'˜Steal my identity' - reporter throws down gauntlet

Johnston Press Investigations Team reporter Oli Poole has found out just how easy it is for online hackers to steal your identity.
By The Newsroom
Published 25th Jul 2017, 10:21 BST
Updated 12th Sep 2017, 11:49 BST
Nigel Morgan and Dave Cutts, back, and reporter Oli Poole, who laid down the challenge for his own online identity to be hacked. Photo by Derek Martin.Nigel Morgan and Dave Cutts, back, and reporter Oli Poole, who laid down the challenge for his own online identity to be hacked. Photo by Derek Martin.
Nigel Morgan and Dave Cutts, back, and reporter Oli Poole, who laid down the challenge for his own online identity to be hacked. Photo by Derek Martin.

In less than two hours, experts uncovered enough information to potentially defraud both me and my family – and you are probably equally vulnerable.

In double-quick time, a team from Cyber 123 and FSecure were well on their way to stealing my identity.

Hide Ad
Hide Ad

“We are pretty confident we could have scammed you or one of your family members,” said Cyber director Nigel Morgan, whose colleagues had sifted an astonishing amount of my personal data in their lunch break.

Building a social profile using publicly-available information online was the first step. What they found was easily enough for a compelling episode of This is Your Life.

Barring a beyond-the-grave message from my late hamster, it felt like I’d spent an hour with Mystic Meg.

They knew my age, address, mobile and work telephone number and email address, a detailed work and education history, my living arrangements and much more.

Hide Ad
Hide Ad

As a journalist, some of the information was easily gleaned from sources like LinkedIn and Twitter – but other details were less obviously sourced.

One tweet, it transpired, opened up a chasm of opportunity, leading to discovery of details about my nephew, pregnant partner and her family. One chink led to potentially catastrophic conclusions.

And while my Facebook profile may have been fairly secure, the lax privacy settings of other family members left us exposed.

Combined with other directory sources like 192, the team had a dearth of data. Even I did not know when my partner’s mother and stepfather moved in together. My would-be scammers did.

The consequences could have be catastrophic.

Hide Ad
Hide Ad

I was in no doubt speculative cyber attacks were possible. Although the swift social sifting might not have accessed my bank details, for example, the team were clear unscrupulous individuals could have dug further and it might only have been a matter of time.

I was left scrabbling to do all I could to protect myself in future. A family summit was called and I will always be looking over my shoulder.

But what can be done?

Wiping your digital record entirely is impossible. If you are a businessman for example, Companies House provides the perfect start. Nigel showed me two scam letters from the Office for National Statistics and HSBC he received in recent weeks. He believes Companies House was the scammers’ hunting ground.

Other personal details will always be available via the electoral roll or directory sites like 192.

Hide Ad
Hide Ad

Education and awareness of scams is, Nigel argues, the key to protecting yourself, almost expecting you will one day become a target.

He said: “You need to be aware and challenge everything that comes in. You need to be a pessimist. For example, if you get a bank letter go to its website and check if the contact details are correct and then ask them if they sent the letter.”

If your social media settings are not set at the highest level, your family and friends may not be. This could open up avenues for scammers. Spreading the word is a great start to minimising the risk.

Nigel said: “We had enough of Oli’s information – even at this early point – to launch a range of attacks to gain money or more data.

Hide Ad
Hide Ad

“We judged the easiest prey to be Oli’s mother. We could have pretended to be Oli, imitating his email address in a process known as spoofing.

“We could have asked her for money to buy a cot for his impending newborn. We could have sent her a web link to a fake order which she might think was genuine but was actually sending us the cash and her bank details.

“No IT system could prevent this as our target would think she was talking to her son.

“A riskier strategy would be a link to a virus, which encrypted her files and demanded a payment to unlock them. That is ransomware. The virus might be detected but we would not be caught.

Hide Ad
Hide Ad

We could have gone deeper, attempting to take over Oli’s email account. We could have used his mobile number and two-factor authentication to trigger a password reset of his email address and intercepted the text. E-mails often unlock most things in your life, so this could have led to more misery and a list of further potential victims.

“In reality, Oli might not receive this much attention. Cybercrime is a numbers game - but if someone wanted to target him, they would keep digging. While steps can be taken, you can never protect every scrap of data. You also need to be alert to potential scams. It is a bit like a burglar looking for a vulnerable home. If the windows are open and a Macbook box is poking out of the recycling bin, you make yourself a target. Barriers in the way will see them move on.”

Related topics:LinkedInTwitter