’s Facebook page where a community of over 100,000 people regularly discuss the topic.
I am shocked the video for creating a secure password was not on this post 😉
Also "giving him the opportunity to intercept their mailt." <– t on the end of mail 🙂
Thanks for spotting my typo. Now fixed!
🙂 No problem. Happens to the best of us.
A quick cheer for HSBC, who have just started to roll out authentication devices to log on to their internet banking. Certainly makes it feel more secure.
The real problem is human nature, after watching the secure password video I created a much better password, problem is that changing all of them is a hassle, not to forget trying to remember your new password. Long story short, I've changed my two gmail accounts but nothing else. Also I tend to use the same password everywhere.
One thing I do is have two sets of passwords, an easy one for websites such as newspapers and a more challenging one for banking etc
Maybe try using a password management program (also known as a password vault) to remember your passwords for you in a secure fashion?
KeePass for instance is free and open-source and highly regarded. There are others.
… Like LastPass
The problem here though Graham which people worry and concern themselves about is – When they are not at their machine how do they remember these logins etc?
I've been after friends on facebook to get rid of mmddyyyy and just use mmdd if they need the birthday wishes. Some of the responses have bugged me. The most common is that 'criminals have other ways of getting information' – albeit true I tell them why not eliminate what you can!! Sometimes I don't understand human nature!!!
I assume ‘Xena warrior princess’ is your mother’s maiden name ?
This is indicative of the out of date security methods that banks & many other companies still employ. Why is information like your mother's maiden name, first school or place of birth considered in any way privileged in this day and age?
Authentication devices are a pain. How many are you prepared to carry around all day every day? Soft solutions are much more convenient. Having the hardware is not foolproof proof that you are who you say you are.