Sunday, May 3, 2009

My (brief) life with the cybercriminals: an object lesson for us all

Who hasn’t THIS happened to? You’re going along minding your own business when suddenly you discover that Nigerian cybercriminals have hijacked your email account, stolen your identity, and are now posing as you by sending out emails asking your friends, family, and associates to send you money in London, where supposedly you are stranded after having lost your wallet! You have no ability to regain control of your email account because the cybercriminals have changed both your password and all of your account’s security settings, so you can’t even prove that the account was ever yours! Sound familiar?

Well, if not, don’t think it couldn’t happen to you. Reportedly, this kind of thing happens to about 80,000 email account holders every single month. And last month, it happened to innocent little me.

Okay, okay, so I don’t really know that they were Nigerians. They could just as easily have been Poles or Russians, or even people from Moldova. The fact is that the internet gives everyone with access an equal opportunity to think up a scam and implement it. Nigerians are at the forefront of many of these deceptions, but they have plenty of nefarious company from Eastern Europe and elsewhere. I admit that I don’t know who did it, but I can now surmise how it was done. And knowing the how is valuable information for those who would like to avoid my fate.

I first got the suspicion that something was terribly wrong when my father-in-law called my wife to ask her how I was doing and whether it was true that I was visiting London. My wife assured him that I was perfectly fine and was definitely not in London. Then why, he wondered, had Bryan just sent him an email asking for money to be sent to London to help him get home? Gosh, I don’t know, she replied. She yelled, “Bryan, did you send my Dad an email?” I replied that I had not--and that could have been the end of that. Except for the fact that about an hour later I got an inquiry from an old friend with a question along the same lines. No, I was not in London! Don’t send money.

What was going on? Then I remembered that when I had tried to access my email account the previous evening I had been unable to do so. My password was not accepted and I was locked out of the account. Now I tried to sign in again, but I was still locked out. Then someone forwarded me the email that I had supposedly just sent them (reproduced here with the incorrect syntax and spelling intact):

“Hello, How are you doing ? hope all is well with you and family,i am sorry that i didn't inform you about my traveling to England for a program called Empowering youth For social change. I need a favour from you as soon as you receive this e-mail, I misplaced my wallet on my way to the hotel where my money and other valuable's were kept. Urgently assist me with a soft loan of $2,500 to sort-out my hotel bills and get myself back home. I will appreciate whatever you can afford and i'll pay you back as soon as i return,Kindly let me know if you can be of help? so that i can send you the details to use when sending the money through western union. Regards,Bryan”

Well, anyone who knows me would, I hope, also know that I am a much better writer than is evidenced by this missive. Where is the pathos? Where is the stirring call to action that anyone should have expected of me? And that use of the British spelling (“favour”) was just so not me! I was impressed, however, with the cybercriminals’ correct use of the possessive “my” in the sentence stating that I had failed to inform the recipient about “my traveling to England.” Most cybercriminals probably would have been satisfied to use the ungrammatical “me” at that juncture.

Anyway, here’s the point. Some gang had taken control of my account and was engaged in a form of identity theft: my identity. The fact that they were, to some extent, fools did not mitigate the fact that I was no longer in control of my email account, one that had been mine for the past 15 years or so. How could this happen?

Well, here’s how. I had a very short, simple password for my email account at Hotmail (part of Microsoft, by the way). And more importantly, this password was the same one that I also used for many other on-line accounts (such as for signing on to catalog-order sites and web-based retailers). In hindsight I now understand that using the same password for multiple purposes is an absolute no-no. But like many others, I suffer from both a lack of creativity and a poor memory. One password for everything seemed like a fine idea at the time.

But it’s not. For even though it is unlikely for cybercriminals to directly hack into the site of an email provider such as Hotmail, it is not so rare for these guys to hack into the server of an internet retailer or other on-line service company. Once the thieves have done this, they immediately have knowledge both of the password you use on the site they’ve hacked and (in most cases) your email address as well. If you are one of the many people who use the same password for virtually everything, knowing your email address and your password on the site they have hacked has just given them access to your email account. They simply go to Hotmail (or whatever company you use as your email provider) and try the password to see if it works. If it does, they are then into the account as you. At which point they change the password and the security settings so that when you go to sign in you can’t. And when you go to reset the password you can’t do that either (because these devious guys pretending they are you have already changed the password reset question from “What was your first grade teacher’s name?” to “What is your father’s middle name?” Guess what, you don’t know that the answer to the new question is “Kashimawo.” And the city that Hotmail had previously thought you were located in has been changed from “Seattle” to “Lagos.”) You lose.
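The takeover sequence described above (a successful login from a place the account has never been used from, followed within minutes by changes to the password, the reset question and the profile location) is exactly the pattern an email provider's abuse team would want to catch. As an added example that is not part of the original post, here is a small detection routine run over a constructed audit log; the log format, the event names and the one-hour correlation window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from the post): a legitimate Seattle
# session, then the takeover pattern the post describes, then an unrelated
# user making a routine change from their usual location.
SAMPLE_LOG = """\
2009-04-19T08:02:10Z user=bryan event=login geo=Seattle result=ok
2009-04-19T08:15:42Z user=bryan event=logout geo=Seattle result=ok
2009-04-20T21:05:11Z user=bryan event=login geo=Lagos result=ok
2009-04-20T21:06:30Z user=bryan event=password_change geo=Lagos result=ok
2009-04-20T21:07:02Z user=bryan event=recovery_question_change geo=Lagos result=ok
2009-04-20T21:08:45Z user=bryan event=profile_location_change geo=Lagos result=ok
2009-04-21T07:40:00Z user=alice event=login geo=Boston result=ok
2009-04-21T07:41:00Z user=alice event=password_change geo=Boston result=ok
"""

# Assumed event names for the three settings the hijackers changed.
SENSITIVE = {"password_change", "recovery_question_change", "profile_location_change"}
WINDOW = timedelta(hours=1)  # assumed correlation window

def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_takeovers(log_text, min_changes=2):
    """Flag a successful login from a geo the user has never logged in from
    before when it is followed within WINDOW by at least min_changes distinct
    security-setting changes. Expects the log in chronological order.
    Returns a list of (user, geo, sorted change names)."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    seen_geo = defaultdict(set)
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "login" or ev["result"] != "ok":
            continue
        user, geo = ev["user"], ev["geo"]
        is_new_geo = geo not in seen_geo[user]
        seen_geo[user].add(geo)
        if not is_new_geo or len(seen_geo[user]) == 1:
            continue  # a user's first-ever geo is baseline, not an anomaly
        changes = {e["event"] for e in events[i + 1:]
                   if e["user"] == user and e["event"] in SENSITIVE
                   and e["ts"] - ev["ts"] <= WINDOW}
        if len(changes) >= min_changes:
            alerts.append((user, geo, sorted(changes)))
    return alerts
```

Run against the sample, only Bryan's Lagos session is flagged; Alice's password change from her usual location is not, because a single routine change from a known place is not the pattern.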

So the answer is: use a unique password for your email account, one that you use on no other website. It is also better to have a longer password than mine was (pesker), and still better to have an alphanumeric password than otherwise. Though I got away with being a password innocent for more than a decade, take a lesson from my experience.

I now have a new email account with a long alphanumeric password that I use for no other purpose. But while I have wised up, the cybercriminals who hijacked my account apparently haven’t. They are still wasting their time trying to get money from my contacts. I heard from a friend that just a couple weeks ago she had been in a chat session with the Nigerian Bryan Tagas, who had lowered the amount of money he said he needed from $2,500 to a measly $600.

Still, no takers.

[I am indebted to Ira Glass of This American Life for my opening line. In a teaser spot for a then-upcoming This American Life on NPR he introduced the week’s story along the following lines:

Who hasn’t THIS happened to? A widow contracts with a cryogenics company to freeze her dead husband in case there’s ever a cure for his disease. Only she later discovers that the cryogenics company owner failed to tell her… (Voice of the Cryogenics Company Owner: “Well, if there’s one thing I’m a bit embarrassed about it’s the fact that I didn’t tell her that I was putting her husband in a cylinder with several other dead bodies…”).

I just love Ira’s show and if you’re not a fan yet, just listen to the show one time and you will be. It’s available on podcast:]

[The above photo, courtesy of Flickr, shows the passport and other documentation of an actual Nigerian email scammer!]
