What is Identity Theft
There are myriad ways for the bad guys to get your information and use it for all sorts of nefarious purposes—mainly, stealing your money, although occasionally for other kinds of fraud or to cover their tracks when committing additional crimes. That’s one of the big reasons identity theft can be so devastating.
If a criminal steals your credit card information, your bank will likely refund you the money that was lost. If the same criminal impersonates you to run an international child pornography ring. This blog explains several examples of identity theft.
How does it happen? We’ll examine the many methods of identity theft in the next sections, and we’ll also show you how you can protect yourself from being a victim or fight back if you already are.
The methods of ID theft range from the seriously low tech (such as digging through your trash for unshredded financial documents or stealing those new credit cards that the bank sends you unexpectedly) to sophisticated database breaches and other hacks staged half the world away by large crime syndicates to fund cyberterrorism operations.
MANY TYPES OF IDENTITY THEFT
Criminals impersonate you online for a range of different reasons and in a variety of ways. For cyberstalkers, the impersonation is usually part of a larger cyberbullying effort. But in most cases, the motivations are financial.
Whether it’s designed to get bank cards or bank loans in your name, obtain credit in your name, or impersonate you to use your existing credit, identity theft is usually a gateway cybercrime— an initial act, atop which lie other criminal schemes. So really, “identity theft” should be thought of as a family, or a category, of cybercrime.
Even though it’s common for victims to be reimbursed by banks or credit card companies, the damage done by ID theft can affect you for years. Your credit score and history are the main ways that banks, car dealers, and other lenders determine the risk of extending you credit, and the black marks can be hard to erase.
A Taxing Scheme One of the fastest growing crimes in America is tax return fraud, which can net identity thieves thousands of dollars for each successful impersonation they make to the IRS.
The criminals get hold of your Social Security number and personal information and then create a tax return in your name that shows a modest overpayment on your part.
The return is filed online using software, and within days, the IRS sends out a refund to “you”—at the address given by the thief. The refund is typically made using prepaid Visa cards, which can be easily exchanged for cash or property.
HOW MIGHT YOU BE VULNERABLE?
The vast multibillion-dollar cybercrime industry can be divided into three basic categories, each with its own objectives, although at the end of the day, the result is the same: You’ve been had. Understanding the differences, and what happens at each stage of the game, can help you stay safe. Here’s how these crimes roll out.
WHY IS IT CALLED PHISHING?
Phishing is a term used to describe some of the most widespread and effective methods for obtaining information online. The term itself is a mash-up of two words—”fishing” and “phreak.”
The fishing part is just what you’d imagine: to fish for victims or data by using electronic bait, hooking victims, and reeling them in—an obvious and accurate metaphor for the act itself.
The alternate spelling is a nod to the pre-internet practice of telephone-system hacking known as phone “phreaking,” done by “phreaks.” This is related to another hacker practice, called “leet speak,” which substitutes numbers for letters and some letters for others to create an often goofy insider jargon.
It’s quaint today, but you will still see versions in chat rooms, as hackers somewhat jokingly refer to one another as “133t H4x0r5,” or “elite hackers.”
TEACH A MAN TO PHISH
Phishing isn’t one specific thing. Rather, the term is used for a wide range of methods designed to gain access to your information. Understanding what those methods are, along with the basics of how they work, is central to both recognizing and avoiding many of the risks you face online.
So before we go any further, let’s do a quick overview of the many types of phish in the sea and the ways they can bite. Here are three common methods that these criminals will try when going after your data.
Voluntary Disclosure The first method is diabolically simple: Attackers use a rich mix of psychological techniques, known collectively as social engineering, to get you to give up the goods, essentially conning you into giving away the information that they want.
People are generally trusting, and it’s amazing how much information the average person will give up simply because someone happened to ask them in the right way.
Malicious Attachments In these cases, computer users are tricked by some compelling message into opening a poisoned email attachment, which then installs malware on their machine, giving the hacker access to their computer or network. These attachments masquerade as documents the users “requested,” photos they “just have to see to believe,” and the like.
Malicious Links Because many email systems can now block out malicious email attachments, some attacks will use malicious links to drive the user to an infectious web page instead. Most people are so accustomed to clicking on links almost automatically that this technique is highly effective.
Most of these links are disguised to boot—an image in the email with a logo or a line of text displaying an address or site to visit that is actually a cover for a malicious web address which a hacker has set up for just this purpose.
TYPES OF PHISH
There are a lot of phishing schemes in the sea. You’ve probably been exposed to at least a couple of the examples listed below—and hopefully, you didn’t fall for them, although if you did, you’re one of the millions of people who have. Using the information below, you’ll be better able to spot these scams and steer clear.
TYPES OF SCAM
Classic phishing: A fake website “spoofs,” or closely resembles, a real one, into which users enter their access credentials, identity data, or other sensitive information.
Spearphishing: As the name would imply, this is a highly targeted attack, often designed to victimize a small, specific group or even one individual, using highly personalized messages that may be the result of hours or even weeks of online reconnaissance on the target.
Whaling: The spearphishing of a high-profile or high-value individual, such as a CEO or celebrity, that is, a “big fish” or whale.
Romance scams: The use of fake online personas or profiles to create a phony emotional or romantic relationship, either for financial gain or access to sensitive information.
Phone and SMS scams: Scams or data thefts that leverage phishing-like techniques but target phone users over voice lines or SMS.
“MY IDENTITY ISN’T WORTH STEALING!”
FALSE Attackers are smart, and they seek the easiest path to their ultimate target. Often, that easiest path runs through your computer, and the weakest point on it is you. You may say, “I just have photos of my grandkids on my hard drive.” But your machine is connected to the internet, making it a target.
Hackers can hijack your computer and join it into a secret global network for spam, attacks on other computers, and more nefarious activities. While they’re at it, they might just steal your banking information as well.
It is also not unknown for hackers to destroy a computer, so that even those family photos that are priceless to you, while worthless to others, end up lost with the dead computer.
PHISHING EMAILS ARE EASY TO DETECT
FALSE A lot of people believe that they can easily tell when they’re being phished through email.
But more and more often, scammers are crafting messages that appear to be from a legitimate source, such as your bank or your Amazon or eBay account, complete with a full page of images and icons from those sites duplicating a genuine email—but secretly redirecting an unsuspecting user to another site.
You can sometimes confirm it’s a fake by moving your mouse over the link (without clicking) and seeing another address pop up in the preview. But just to be on the safe side, you should always enter the address yourself, never by clicking links.
DEFEND YOURSELF AGAINST PHISHING
So if the thieves are smart, and not even the rich and famous can protect themselves, does that mean you’re hosed? Not at all. That’s because in most cases, victims fall for these attacks not out of a lack of resources but a lack of awareness.
An astute and informed user with a zero-dollar budget is harder to victimize than an oblivious and untrained one with all the money in the world. Here are five simple steps you can take, starting right now, that will make you a significantly tougher target for phishers.
Be Aware Simple awareness is the first line of defense. Be suspicious. Understand and believe that you are a target. Treat any message in any electronic medium from someone you don’t know as highly suspect.
Use the Hover Test Any modern email program will show you the destination of a hyperlink if you mouse over it without clicking. This “hover test” can help you spot suspicious links in any email you’ve received. If the visible link and the underlying destination don’t match exactly, don’t click!
Check the URL Learn how to properly read a web address. The name of the site you’re visiting is the last thing to the left of the first single slash, not the first thing to the right of the double slash. Phishers constantly use this lack of knowledge to trick people.
SAFE: http://www.amazon.com/
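The hover test and the URL-reading rule above can be checked mechanically. The following is an added example (not code from the original post): it pulls out the host name, the part between the double slash and the first single slash, ignores any user@ prefix or port, and compares it with both the text the email displays and the site you expect. All sample links are constructed for illustration; `example.net` is a placeholder domain.

```python
from urllib.parse import urlsplit


def site_name(url: str) -> str:
    """The site you will actually reach: the host name between '://' and the
    first single '/', with any user@ prefix and :port removed, lowercased."""
    if "://" not in url:
        url = "http://" + url  # a bare host such as www.amazon.com is treated as an http link
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def belongs_to(host: str, expected_domain: str) -> bool:
    """True if host is expected_domain itself or a subdomain of it.
    Only the right-hand end of the host names the site; 'amazon.com'
    appearing further left proves nothing."""
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def looks_like_address(text: str) -> bool:
    """Visible link text that is itself an address ('www.amazon.com'),
    as opposed to words like 'Update your account'."""
    text = text.strip()
    return "." in text and " " not in text


def check_link(visible_text: str, href: str, expected_domain: str) -> tuple:
    """Hover test plus URL reading.

    visible_text: what the email shows for the link.
    href:         where the link really goes (what hovering reveals).
    Returns (safe, reason)."""
    real_host = site_name(href)
    if not real_host:
        return False, "destination has no host name"
    scheme = urlsplit(href if "://" in href else "http://" + href).scheme
    if scheme not in ("http", "https"):
        return False, f"unexpected scheme {scheme!r}"
    # Hover test: if the text shown is an address, it must match the destination exactly.
    if looks_like_address(visible_text):
        shown_host = site_name(visible_text)
        if shown_host != real_host:
            return False, f"link shows {shown_host} but goes to {real_host}"
    # URL reading: the destination must belong to the site you expect.
    if not belongs_to(real_host, expected_domain):
        return False, f"destination {real_host} is not {expected_domain}"
    return True, f"destination {real_host} belongs to {expected_domain}"


# Constructed sample links (visible text, real destination, site the reader expects).
SAMPLES = [
    ("http://www.amazon.com/", "http://www.amazon.com/", "amazon.com"),
    ("www.amazon.com", "http://www.amazon.com.example.net/signin", "amazon.com"),
    ("Update your account", "http://example.net/amazon.com/login", "amazon.com"),
    ("Your order", "http://amazon.com@example.net/", "amazon.com"),
]

if __name__ == "__main__":
    for shown, real, expected in SAMPLES:
        safe, why = check_link(shown, real, expected)
        print("SAFE  " if safe else "UNSAFE", why)
```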
Be Attachment Phobic Malicious attachments are the number one way to let password stealers, Trojan horse viruses, and other nasties get onto your computer. You should only open attachments from people you know, and even then limit yourself to messages you’re expecting, such as an invoice for services you actually have received.
Confirm Out-of-Band If you happen to receive a suspicious message or a request for information that seems too personal, even from individuals or companies you trust, confirm the request via a different medium.
For example, if they email you asking for your information or requesting that you click the link to their website to correct an issue, try visiting their website or calling them by phone.
And remember, type the web address out manually or find the phone number yourself. Never rely on the link or phone number in the suspicious message. Those could both be fakes run by the phisher!
YOU’RE NOT ALONE
Millions of ordinary citizens have been victimized by one type of hack or another. Even the smart, powerful, and rich have been victims. For example, real-life rocket scientists at NASA have had their computers taken over by Chinese hackers.
The U.S. government has concluded that Russians hacked the DNC and that Anonymous hacked Donald Trump during the 2016 election.
A password manager site or an application like LastPass, Dashlane, or 1Password can generate, store, and encrypt a list of passwords for you, import any passwords that you have previously created yourself from browsers, analyze the strength of a password, and more.
Just be sure that you can remember and keep secure the master password to the account itself—and luckily, many password managers also offer two-factor authentication (see below) for an added layer of password protection.
CREATE A POWERFUL PASSWORD
Now that you know what to avoid in emails, what’s the next step? Well, every online account requires an account name (often derived from your own name or email address) and a password. The following guidelines can help you come up with passwords that are as unbreakable as possible.
One Size Does Not Fit All Look at the keys on a key ring: Each is a different design and cut. Just as each key is made to fit a specific lock, each password should be unique to the account it’s used for.
Otherwise, if you’re a victim of ID theft, whoever stole your information will have access to every single account of yours that the criminal can think to try.
Bigger Is Better Some sites limit how long your password can be. While a long password may be hard to remember, it’s harder for a hacker to break, even with brute-force methods (that is, using programs that try every single possible combination of characters).
Get Complicated Passphrases are easy to remember, but anything that uses dictionary words is easily hackable. Avoid simple substitutions, too, such as “p4ssw0rd” instead of “password.” Use every single type of character you can: lowercase and capital letters, numbers, punctuation, and anything else available.
Guessing a single digit from 0 to 9 is easy for a hacker or ID thief; guessing the right character out of the sixty-two digits, lowercase letters, and capital letters is massively more challenging, and it gets harder still the longer the string is.
If you have to write down a password to help remember it, keep said document hidden and safe from prying eyes or theft or consider using a password manager.
Change Is Good Don’t just come up with a password and then leave it be. Change your passwords frequently and, if at all possible, never reuse one. If hackers steal older data, they may score a hit if you’re using that old password for a new account.
WHO WANTS TO KNOW?
Sometimes an extra layer of protection, called “knowledge-based authentication,” or KBA, is added to your password, either in addition to your basic login and password or to verify your identity if you’ve forgotten your password. Of course, like many other defenses, this tool can also be turned against you.
Static KBA Also known as “shared secret questions,” these are questions along the lines of your mother’s maiden name, the town where you were born, and so forth—often matters of public record.
In addition, this information is stored somewhere, so it can be stolen, which means that even the weirder questions, like “Who’s your favorite poet?” aren’t secure.
Dynamic KBA Here, questions are generated in real time from a range of public and private records. You don’t know what questions will be asked, but, hopefully, you’ll remember the answer.
USING THE POWER OF TWO
Two-factor authentication, also called “2FA,” is like a counter password in a spy novel (“The blackbird sings at midnight”; “But only under a full moon”) or two people turning keys at the same time to launch a missile.
Often available as a mobile app or a physical token (something like a key ring tag) that only you would have access to, 2FA uses a shared algorithm attached to your account.
After typing in your password, you’re prompted to use the app or push a button on the tag to generate the authentication key based on that algorithm, usually a short string of numbers randomly created on the spot.
If an account offers 2FA (such as Google Authenticator), use it, and your accounts will be that much harder to compromise. If you should lose the token or the mobile device with the app, replace it ASAP so you can keep your account safe.
The rest of this blog explains how you can help yourself when you are the victim of identity theft. If you don’t, it can cost you dearly when applying for a car loan, mortgage, or credit card. It could also make it harder for you to find a job, rent an apartment, or buy insurance.
The first thing you must do when you are a victim of identity theft is to get organized. The seven-step checklist here is just a suggested series of steps; customize it as necessary to your needs.
STEP 1 FILE A POLICE REPORT
If you discover you have been victimized, contact the non-emergency number of your local police department and ask to speak to a detective.
STEP 2 GATHER DOCUMENTS AND EVIDENCE
Contact your nation’s consumer protection agencies, as well as stores and creditors to gain copies of the documents used to open accounts in your name.
STEP 3 CREATE AN AFFIDAVIT AND ID THEFT REPORT
Your local consumer protection agency should be able to provide documents you will need and demonstrate how to present them. They also provide sample forms for an identity theft report, which, along with your police report, will help speed up the process with creditors, banks, and other agencies.
STEP 4 INFORM THE CREDIT AGENCIES AND CREATE AN EXTENDED ALERT
To establish a fraud alert with the credit agencies, contact them directly. You will need to reissue the alert every ninety days.
STEP 5 INFORM YOUR BANK, CREDITORS, AND MERCHANTS
With the package you’ve created, contact your bank and other creditors and merchants with whom you have accounts and inform them of the issues you have faced.
STEP 6 PROTECT YOUR SOCIAL SECURITY NUMBER
If your number was misused, inform the national agency and request information on an ID Theft Affidavit. You may also wish to contact your agency if your Social Security number is being continually abused, or phone one of the organizations that assist victims of identity theft.
STEP 7 MONITOR YOUR CREDIT
You are entitled to at least one free credit report per year, but that is often insufficient for monitoring. There are several commercial companies offering these services, and we recommend you seek professional advice on which to choose.
Several nonprofit organizations are out there to help victims, offering assistance to victims of identity theft by internet or phone.
SYNTHETIC ID THEFT
This blog deals with the theft of someone’s actual identity, but here’s a new twist: synthetic identity theft. That’s when an identity that has never before existed is created by scammers.
Identity thieves typically seek to obtain names, national identity numbers and dates of birth, medical account numbers, addresses, birth certificates, death certificates, passport numbers, bank account or credit card numbers, passwords (like your mother’s maiden name or children’s or pet’s names), telephone numbers, and even biometric data (such as fingerprints or iris scans).
With synthetic ID theft, thieves only need some of this information to create a whole new fake person.
Thieves then create a credit file—the closest thing in the digital domain to conjuring up a human. This exploits a weakness in the authentication scheme used by credit reporting agencies: If an identity doesn’t exist when it is checked, a new file is created. And a file? That’s gold.
Credit Where No Credit Is Due The best thing to do with a synthetic ID is build its credit over time. This can be done in the traditional way—almost anyone can get a high-interest, low-limit, unsecured credit card at a hardware store, so the idea is to get one, then buy a hammer and pay it off over time.
To get fancier about it, they might join up with a “data furnisher” who works at a business and will write up a phantom credit account for our spooky friend, showing scheduled payments made over time to speed things up. There’s an entire industry around this because the stakes are very high.
The most common way is to conjure up children. This is because, for the eighteen years or so after most kids are born, they don’t do anything with their credit.
During that time, anyone who establishes a credit file for the young one in question would likely be free from any interference until someone notices—that’s typically at just about the worst time: when the kid applies for a college loan.
The best way to protect against misuse of your child’s credit is the same as it is for yours: Check it regularly, and check on it as often as you can. Should you happen to see fraudulent accounts, yell early, often, and loudly.
If you are on active duty in the military, it is recommended that you put an active duty alert on your own credit files by contacting any one of the three major credit agencies.
Credit agencies all share active duty alerts. Each alert will stay in your files for at least twelve months. If someone applies for credit in your name, creditors will take extra precautions to make sure that the applicant is really you.
Here’s how to apply the lessons of this blog, whether you’re looking for basic safeguards, enhanced security, or super-spy measures to safeguard your privacy.
Use strong passwords.
Use different passwords for every site.
Use a password vault program.
Never share your login information with anyone.
Don’t click on suspicious links or download unexpected files.
Always use two-factor authentication.
Don’t get your kids Social Security cards unless necessary.
Check your kids’ credit at least quarterly.
If any service provider’s site uses weak KBA, take your business elsewhere.
File your taxes the old-fashioned way, on paper.
Eschew electronic information wherever possible.
WHAT LAWS PROTECT YOU?
In virtually every place you care to look, identity theft is considered a federal crime.
But it can still be next to impossible to actually get a federal office to investigate your individual case of identity theft—well, unless you are famous, or rich, or there is something larger at stake connected to the theft itself.
Most states have their own laws against identity theft as well, and your local police department may have a program that can help you—ask them what resources are available in your area.
Ultimately, however, you may simply be on your own, as it can be difficult to track down a specific perpetrator of identity theft (especially given that you may just be one of many victims caught in the same sweep). Usually, the best you can do at the local level is work to limit the damage done and clear your name.
WHERE THE MONEY IS
In his autobiography Where the Money Was: The Memoirs of a Bank Robber, America’s most celebrated bank robber, Willie Sutton, denied ever saying that he robbed banks because “That’s where the money is.” Nonetheless, it’s a great line. And for cybercriminals, it’s a directive. Where is the money these days? On the internet.
Even garden-variety spammers and botnet managers can expect to bring in $20,000, $30,000, even $50,000 USD a week.
If you’re bad at it, you’ll make less. If you’re good at it… well, the FBI said that the hacker and criminal-empire builder known as Dread Pirate Roberts was earning $1 million USD per week before his arrest. That’s seven dollars and fourteen cents every second.
And you don’t even have to be a criminal to pull down big bucks from hacking—even the so-called “white hat hackers” (also called “ethical” hackers) can have a payday, too.
The FBI is said to have paid a cool million for the hack that enabled the bureau to access the iPhone belonging to one of the suspects in the 2015 San Bernardino mass shooting, and in September of 2016, Wired magazine reported that a high quality, previously unknown iPhone hack had been sold for $1.5 million USD.
In short, both bad guys and good guys hack… because that’s where the money is.
THE ELECTRONIC ECONOMY
When the average person thinks of the economic side of cybercrime, what comes to mind is theft… someone stealing your credit cards or other funds electronically. And, indeed, this is a massive business, with some $15 billion USD stolen electronically every year.
However, there are other sketchy ways that money changes hands (or flies out of your wallet) online. In this blog, we’ll examine a number of them—and how to protect yourself.
Identity Politics Often times, a phishing expedition or other sort of identity theft is just the first step in a series of attacks. While an identity thief may use data stolen from you for a number of purposes, as discussed in the previous blog, the most common is to steal your money or use your identity as a shield for a larger theft.
That’s why it’s so crucial to do your due diligence when you discover identity theft or fraud. After all, your credit card will almost certainly refund any fraudulent charges as long as you promptly report the card missing and file a police report, if required.
However, if the thief then goes on and uses your identity to front a multimillion-dollar international con game, that would be a little less easy to resolve with a call to your local customer service rep.
Shady Sales Criminals don’t have to steal your identity to get their hands on your money. You might be willing to hand it to them with a smile.
We’ll talk about the deep end of unofficial online markets in future blogs, but know that you don’t have to be buying an AK-47 or a kilo of heroin to be part of the underground economy. It can be much more mundane on the so-called gray market.
There is a multitude of ways that criminals can steal your data, from hacking into computers to pulling confidence scams.
A particularly cruel form of cyber theft targets the elderly. Every year, American senior citizens lose $2.9 billion to financial fraud. A study published by the National Health Institutes concluded that, basically, the older you get, the more susceptible you are to scams. Age was a stronger predictor than financial acumen, wealth, education, or health.
That’s why so many online scams target the elderly. The over-seventy set is less likely to be computer savvy and thus falls prey to the “tech support phone call” scams, in which a helpful young man informs you that your computer has been malfunctioning; for just $29 USD, he can fix the problem. All he needs is a credit card number. This scam also manifests in a more aggressive form, as an “IRS auditor” calls to demand immediate payment on mysterious back taxes.
Wherever in the world you’re located, you can find helpful tips on spotting and fighting common scams at the American Association of Retired Persons’ website, updated monthly as new scams emerge.
Health and Beauty Products Gray-market sales of health and beauty aids run to 20 percent of authorized sales in most markets… and as high as 50 percent of authorized sales in some. That may seem harmless, but knockoff makeup and toiletries can cause severe allergic reactions, so shop accordingly.
T/F TONER IS WORTH MORE THAN GOLD
TRUE Toner cartridges for your laser printer are ridiculously expensive, and most of what you’re buying is the cheap plastic casing. The cost and the value to the consumer are in the few ounces of toner inside. Online fakes routinely sell for 10 to 20 percent of retail but could destroy your expensive printer. Don’t risk it.
Another example of these economic forces is that of cigarettes. Highly taxed, simple to produce, and high-value by weight, cigarettes are perfect for counterfeiting.
Do counterfeiters take advantage of this? Well, consider that border authorities in the UK intercept an average of one million counterfeit cigarettes—every single day.
Watch for Counterfeits Some items are so prone to counterfeiting and knockoffs that, if you must buy them online and want to ensure they’re real, you should buy only from reputable sellers.
Shoes from Zappos, toner from Staples, car parts from AutoZone, or CDs from Amazon are likely fine due to the strict controls used by these major retailers.
The same goods from unknown sellers on eBay or Alibaba are almost certainly fake. That’s okay for stockings, less so for your auto parts.
Never Ever Some things you should just never buy sight unseen online. This list includes significant assets, such as cars, boats, real estate, and so forth, which likely won’t exist when you try to claim them; high-end jewelry; and prescription drugs or anything else your health or life might depend on.
As easy as it is to use your mobile phone to check your bank balance, pay bills, or transfer funds, you should still be wary, or even dispense with doing mobile banking entirely if you can.
Aside from the obvious risk of losing your phone or having it stolen with any pertinent personal info on it (especially if you happen to have left it unlocked and unencrypted), there are two major issues with mobile banking:
The apps offered by most banks do not support two-factor authentication and furthermore, many of the apps will accept any sort of security encryption info—even false info that a hacker can use for a man-in-the-middle attack on the bank’s security and thus the security of your own account as well.
You have to wonder: do these crazy schemes actually pay off? Given that they pop up over and over, they must pay off often enough that some people keep trying them, it would seem.
Stranded in London One modern scam takes advantage of how common global travel has become. The “Stranded in London” gambit begins with someone hacking into your email account and harvesting all of your contacts.
Each is then sent an urgent message saying that while on a trip to London you were arrested or mugged or injured and hospitalized.
The story varies but always ends with a desperate plea for the recipient to wire money immediately.
The same virus that steals the contacts also shuts down the email account, so you don’t see the emails from concerned friends and family asking whether you’re okay, how you got to London, and which hospital you’re in. Versions of this are also used after the takeovers of Facebook accounts.
If this sounds familiar, it’s because the Spanish Prisoner is the basis for the entire family of confidence swindles known as “advance-fee fraud.” As you can see, this isn’t exactly new—the Times article pointed out that the scam was—in 1898—already an old one.
Make sure your money stays in your pocket (or your bank account or online wallet) by taking the measures below—at the very least you must apply the basics.
Follow up on mystery bills or collection calls immediately.
If you lose your wallet, report all cards missing immediately.
If you get a text or email from your bank asking you for the info, call a branch to make sure it’s legit.
If a get-rich-quick scheme seems too good to be true, it almost certainly is.
Check your credit report regularly.
File a police report after fraud of any amount.
Only use chip-and-signature cards (or chip-and-PIN when available).
The idea behind every one of the scams you’ll find within this blog, from the historic to the modern, from the in-person grifter to the fictional Nigerian banker or prince halfway around the world, is the idea of the “con.”
These scammers are working to gain your trust in order to convince you to bring them into your confidence (hence the term) and to make you believe that their sob stories or their threats or their bribes are true. As the old saying goes: “If the story sounds too good to be true, it probably is.”
Before you react right off the bat—whether you’re doing so out of charity, fear, or a desire to get in on the riches—take a moment to pause, think it over, and spend a few minutes to do some research. More often than not, you’ll discover that it’s just another con and shouldn’t be trusted.
PROTECT YOUR PRIVACY ONLINE
As high-speed internet connections become available around the world, more and more of our lives are migrating online. People keep their résumés on LinkedIn, tweet links to their Instagram feed, and use Facebook for pretty much everything. And those photos and videos that used to eat up your hard drive space? You stashed those online, right?
After all, if everything is password protected, it must be secure! That’s the promise of “the cloud,” a fluffy name for a network of servers on the public internet that let you stash your private documents, photos, and more. Imagine a massive train station with multiple banks of lockers.
Anyone can enter the station, but if you stash your valuables in a locker, only you have the key that can open it—until someone secretly duplicates your key (i.e., steals your password) or just pries it open with a crowbar (i.e., uses malicious code that compromises your private files).
The cloud is growing every day—and not just with private files. Massive companies such as Amazon, Microsoft, Google, and others are migrating from earthbound data centers into cloud systems, too.
In other words, a lot of private data is going into a public space. If the last two blogs have taught you nothing else, it should be that this trend is like catnip for cybercriminals.
NOTHING TO HIDE
One of my friends is fond of saying, “Unless you called the police, don’t talk to the police.” He happens to be a thirty-year veteran police commissioner who probably knows what he’s talking about.
Why is this relevant here? Because the idea that “I haven’t done anything wrong, so I don’t need to worry about being hacked” is about as naive as the thought that “maybe if I explain to the officer that those drugs weren’t mine, he’ll let me go.”
So, why should you lock down your Facebook profile when all you post is pictures of your cat? Because an open, unprotected profile is easily hijacked. The next thing you know, Mrs. Whiskerson is wanted by Interpol for money laundering.
Or a hacker using your name and email is asking all of your friends for a $100 USD loan. Guard your social media and other online accounts as carefully as you would other information.
FROM RUSSIA, WITH SPAM
So assuming that the Russians, in some form or another, hacked the 2016 election in the United States, how did they do it? The size and complexity of the scheme are still being discovered, but here’s one piece of it.
Democratic candidate Hillary Clinton’s campaign website was likely attacked by a Russian-linked criminal group using a targeted spearphishing barrage designed to look like it came from the Clinton campaign.
The campaign’s email system was breached, and those emails went out to her supporters. A whole lot of people who received those bogus emails clicked on them without a second thought.
Each click got the hackers more access and information until they were able to access the campaign runners’ accounts. The breach damaged the Clinton campaign multiple times before election day.
THE TRUTH IS OUT THERE
As an increasing amount of our data is stored online, and our everyday lives unfurl in public, personal privacy and reputation come under threat in a number of new ways.
And that means you need to update your strategies for staying safe. In earlier blogs, we’ve talked about broad-spectrum operations that seek to steal as much data as possible in the hopes that something will prove useful.
In character attacks, the intention is often more personal and targeted, with the goal of damaging a specific person or group’s reputation. These antisocial urges are nothing new, but technology makes it much easier to act on them. Back in the old days, people sought movie stars’ racy photos through bribery or theft, but that was time-consuming and expensive.
And starting a nasty rumor? Sure, you could gossip, but how far would those lies really go? Today’s troublemakers have more tools at their disposal that work anonymously—but you can still protect yourself and fight back. First, let’s look at how they find your secrets.
UP IN THE CLOUD
What we call “the cloud” is really just a bunch of computers sitting in data centers around the world talking to each other through global networks.
These days, folks at a new start-up are likely to spend less time thinking about how many servers they need and more on how many cloud-computing resources they can use instead.
The cloud provider takes care of all the hardware, software, security, and physical assets through these data centers, and it also assumes much of the risk of owning lots of technology.
By relying on such infrastructure giants as Microsoft Azure, Citrix, Oracle, Google, and others to provide the basic infrastructure, as well as tens of thousands of companies to handle all the details, that new business can start up faster and focus on what it does best, as opposed to managing expensive, space-hungry server farms. Sounds awesome, right?
As more and more companies go completely cloud-based, new vulnerabilities arise. While cloud providers are very careful about protecting their own resources from being hacked and destroyed, they are less able to influence what happens once data shifts into areas controlled by their customers.
So, for example, it would be extremely difficult to successfully attack Amazon and gain control of its servers. But once that data has been dispatched to, say, an individual user’s Dropbox account, it gets a lot easier.
We don’t believe for one second that Netflix, or Amazon Video, or Gmail, or Dropbox are inherently insecure. But they rely on users, and users make mistakes. In fact, most hacks begin when someone makes a mistake.
Picture a real-life delivery system: No matter how well the U.S. Postal Service protects your deliveries, once the mail is in your mailbox, it’s your responsibility. If it gets stolen, you can’t blame the letter carrier.
Remember: Even though John Podesta’s weak password may have played a role in the spearphishing attack on the Clinton campaign’s official email, the attack would never have succeeded without a whole bunch of people absentmindedly clicking on an unfamiliar link.
This blog talks about how to avoid those mistakes, what can happen if you don’t, and how to clean up any resulting mess.
What we loosely refer to as the cloud is an ever-evolving collection of hardware and software—the servers that make up the infrastructure and the platforms and applications that let end-users access it.
I used to think the internet was fun: posting updates about my life on Facebook, creating a LinkedIn profile to network professionally, tweeting random thoughts, and taking pictures of the world around me to put on Instagram—nothing prolific, just little things.
Friends gave me advice about how online profiles could help my career in a future in which people would read about me online instead of talking to me in person. I trusted that the internet was a safe place to be.
Wow, how wrong I was!
I was thirty-seven years old when someone began to harass and cyberstalk me online. It began with false reports about me personally and professionally over numerous sites, from Twitter to Google+.
The stalker created fake profiles of me on escort sites, harassed me on social media, and threatened me over the phone. Once, I was even sent a used condom in the mail, along with a note.
Then the cyberstalker raised the stakes and began to attack my friends, my family, and my company. When I didn’t comply with the demands made of me, my tormentor posted bogus rip-off reports and reviews of the company I worked so hard to build. Every part of my life was targeted.
Until this began, I had never really understood the power of the internet or given very much thought to how I could navigate it safely.
As the cyberstalking intensified, as more information about me was posted in more places, I felt increasingly alone and that the rest of the world doubted me before even meeting me.
I would walk into business meetings and be asked right away about intimate things no one would mention in the company of their own children, but because it was online, it was considered fair game.
People believe what they read online. Despite my efforts to set the record straight, I ended up losing contracts and ultimately my job. I couldn’t trust anyone around me. I was under attack on all fronts. Some even exploited the situation to pressure me for money, blaming me for the impact my stalker had on their lives.
“FOR THEM, IT WAS A SICK GAME; FOR ME, IT WAS REALITY.”
Two years of relentless psychological terrorism left me feeling hopeless, helpless, and powerless. I had been completely violated.
I had nowhere to turn since all of my attempts to involve the FBI and local police were met with the same answer: “We don’t have the resources to help with a situation that doesn’t involve murder.”
All I wanted was the answer to a simple question: “Why me?” Why would a stranger have so much hatred and feel the need to destroy a hardworking woman?
My now-husband and I had just started dating, and so it seemed likely that the attacks started out as an attempt by some unknown person to break us up.
Instead, it forged us in the fire. We were both broken to our cores, but we found our true love. We were married in the middle of this merciless attack, and now I have a teammate who is at my side until the end.
Two years on, the attacks still continue. I was advised that if I keep a low profile the attacker would eventually lose interest, but so far that has not been the case. So this year, I decided that I’d had enough. I decided to create a blog outlining all that had happened to me and the tools I found useful.
I am making sure my voice is heard. There are very few places to turn, and many are scams that cannot help you. My personal blog, Stalker Exposed, explores in-depth the harsh realities of what can happen when someone wants to hurt you online. It is meant to serve as a reminder to everyone to take action and be safe online. —Amanda Nickerson
Amanda Nickerson believes that the best protection online is to have a good password and two-factor authentication on every site you can. As a proactive measure, bolster your legitimate online presence and keep it up to date.
This is huge: The less there is online about you, the easier it is for trolls and stalkers to make your life difficult. Laws lag far behind the modern tech, and many of the companies that host mean and outright made-up content on blogs don’t even respond to complaints or demands. You’ll end up having to hire lawyers to do takedowns.
Spend your energy on genuine and meaningful content about what you truly do instead of sinking time into fighting lies. Google rewards solid content with better rankings. It takes time, but your peace of mind and career will benefit from a concerted effort to curate a solid body of online content about yourself and your interests.
You might not be able to stop someone from spreading fake stories about you, but you can make the harasser less likely to be taken seriously or even seen in search results.
Every month, check again to see what pops up. If your first check reveals nothing unusual, this exercise is just a formality. If, however, you discover that someone is trying to make you look bad, step up efforts to generate accurate content. Over time, the real you should rise in the rankings, while illegitimate sites fall away.
WATCH OUT FOR TROLLS
Unfortunately, there’s no shortage of women on the internet who still have to face random and sometimes extremely vicious harassment for little or no discernible reason or cause.
While we fervently hope that in a few years our admonitions will seem as quaint and antiquated as a warning about spotting a dishonest footman, right now we’d be remiss not to touch on this unsavory topic.
Women working in traditionally male-centric fields, such as gaming or technology, probably face the largest amount of abuse, but trolls can sometimes fixate on the strangest of things.
One freelance journalist was testing blogging tools in order to set up a site; she posted a single goofy article on why she loves broccoli before abandoning the blog. Yet even this one article somehow touched a nerve: An unhinged stalker found that single post and made her life hell for more than a year.
He made rape and death threats (the standard currency of the sexist troll), PhotoShopped her head onto pornographic images and mailed them to her employers and family, and even showed up outside her apartment to intimidate her in person.
The threats never rose to a level that could get law enforcement involved, and it took her years to undo the damage. She still writes under a pseudonym and is very cautious about using any social media. Sound like a one-in-a-million crazy story?
WHY THEY DO IT
Popular writer Lindy West was plagued by a troll who got under her skin by creating a Twitter account in the persona of her recently deceased father to pepper her with insults and threats in his name.
She wrote a fascinating piece about how painful this was—and unexpectedly got an email from the man behind the account.
The resulting conversation (which you can hear on the popular podcast This American Life) was both illuminating and ultimately frustrating. He said that when he started harassing her, he was filled with self-loathing and was infuriated that she, a self-described fat woman, could be happy and successful.
Why did this inspire him to torment and harass her? He had no good answer. It just seemed like the thing to do.
DON’T BE DISCOURAGED
So, what’s the takeaway for the average reader? Despite all of the above, the odds of this kind of random, sustained harassment are low.
And, counterintuitively, while raising your profile may attract trolls, it will also give the kind of robust, impressive online presence that makes it more difficult for them to harm you. If you are harassed, report and block as necessary, and don’t let them scare you away.
Modern commerce means doing business with all kinds of people you’ve never met but whom you still need to be able to trust. That’s where online reputation comes in.
Just as you have a reputation in your community, your school, your family, and with your friends, you also have one online that is based on your browsing history and activities.
The concept of online reputation was pioneered by the auction site eBay. As a global marketplace connecting buyers and sellers, the company had to offer tools to assure users that the strangers they are buying from are trustworthy.
If you use eBay, your reputation is based on whether you communicate well, pay on time, and send what was ordered… or whether you tend to stiff buyers or raise hell over trivial matters. On Uber, your ratings are those assigned to you by drivers after each ride. Airbnb users rate your home online, and you, in turn, rate their performance as guests.
Right now, reputation is not transferable—eBay users don’t have access to your Amazon rankings, and Uber drivers can’t see what Lyft thinks of you—but that might well change in the future as the concept develops.
EYES AND EARS
In a 2016 photograph depicting Facebook CEO Mark Zuckerberg sitting at a desk, security folks noted that there was a piece of masking tape over the camera of his laptop.
To those who wonder whether Zuck was being a little paranoid, he wasn’t. In fact, a closer examination showed that he had also disabled the microphone.
It was back in 2007 when I saw the first demonstration of a remote hack that stealthily turned on a user’s camera and microphone, made a video, and sent it someplace, all without alerting the user. And technology has really advanced since then.
To be safe, cover web-enabled cameras and microphones with masking or duct tape until you want to use them. This is what security nerds call a positive security model—that is, “deny by default, and allow by exception.”
SNATCHING SECRETS FROM THE AIR
Hackers love Wi-Fi because these networks form one of the weakest points in an average user’s online activity. And once they’ve breached your Wi-Fi, they can do a lot more than download Netflix on your bandwidth.
A hacker can track and hijack the data you send and receive and use your connection to commit any number of crimes that could then be traced back to you.
I’ve been on cases where the police literally kicked down a door, guns at the ready, to bust a major child pornography operation… only to find a very scared and confused older couple whose system had been hijacked.
In that case, they were lucky the responding officers knew enough about cybercrime to suss out the situation. Not everyone is so lucky. Read on to learn some of the most common risks you face when going online wirelessly and how to defeat them.
At Home Loads of home networks are completely unsecured, which means they don’t require a password for access. This exposes everything you transmit over that Wi-Fi connection to potential interception, and if that sounds like spy stuff, it shouldn’t.
You can learn how to harvest this bounty of information, if you are so inclined, with free software and instructional YouTube videos.
Some networks are password protected, but the typical home user usually retains the default password that came with their wireless router.
If this describes you, you may not be shocked to learn that there are entire websites dedicated to cataloging the default passwords for nearly every router ever made. Secure your home network with a strong password and change it often to increase security.
In Public Hackers love coffee shops and hotel lobbies. Harried travelers and groggy commuters constantly use free public Wi-Fi connections with no thought for safety.
If the networks are unsecured, they can be “sniffed” just like your home network. If they are secured, hackers may set up a second network, with no password and a deceptive name, right alongside the real one.
For example, search for Wi-Fi on your phone the next time you’re sitting in the lobby of a large hotel. You may well see a long list—some of them belonging to nearby residences or businesses.
They may even be cleverly named to be listed alphabetically above the real network and therefore easy to select. Always ask for the name of the business’s official network, and if you have the choice of a password-protected option, take it. It might even be worth paying a modest usage fee for enhanced security.
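A defender-side check for the risks just described (open or WEP networks, and a look-alike or same-name hotspot set up beside a venue’s real network), added here as an example; it is not code from the original post. The scan records, the SSID “GrandHotel Guest” and the MAC addresses are constructed.

```python
"""Triage a Wi-Fi scan for open/WEP networks and hotspots that imitate the venue's
official SSID. Added example; the scan below is constructed, not a real capture."""
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str
    security: str   # advertised mode: "OPEN", "WEP", "WPA2-PSK", "WPA3-SAE", ...
    bssid: str      # access-point MAC address (constructed values below)


# Constructed scan, modelled on what a hotel-lobby scan might show.
OFFICIAL_SSID = "GrandHotel Guest"
SCAN = [
    Network("GrandHotel Guest", "WPA2-PSK", "00:11:22:33:44:01"),   # the real one
    Network("GrandHotel Guest", "OPEN", "00:11:22:33:44:02"),       # same name, no password
    Network("Grand Hotel Guests", "OPEN", "00:11:22:33:44:03"),     # near-duplicate name
    Network("Acme Dental", "WPA2-PSK", "00:11:22:33:44:04"),        # unrelated neighbour
    Network("linksys", "WEP", "00:11:22:33:44:05"),                 # legacy encryption
]


def normalize(ssid: str) -> str:
    """Fold an SSID to lowercase ASCII letters and digits so cosmetic variants
    ("Grand-Hôtel Guest", "grandhotel_guest") compare equal."""
    folded = unicodedata.normalize("NFKD", ssid).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.lower() if ch.isalnum())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means one name imitates the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(networks, official_ssid):
    """Return {bssid: [issue, ...]} for every network that carries a risk."""
    official = normalize(official_ssid)
    # Security modes seen per exact SSID, to spot a same-name twin without a password.
    modes_by_ssid = {}
    for n in networks:
        modes_by_ssid.setdefault(n.ssid, set()).add(n.security.upper())

    findings = {}
    for n in networks:
        issues = []
        sec = n.security.upper()
        if sec == "OPEN":
            issues.append("open network: anything sent over it can be sniffed")
        elif sec.startswith("WEP"):
            issues.append("WEP: broken encryption, treat as open")

        name = normalize(n.ssid)
        if n.ssid == official_ssid:
            if len(modes_by_ssid[n.ssid]) > 1 and sec == "OPEN":
                issues.append("same name as the official network but no password: likely a fake twin")
        elif name == official or official in name or edit_distance(name, official) <= 2:
            issues.append(f"look-alike of official SSID {official_ssid!r}")
            # The trick described above: a name that sorts above the real one in the picker.
            if n.ssid.casefold() < official_ssid.casefold():
                issues.append("sorts above the official network in an alphabetical list")

        if issues:
            findings[n.bssid] = issues
    return findings


if __name__ == "__main__":
    for bssid, issues in triage(SCAN, OFFICIAL_SSID).items():
        print(bssid, "->", "; ".join(issues))
```

Feed it whatever your platform’s scanner reports (SSID, security mode, BSSID) after asking staff for the official network name; anything it flags is a network to avoid.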
SURE SIGNS YOU’VE BEEN HACKED
Despite your best efforts at keeping your network locked down, there’s always a chance that a black-hat hacker has broken into it. Luckily, there are plenty of ways to tell if that’s happened.
Here’s a list of potential symptoms to diagnose a compromised network. (There are plenty of other possibilities out there, too; if something just doesn’t feel right about your network, dig deeper and you might find something as the result of a hack.)
Missed Connections If your network is running slowly during an apparent quiet time, it could be the result of someone else using your bandwidth. Too many connections from too many users can clog a network, especially a smaller one. Check and see who’s logged on, and make sure the devices belong to people you know and trust.
A Lack of Control Are you unable to log on to the network? That may indicate that the login or password has been changed—a sure sign someone else has gotten in and locked you out. Be sure you change your network’s default password at the very least.
Taking a Drive If your machine’s hard drive is running slower than usual, and you notice the activity light flashing a lot more than it should, look into the situation a little further: Your antivirus software could be running a scan—or someone could have broken in and used malware to scan your disk looking for interesting data to steal.
Shields Down Is your antivirus software disabled even though you swear it was set to start every time your machine boots up? Or even though you swear you just restarted it five minutes ago? A malware infection can often disable antivirus software.
Unexpected Wares Your browser window didn’t have that toolbar the last time you used it. And those pop-up windows weren’t authorized either. What program just started during bootup? You didn’t set that up, did you? Check to see if any extra software has been installed that you didn’t put in yourself. Chances are it’s the result of a hack.
No Shutdown The system won’t shut down when you tell it to? You could be prevented from doing so by a hacker who wants to stay on the system. (But you can always pull the plug.)
WI-FI HACKING IS SO EASY, A KID CAN DO IT
TRUE You don’t have to be trained in information technology work, or even be an adult, to know how to break into someone else’s system. All you really need is a computer with internet capability and a surprisingly short amount of time.
This was aptly proven during an ethical hacking demo in London in 2015 when seven-year-old Betsy Davies was shown a free YouTube video tutorial on how to fake a public Wi-Fi hotspot, then used it to get access to volunteers’ computers—and in no more than eleven minutes.
In short, anyone could be a hacker—even a kid on a laptop in a nearby library or coffee shop. And a skilled hacker with the means and the intent can do a lot more damage than a curious kid.
THE PROBLEM OF OVERSHARING
Lots of parents think their kids share too much info online, and they’re right.
But while adults may be less likely to suffer physical harm, bullying, or ridicule than their offspring, they’re often just as guilty of sharing too much with their friends on social media—and the personal, financial, and career consequences can be significant. Consider just a few cases of grown-ups not practicing what they (hopefully) preach.
Watch Me Fly The CEO of a major gaming company spoke publicly about battling a series of hacks from an adversary called Lizard Squad. Sometime later, he posted online about a trip he was about to take.
The hackers identified the specific flight he would be on and forced it to divert by tweeting a bomb threat to the airline. If the executive hadn’t provided sufficient data for the hackers to figure out his travel details, his business trip wouldn’t have been disrupted.
Expensive Tweets Michael Dell, the tech executive, pays millions of dollars a year for security to protect his family from potential kidnappers and other dangers.
Finding that his teenage daughter had tweeted links to photos of a family trip, with details on where they’d be for the next few weeks, was probably a little frustrating, as evidenced by the swift disappearance of her Twitter account.
Feeling Indiscreet The Israeli army was forced to cancel a military operation after one of the soldiers taking part in it posted the location and date of their planned attack on Facebook.
BUGS IN THE HUMAN HARDWARE
Security consultant and former hacker Kevin Mitnick has said that it’s often far easier to talk someone into giving you their password than to try to break into a system yourself. That’s where social engineering comes into the picture.
While not necessarily a con in and of itself, social engineering can be part of a con scheme.
Either way, it involves manipulating a person into giving up sensitive information or performing actions that allow the “engineer” to acquire the information: an account login, email, password, credit card, or other sensitive material.
Remember that most businesses do not ask clients for their personal information, and most social engineering attempts are never even made in person. It comes down to trust… so, do you trust who’s emailing you or calling you?
Set all social media privacy settings as high as possible.
Password-protect home Wi-Fi and encrypt with WPA2—never WEP.
Don’t accept friend requests from strangers you have not met personally.
Only use the internet in incognito mode.
Google yourself regularly and check what’s said.
Never use public Wi-Fi without a VPN.
Restrict what you share on social media.
Keep nothing unencrypted in the cloud.
Cover all computer webcams and microphones with electrical tape.
Change usernames frequently.
IS IT SAFE?
Cloud storage gives us the promise that we can safely and securely store any data we wish, and retrieve it at will thereafter—especially useful for small business owners.
But the cloud is still ultimately a series of storage drives as part of a server in a location far away from your own—which means that any data stored there is likewise at a distance.
If you lose connection with that cloud storage, or if the server goes down due to a hack or power outage, or if your account is compromised, you also lose access to all that data you’ve stored.
Basic data files, like simple documents, are mostly safe. But think twice about storing anything sensitive in the cloud, such as personal identification info, tax documents, or intimate photos and videos. Only store something if you’re comfortable risking losing access to it or having it published somewhere online.
KEEP KIDS SAFE ONLINE
Ask parents what the fastest way to make their kid’s eyes roll is, and they’ll tell you it’s making the kid watch Mom or Dad interacting with technology.
The generation of parents who grew up without smartphones, iPads, or the internet lack credibility with their children when trying to warn them about online dangers. If Mom can’t figure out iMessage, how could she possibly know anything about internet safety?
This matters, because there are real dangers out there that your kids will almost certainly be exposed to—from online predators to annoying viruses that can destroy your data or encrypt your photos until you pay a ransom.
Not to mention your kid clicking a video link that results in a spam gang using your router for distributed denial-of-service attacks against Walmart.
Kids born after the internet—sometimes known by us oldies as “digital natives”—grew up with this stuff and think nothing of digging into system preferences and settings we might not even know about. Which, in turn, means they can probably circumvent little inconveniences like that parental control software you installed.
The good news is that protecting a kid online has almost nothing to do with software and everything to do with straight talk.
In a New Zealand study on internet safety, researchers gave children between the ages of one and fourteen free access to a computer with unprotected internet access and told them to look for whatever they wanted online.
Those kids ended up exposing the computer they were using to a virus within their first two clicks.
No matter which topic they searched for, those two clicks likely exposed them to as many as twenty ads, most of them leading to high-risk sites offering pornography, gambling, get-rich-quick schemes, and the like.
These kinds of sites are responsible for as much as 96 percent of the malware that’s used by cybercriminals to access your machine in order to steal your information for various criminal enterprises. Learning to protect your kids and your machines goes hand in hand.
The internet can create a false sense of privacy and community, with one-to-one conversations and anonymous screen names giving the illusion of private space.
Now, combine this with the natural tendency of teens everywhere to exaggerate, overshare, and test their boundaries, and you’ve got a recipe for all kinds of trouble.
CHECKING IN, CHECKING UP
In 2016, 60 percent of parents with teenagers told the Pew Research Center that they’d checked out their teens’ social media profiles and looked at the websites they visit, at least occasionally.
And a similar percentage have friended or followed their teens on social media. About half of parents look at their teenager’s phone call records or text messages and know the passwords to their kids’ phones.
Not surprisingly, younger parents are better at this—those under forty-five are much more likely to check up on teens and to check for the right stuff.
For example, although every parent is worried about predators, younger parents are more likely to seek evidence of kids texting with unfamiliar friends and to look at call records and text records to ensure their kids aren’t having inappropriate-sounding conversations with friends or strangers.
MONITORING YOUR TEEN
A majority of parents of teenagers aged 13 to 17 have monitored their kids’ web use. Here’s how many do what:
All too often, teens are their own worst enemies. For example, a fair amount of “child pornography” actually originates with the teens themselves and then falls into the wrong hands. A kid may take nude selfies to share with a crush, assuming the images will stay private.
Which they don’t. The recipient might forward or share the pictures with friends, or might post the images as revenge after a breakup. And even if no one intentionally shares the pics, phones get stolen, iCloud accounts are hacked, and USB drives go missing.
The results can be tragic. Too many kids have tried suicide after such photos went public, often after vicious bullying. In some jurisdictions, teens have been prosecuted and branded for life as sex offenders for having nude photos of themselves on their phones.
Time for Real Talk This isn’t a conversation any parent or child wants to have. But you need to, and keeping it fact-based is the key. Discuss real-life stories in the news, strategizing with your kids about how they’d handle these issues.
Make it clear that many of the people hurt by online bullies or trolls didn’t do anything wrong, but they still suffered.
The specific online dangers change and evolve, but the tools kids need to combat them remain the same. A warning that stalkers may follow users on Instagram, or data on which online game has the most bullies, will date fast.
Instead, encourage critical thinking by identifying the challenges and determining ways to avoid them. And always, always make it clear that you’re there for them and will have their back.
BULLYING AND MOCKING
Encourage kids to log, but not respond to, online bullying. If the bully persists, your child should feel comfortable coming to you for support. You should report it to school or police authorities.
Remind your kids that any private chat they have or image they share could go public. If they wouldn’t want it posted on Facebook or mailed to Grandma, tell them to think twice before they hit “send.”
PROFILING AND GROOMING
If a new online friend suddenly starts commenting on your kid’s Instagram, liking their Facebook posts, and retweeting them, be wary.
This is often a precursor to asking for sexy pictures or more. Whether it’s a cool-seeming stranger or a friend from school, teach your children to be careful.
Secure Your Network Your first step is to establish control of your Domain Name System (DNS) servers. The DNS is the basic lookup tool used by everything on the internet to map a name to an IP address (which is a series of numbers, such as 18.104.22.168).
We recommend setting your routers and devices to map to a DNS security site such as OpenDNS, which offers some basic free services that can help you control the sites your kids can visit, as well as premium options that allow for more customization. Your router may provide other parental control features as well, so check the specs online.
Secure Your Computers Remember, you’re not protecting the computer from your kids. You’re protecting your kids from danger. (Okay, fine, you’re also protecting the computer from your kids.)
Either way, you should password-protect your BIOS on Windows and Linux machines, or your firmware on a Mac, to prevent anyone from booting a different operating system from a USB stick or disc and bypassing your controls.
If this sounds like gibberish, don’t worry. Google the key terms and you’ll find helpful step-by-step instructions (as well as helpful instructions for your kids on how to confound you—read those too!).
Give your kids nonadministrative and highly locked-down user accounts so that they cannot install software or make changes without your approval. And, of course, choose a strong, almost-impossible-to-guess password.
Secure Your Kids This is the most likely point of failure. Remember, even if you successfully keep your children from accessing any “adult” sites, they can still be cyberbullied or stalked online by predators who know how to “groom” kids by empathizing with how mean and controlling their parents are. So, honesty is the best policy.
These conversations should be age appropriate but specific: “There are bad people out there, and even though it feels as if you’re anonymous on the internet, you’re not.” The point is not to scare them but rather to make them understand that the threats are real—and this isn’t just you being overprotective.
MASTER OF YOUR DOMAIN
You’d like to be able to trust that your kids are staying safe while using the internet, but just in case you need to keep an eye on them, there are ways.
A home-based domain system (with its own URL) allows you to link multiple computers together and access information on a shared network while bypassing your internet service provider to save on time and bandwidth.
This whole mini-network can be protected from outside access with a firewall—and, properly configured, can also keep a log of any traffic going out to the internet, such as your kids’ browsing history.
The logs can record the time and date of the access, which device on the network it was done with, and the full web address and domain name, so you know where and when they’re doing their browsing and with which mobile device or computer on your network.
Plenty of companies offer services and software to build a home DNS, and there is no shortage of tutorials online that detail how to create your own.
When looking for parental-control software for your household, you’ll find a range of options. Here are features we think are most important.
Be Inclusive Cover all platforms—Windows, Mac, iOS, and Android.
Set a Curfew Look for the ability to set times when the internet won’t be available to the kids.
Stay in Control Look for remote management, monitoring, and control through a mobile app.
Know Now Set real-time alerts to text or email you if anyone tries to access a blocked site or search certain keywords.
Get Social Get your kid’s social media logins and install software that alerts you to words or phrases and/or sends you random screen-grabs. Promise your kid you won’t abuse your access, and keep that promise faithfully.
When we use the word “surveillance,” it’s enough to make some parents cringe. Is that kind of thing really necessary? It sounds so… Orwellian.
And what about letting kids make their own mistakes? Well, that’s a nice idea when it comes to riding a bicycle or playing ice hockey, but on the internet, it’s possible to make mistakes that come at a serious cost.
Kids have literally had their lives ruined as a result of something that started as harmless (to the kid) pranks. This isn’t us being overly dramatic. Teens who send nude photos can end up on a sexual predator registry for life, which greatly restricts the jobs they can have, where they can live, and more.
3–4 INTERNET GUIDELINES
Install positive security controls (which allow you to spell out what to access; everything else is off limits).
Activate Google Safe Search.
Allow downloaded and single-player online educational games only.
WHAT TO WATCH FOR
Anything you didn’t load yourself.
Practice shared online time.
Utilize kid-safe search engines.
WHAT TO WATCH FOR
Read all emails.
Read chat content.
Be sure you recognize all chat partners.
Make sure nothing’s getting through the Safe Search settings.
Introduce kids to the idea of cyberbullying, and discuss how to protect against mean kids online.
Be sure to explain why oversharing is bad while keeping the discussion age appropriate.
Limit online time.
Set an audit trail through software or a router.
Limit social media.
Check social media interactions on all devices.
WHAT TO WATCH FOR
Check your server and DNS logs regularly for inappropriate content or activity.
Start talking about basic operational security (what not to reveal online, how to tell if someone might be a bad person, and so on).
Do more consistent social media monitoring.
Set up Google keyword search alerts.
WHAT TO WATCH FOR
Porn, gambling, meme, or image-sharing sites (which can have inappropriate content).
Pop-ups and adware.
Third-party toolbars and helpers.
Time to have that awkward talk about adult content!
Keep talking about online security measures in more complex terms.
Monitor in-app purchases, set limits as necessary.
Monitor mobile hot spots.
Check on chat software; make sure you know every app your teen is using.
WHAT TO WATCH FOR
Watch for “sneaking” of computer access. Check time logged on versus how much you actually see your kid using the computer.
Begin conversations about family responsibility, such as protecting the house from theft.
Make sure your kid knows how to spot online predators.
Start talking about college applications and what your kid’s social media profile conveys to those schools.
Check texts and IMs occasionally for inappropriate images or messages.
By now, you should have established a respectful, trusting relationship. Good job! But don’t slack off until that kid is actually an adult.
WHAT TO WATCH FOR
Dual-boot or bootable OS sessions.
Check browsing history: Your router or ISP may have DNS logs that differ from your browser’s history (which can be scrubbed).
Keep the conversations going; be sure to praise good behavior.
Review your teen’s online footprint together; play the part of a college admissions officer or potential employer.
Do occasional Google searches of your kid’s name.
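As an added example (not code from the book), the script below does what the "audit trail" and DNS-log checks in these guidelines describe: it parses a home resolver's query log, applies a per-device allowlist (the "positive security controls" idea, where everything not spelled out is flagged), and lists domains the DNS log saw that a browser-history export does not contain. The dnsmasq-style log lines, the IP-to-device table, the allowlist, and every domain name are constructed assumptions for this example.

```python
"""Added example: summarise a home DNS query log per device (not the book's code).

Assumptions, all constructed for this example:
- the resolver writes dnsmasq-style lines:
  "<date> dnsmasq[pid]: query[TYPE] <name> from <client-ip>"
- a small table maps client IPs to family devices
- a per-device allowlist implements "positive security controls": any domain
  not on it (or under it) is flagged
- a browser-history export is just a set of domains, so we can show what the
  DNS log knows that a (possibly scrubbed) browser history does not
"""
import re
from collections import defaultdict

# Constructed sample log in dnsmasq query-log format (one "reply" line to skip).
SAMPLE_LOG = """\
Mar  3 19:02:11 dnsmasq[812]: query[A] kids.example-learning.org from 192.168.1.23
Mar  3 19:02:12 dnsmasq[812]: query[AAAA] kids.example-learning.org from 192.168.1.23
Mar  3 19:40:55 dnsmasq[812]: query[A] cdn.example-memes.net from 192.168.1.23
Mar  3 20:15:03 dnsmasq[812]: query[A] mail.example-bank.com from 192.168.1.10
Mar  3 22:31:47 dnsmasq[812]: query[A] chat.example-unknownapp.io from 192.168.1.41
Mar  3 22:31:49 dnsmasq[812]: query[A] www.example-homework.org from 192.168.1.41
Mar  3 22:31:50 dnsmasq[812]: reply www.example-homework.org is 203.0.113.7
"""

# Constructed mapping of LAN addresses to family devices.
DEVICES = {
    "192.168.1.10": "parent-laptop",
    "192.168.1.23": "kid-tablet",
    "192.168.1.41": "teen-phone",
}

# Positive security controls: only these domains (and their subdomains) are
# expected from each monitored device. Devices not listed here are not monitored.
ALLOWLIST = {
    "kid-tablet": {"example-learning.org"},
    "teen-phone": {"example-homework.org", "example-learning.org"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<ip>\S+)$"
)


def parse_queries(text):
    """Return (timestamp, device, domain) for each query line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip = m.group("ip")
        domain = m.group("name").lower().rstrip(".")
        out.append((m.group("ts"), DEVICES.get(ip, ip), domain))
    return out


def is_allowed(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def flag_queries(queries):
    """Group queries per monitored device.

    Returns {device: {"allowed": set(domains), "flagged": [(ts, domain), ...]}}.
    """
    report = defaultdict(lambda: {"allowed": set(), "flagged": []})
    for ts, device, domain in queries:
        if device not in ALLOWLIST:
            continue  # e.g. the parents' laptop: no allowlist, not monitored
        if is_allowed(domain, ALLOWLIST[device]):
            report[device]["allowed"].add(domain)
        else:
            report[device]["flagged"].append((ts, domain))
    return dict(report)


def missing_from_history(queries, device, history_domains):
    """Domains the DNS log saw for `device` that a browser-history export lacks."""
    seen = {d for _, dev, d in queries if dev == device}
    return sorted(seen - {h.lower() for h in history_domains})


if __name__ == "__main__":
    queries = parse_queries(SAMPLE_LOG)
    for device, r in flag_queries(queries).items():
        print(device, "allowed:", sorted(r["allowed"]))
        for ts, domain in r["flagged"]:
            print("  FLAG", ts, domain)
    # Constructed history export from the teen's phone with one domain scrubbed.
    print(missing_from_history(queries, "teen-phone", {"www.example-homework.org"}))
```

Pointing `parse_queries` at the real resolver log (for dnsmasq, the file named by its `log-facility` option once `log-queries` is on) is the only change needed to run this against a live home network.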
One cruel trick played by predators is charming underage kids into sending racy pictures of themselves or into undressing on a Skype call.
Predators then use these images to blackmail the teen, asking for money or more-explicit photos and performances, threatening to send the original images to the kid’s parents, school, or contacts list.
Reading this blog puts you ahead of less-informed parents. Still, even smart, internet-savvy adults fall for online scams, and some creeps are frighteningly good at sweet-talking their way into a kid’s confidences.
Do your best to protect and inform your kids, and let them know that they can come to you if they get in trouble. Many kids are more scared of their parents’ anger or disappointment than they are of the blackmailer, and the results can be heartbreaking.
In a recent study, researchers found that 78 percent of high school students had watched porn, beginning around the age of fourteen.
That means that even if your kid hasn’t looked for X-rated content on the internet, their friends may well be sharing jokes and memes about adult topics, often with no idea what they really mean.
I’m not here to give you parenting advice, but I will share my story. As a cybercop, I probably realized what my son was looking at more quickly than the average parent. In the pages that follow, I’ll talk about how we handled the tech aspects. That’s the easy part.
As a father, I realized that I couldn’t stop my kid from exploring the internet’s back alleys, but I didn’t want him to get some wrong ideas. And that led to a very awkward talk in which, while he fidgeted and blushed, I told him that I wasn’t going to police his viewing.
But I did want to be sure he knew to look at those images as movies, not real life. I told him that the performers are actors, and the scenes tell you as much about how real couples act as Star Wars does about the space program.
I warned him that he might see stuff that is scary or gross, posted for shock value, and that I wouldn’t get angry or disgusted if he wanted to ask me questions about things he saw.
Time will tell, but I hope and trust I’ve done my part to raise a boy who knows the difference between X-rated fantasies and real human relationships.
AN HONEST APPROACH
Kids will watch or download things you don’t approve of. This is just a reality. Every parent has a different threshold for what that might be, and that needs to be the beginning of a family discussion.
It’s important to realize that while most warnings focus on porn, particularly the more disturbing images a kid might stumble upon, it’s not the only inappropriate stuff out there.
Spend a few hours in some of the least savory corners of Reddit or 4chan, and you’ll realize how hard it is to shield a child from the darker side of humanity. The solution, as we keep reiterating, is to have those honest conversations… and back them up with technological solutions.
DAD, IT’S BROKEN AGAIN
I already discussed how I used my son’s teenage surfing as a way to have a parenting moment. Every situation is different, but I think it always makes sense to explain to your kids why you don’t want them looking at certain sites. Otherwise, you’re just mean old dad or mom never letting them have any fun.
Start out by talking about how criminals attract us with sexy pictures, promises of free games or movies, get-rich-quick schemes, and more. The more a link begs you to click on it, the less likely it is that it will deliver on its promise. So, point one, the cake is a lie.
Explain to your kids that they shouldn’t download that pirated expansion pack—not because stealing is wrong (although you can remind them that it is) but because that freebie is almost certainly infected with all kinds of computer-destroying malware.
My son managed to completely trash his computer more than once before it occurred to me to make him a deal:
I would not only restore his machine (again!), I would back off on monitoring him (a little) if he installed VirtualBox on his computer and configured it to spin up a virtual instance of Windows that he could use as a one-time computer.
Then he could watch whatever he wanted… but if we got one more virus, he’d lose computer privileges for six months.
It took him three days to figure out VirtualBox, and we’ve been virus-free ever since.
Remember what we said earlier about malware infecting your computer in as little as two clicks?
Sometimes the software that gets downloaded to your computer doesn’t just damage it or use it for someone else’s purposes but actually hijacks your PC, locking you out or encrypting your files until you pay for a “software removal tool” or give in to outright extortion.
Some “warnings” you might see on your screen are normally meant to trick you into accepting the ransomware. If you see such a pop-up message, immediately close the window or reboot to stop it from taking over. In a neat new twist, hackers have started ransoming other web-enabled devices, such as smart TVs.
If it happens to you, try a hard restart to factory settings and, if that fails, contact the manufacturer. Some are claiming that this only happens if you download pirated materials, but the jury is still out.
HIDING BEHIND THE NET
When my mother asked me to look over an email she’d gotten from her internet pen pal, I routed it immediately to my internal Raised Eyebrows Department.
Don’t get me wrong, I’m not saying Mom isn’t a catch, but the way she described the burgeoning romance was enough to make me suspicious. She met the guy through a dating site and began to chat, then flirt, then send emails. And after a little while, he professed his love for her.
Grooming Behaviors The general pattern here is the same, whether people are targeting kids or adults and whether they’re seeking sex or money. What’s referred to as “grooming” is all about finding common ground with a likely target, gaining the person’s trust, and then going in for the kill.
With Mom’s sweetie, all I had to do was select a particularly poetic-sounding sentence, cut and paste it into a Google search, and bingo. There was the same message from the same guy, in thousands of posts.
Rule One If an offer sounds too good to be true, I can pretty much guarantee that it absolutely is. If someone online promises your kids exactly what they want, teach them to be careful.
They should ask, “Who does this person claim to be? Can this person prove it?” If the stranger is legit, this should not be difficult. Otherwise, instruct your teens to keep their antennas up.
Warning Signs Anyone who asks your child for photos right away is suspect. As is a new person who always seems to know when your kid logs in to certain applications.
Or if the stranger mentions having money trouble. Or if your child suddenly starts getting sexy pictures via email or text or Instagram—or any other way.
Remember rule one. With your teen, try Googling a selection of text from the suspect emails—lots of these scammers work off of scripts and use the same emails over and over.
Finally, if your teen asks to meet up and the person has a convoluted story about how they travel on business all the time, you can be certain that your kid is dealing with a fraud.
Con men use the internet’s cloak of anonymity to steal money and maybe a heart or two. But online anonymity can mask an even more destructive face—that of the bully.
STAND UP TO CYBER BULLIES
Bullying can be more serious than almost any other online offense. And all too often, victims are told, “Just ignore them.” That was bad advice in the 1950s when the bullies were waiting to beat you up after school, and it’s even worse advice when the bullying can come from multiple sources, online and off.
Kids commit suicide every year because of bullying, and even adults have their lives turned upside down.
If you or your children are targeted, contact authorities and do not accept no for an answer. Unfortunately, the internet can be rife with packs of bullies.
Here’s how to apply the lessons of this blog to help keep your family safe from cyberbullies, online predators, and pesky malware.
Monitor all social media accounts your child uses.
Talk to kids about what’s safe to share.
Restrict and lock down your home network.
Log traffic and use software to track network activity.
Restrict social media sharing.
Install GPS tracking apps on kids’ phones.
Lock down all social media accounts to private.
Use spyware to track all online activity.
Use a private LAN for kids’ computers and aggressively blacklist sites and categories at the router.
CYBER-BULLYING IS KIDS’ STUFF
FALSE Cyberstalking, cyberbullying, and online smear campaigns are a growing and increasingly destructive form of abuse.
It affects young and old, male and female, and even the famous: Jennifer Garner, Ellen Page, Ciara, 50 Cent, and a long list of other celebrities have been cyberbullied and stalked or had private photos stolen and circulated.
Comedian Leslie Jones took a break from Twitter after unrelenting racist and sexist abuse that began when she appeared in the remake of Ghostbusters. Social media sites have taken steps to stem the tide, but the most important step is to realize that anyone can be a victim.
If a creepy dude is following you, you can duck into a safe space to escape. But online spies aren’t immediately visible, so how do you ditch them? If you want to minimize instances of being tracked online, use an ad blocker such as Adblock Plus and a tracker-blocking browser plug-in such as Ghostery.
But beware, some sites will intentionally offer less functionality or ban your browsing outright if you use an ad blocker.
If you are concerned about Facebook using your personal data (or any apps that you have given access to your Facebook data), remove Facebook Messenger from your smartphone, and use a secure messaging system such as Signal, Wickr, or SMS. And if you want to stay truly stealthy, you can always use Tor.
NOT JUST PHONING IT IN
The era of pocket-sized computers predicted since the 1950s began in earnest in 2007 with the release of the first iPhone. Today, people all over the planet carry with them at all times a device capable of accessing the internet, the Global Positioning System, and hundreds of millions of nearby devices.
We’ve passed the point of inflection: More people these days view websites with their mobile phone than on desktop or laptop computers.
We entrust to our phones more data than we traditionally stored on our home computers. Our phones know exactly where we are and where we’ve been, and can tell exactly where we’re going.
They know how much we have in our bank account and what we’ve bought on Amazon; they can open our front doors and start our cars; they know how much dirt is on our floors and whether our smoke alarm batteries are charged. They can transmit and receive voice and text communications between us and anyone else in the world.
They know, increasingly, whether we need to buy a quart of milk or how many people read that story we posted on Facebook. Golly, that’s a lot of data about us. Say, these phones are secure, right?
Well, not really. In fact… if you’re not very careful, your phone can cause you some serious problems.
You may have seen one futuristic thriller or another, wherein the bad guys use some clever or disgusting method to breach security using a victim’s thumbprint. But as it turns out, you don’t need to be a supervillain or a high-tech professional to be a cyberthief.
In 2016, the Wall Street Journal reported the story of a six-year-old who used her sleeping mother’s thumbprint to unlock the mom’s phone. She then went on to order $250 USD worth of Pokémon toys from Amazon. When her parents received thirteen different order confirmations they assumed their account had been hacked—until their daughter proudly announced that she’d been shopping just like Mommy.
Parents of precocious children might want to rethink their password strategies, wear gloves while napping, or just make sure their smartphones are kept safely out of reach.
BASIC PHONE SETTINGS
So, you’ve just gotten a new phone! Congratulations. As you set it up, you should keep some things in mind in order to make security a basic part of the way you operate your phone from the beginning, as opposed to trying to patch it up later.
Lock It Down First, enable your phone’s “Lock SIM Card” option, which will require a password to access your SIM card every time that the phone is rebooted. This is in addition to your phone’s screen lock. The SIM lock secures the network access card, while the screen lock protects the phone itself.
Secure Your Screen Next, enable your phone’s screen lock to keep snoops, busybodies, and evildoers from going through your stuff. If you can use a password or passphrase (instead of a PIN), do it. If you use a PIN, make it six digits or longer.
Set the lock timer low enough to ensure that it automatically secures itself when you leave it in a restaurant or in a taxi, but long enough to avoid entering your passcode every three seconds—two minutes should be a good degree of compromise.
Don’t Get Fingered Plenty of smartphone models offer fingerprint detection as a quick way of unlocking and accessing your phone, but despite its convenience, you should deactivate that setting completely and rely on PINs and passwords for your privacy and protection.
Stay Cryptic Deactivate location settings unless you specifically need them. Often you’ll end up needing to turn location on for specific apps when you need it—say to get driving directions—but it’s worth the (relatively minimal) trouble.
Use Only What You Need You should also turn off your phone’s Wi-Fi, tethering, hot spot, Bluetooth, and near-field communication settings. All of these are useful, but you should only activate them as you need them rather than simply leaving them on by default.
Block Out Finally, consider blocking your phone’s caller ID to maintain maximum privacy. The people you call will see you on their end as “Unknown” or “Private Caller” and as a result, some of them will no doubt ignore your calls.
This is a borderline “Advanced” or even “Tin Foil Hat Brigade” level of security, for those who really want to go stealth. You’re going to be leaving a lot of voicemails since most “private callers” are debt collectors, scammers, doctors’ offices, and cops.
WHAT’S IN YOUR SMARTPHONE?
A wise man may have once claimed, “You are not the contents of your wallet,” but that was before smartphones came along. Your wallet probably has a few pictures, some cash, and a range of cards: identification, insurance, debit, and credit.
All of these are meaningful and should be replaced if your wallet is lost or stolen, but it doesn’t compare at all to what your smartphone can contain:
Hundreds of photographs and videos, hundreds or even thousands of emails, open apps with personal info such as banking, passwords to every online account you have, as well as continuous access to any and all further sensitive information sent to those accounts.
In short, you are the contents of your phone to anyone who steals or breaks into it. Keep it even closer to you and more secure than your wallet.
YOUR PHONE IS NOT A WALLET… EXCEPT WHEN IT IS Your mobile phone is not inherently unsafe, but you will need to understand the relative risk that a given app presents and compare that to the reward you get by using it. When you think about using a new app, consider the following: What do I get, and what does it cost me, really?
It’s the same as giving your personal information to supermarkets in exchange for a frequent shopper card. You enjoy savings, but the store maintains a complete dossier on what you buy—and don’t.
They know the days you go shopping and the amount they can count on you to spend, and they have a good idea about how to increase that amount. That data is theirs to do with as they please, and they often sell it to the highest bidder.
Banking on You When your bank asks you to try its new app, they obviously want you to use it because it teaches them more about you. What’s the risk? The bank will always pay back your losses if the app gets breached. If you find it convenient to deposit checks from your phone or transfer money, that’s a great deal.
But you need to understand what you are giving them and the cost of the worst-case scenario. Is Google Wallet or Apple Pay as convenient as Google and Apple make it sound? It depends on your circumstances—if you live in a big city, sure; out in the country? Probably not.
What Do You Need? Do you have a nine-year-old who uses your phone for multiplayer online gaming, or is this a business phone with a few key applications and a good password? Everyone’s needs are different, and one man’s convenience is another man’s big shiny target.
Give some serious thought to what you want to get from your apps and how you use your devices. For example, use a different mobile device for sensitive apps like banking, and only use the device for that—this gives you much of the convenience but with less risk.
THIS LITTLE PIGGY WENT ONLINE
In the past couple of years, the number of people who bank using their phones has outpaced the number who bank in person.
You probably have a pretty good grasp of your phone’s basic features, but it may still be able to surprise you with what it can do—and how it can affect your data safety. Here are some possible security risks you might want to check out.
You often need Wi-Fi to cut down on mobile data use, but Android phones use Wi-Fi to more exactly locate you. By sensing the relative strength of available Wi-Fi hotspots, they can triangulate your position much more closely than with GPS alone.
THE FBI VS. APPLE
Public debate over law enforcement access to phones came to a head after the FBI sought, under the All Writs Act, to force vendors to provide cops with a “backdoor” to encrypted iPhones.
The case arose after the FBI sought possible evidence on the iPhone used by a mass shooter in San Bernardino who attacked a government office in December of 2015.
The FBI sought to force Apple to break the strong encryption of that device. Apple refused, arguing that a backdoor was the same as a master key for cops. The police argued that Apple was creating a safe space for criminals.
Finally, the FBI bought a tool from hackers to break the protection on the iPhone and get the data they sought. The argument is not yet over; both sides are still waiting for a great test case, ultimately to be settled by the United States Supreme Court.
SELLING YOUR SMARTPHONE’S SOUL
Some apps are notable for doing a lot more than you were expecting when you downloaded and installed them. A now-famous smartphone flashlight, for example, is the poster child for this kind of unwelcome surprise.
The Brightest Flashlight app, estimated by the Federal Trade Commission to have been downloaded tens of millions of times, harvested identifying data and location information and demanded access to the calendar, camera, microphone, email, and network activity, essentially handing your whole phone to the app.
The app makers were then selling all this information to advertisers. The lesson? If you decide to install an external app, examine the permissions that it asks for. Use apps that only ask for permissions related to their tasks. If an app is suspect, ask questions, or look for one that uses fewer permissions.
If a phone is infected, the owner is in huge trouble, because as phones get better, they offer really neat spy tools that many people forget they have handy at all times.
Utilize Electronic Eavesdropping Want to record a meeting? There’s an app for that. Leave your phone on the table, with its screen turned off, and you can covertly get a high-fidelity stereo recording of what’s being said.
There are also free or low-cost apps that record all incoming and outbound calls, spoof your number to whatever you want it to be, detect mobile networks and cellular signals, and do several other cool tricks as well.
Keep Track of a Subject Would you like to spy on someone else’s phone? If you have access to it (and flexible morals), you can easily download and install apps that can track, say, your significant other or your kids.
If you have no morals whatsoever, you can place spyware on the phone of a co-worker or your employer, for a little industrial espionage.
Of course, this works both ways: Your employer can place spyware on your phone and probably be within the law in several states, so long as he or she owns the phone.
Spyware can allow you to, for example, remotely activate the microphone on a phone and listen in on the conversation or access the GPS to both track location and set up a geo-fence, which will send you a text message when your quarry leaves a designated area.
Steal Secrets If you’ve set up spyware on someone else’s phone (or someone has done it to your phone instead), you can also peek in on social media accounts, snatch the very keys they type with a keylogger, crack passwords, and access other wonderful features.
You have a robust piece of covert surveillance gear that used to require a boxy suit and a mustache to twirl—or at the very least, nation-state funding.
Don’t Just Make Calls We as users continue to get it wrong, seeing smartphones as “phones” and not “computers.” They are decidedly the latter, and they’re capable of doing all the things a computer can do—we should never forget that.
A number of apps can help you feel more secure, whether you fear for your civil liberties or your wallet. It’s definitely a good idea to check out the iTunes or Google Play Store regularly to learn about new applications—just use the keywords “safety,” “spyware,” and the like.
Read the reviews online to learn about possible vulnerabilities and to find the best functionality for your needs, and always check the permissions when installing an app.
Safe Personal Safety This and similar apps can identify people in your network to help you stay safe, travel in groups, and get help.
Other Safety and Privacy Apps Many personal-safety apps are also available, both from cities (such as the BART safety app for riders of the San Francisco Bay Area transit system) and from private concerns (such as the ICE—In Case of Emergency—app).
THE NATION-STATE THREAT
No discussion of surveillance and mobile phones would be complete without a mention of Edward Snowden, who in 2013 stole a large number of files classified by the U.S. government as Secret, Top Secret, or higher.
Regardless of whether you think he is a hero or traitor, he opened our eyes to the technical capabilities of well-funded actors, such as organized criminal gangs and nation-states.
In 2016, Snowden spoke on HBO about the issue, demonstrating how to remove components from a smartphone to remain completely safe (you can see this on YouTube).
In VICE’s documentary State of Surveillance, with Edward Snowden and Shane Smith, Snowden described why exactly you would want to remove the microphones and the cameras from your phone (note the plural: a phone has more than one of each) and demonstrated just how to do it.
“Every part of private life today is on your phone,” said Snowden. “They used to say that a man’s home was his castle. Now, his phone is his castle.”
Listening In Snowden was interested in IMSI-catchers, devices that, essentially, impersonate cell towers and intercept cell phones.
Here’s where we must warn that Snowden’s understanding of how police use IMSI-catchers is absolutely flawed—use by U.S. police of IMSI-catchers is dramatically less common than Mr. Snowden believes.
But he is correct in his assertion of the capability and ease of acquisition of an IMSI-catcher by police or private individuals for getting hold of the phone data you are sending. The solution is to follow security protocols appropriate for your risk profile, and follow them religiously.
Risk Assessment If you are an activist or protester or someone who takes on activists or protesters, you should consider the likelihood of attacks against your electronic life to be rather high.
If you’re a soccer mom, you should consider the likelihood of a targeted attack rather low—that doesn’t mean that you don’t face mobile threats, such as malware, spyware, and the like. It just tells you how to set your expectations of privacy and therefore your security posture.
Staying Safe The Electronic Frontier Foundation (EFF) provides a very good starting place for this exercise in an article on its website titled “An Introduction to Threat Modeling.”
To give you an idea of how this works, we authors use encryption for our email and hard drives, and, wherever possible, we use encrypted voice and text through the application Signal.
The EFF recommends Signal specifically because of the strength of its cryptographic implementation, its ease of use, and its “zero-knowledge” model—even if Signal itself is hacked, it cannot turn over any of your messages because it cannot read them. That’s a powerful feature.
Finally, as we keep reminding you, encrypt your phone, and use a strong password to protect its contents—do not use a fingerprint. The reason for that is that U.S. courts have ruled it legal for police to use your fingerprints to unlock a device, but it is currently not legal for the police to force you to turn over your password.
Highlights include call interception, SMS interception (including WhatsApp and other popular “secure” SMS applications), SMS tracking, password cracking, a digital recorder that can be set remotely not to ring/vibrate or light up, etc., etc.
“Another one is mSpy, which can track call logs, GPS location, and metadata about how the person is living his or her life—from calendar updates and text messages to email and web history. It, too, works with both Android and iOS.
“The best bug in the world is right there in your pocket… and adversaries know that your phone is never more than six feet away, and you always have it with you and turned on.”
Use a good password—never your fingerprint. A good password is more than six characters or numbers, or a good pattern.
Encrypt your phone.
Use a phone-locator app in case it is stolen.
Limit the number of days of email that can download to the phone.
Use a VPN for browsing in public.
Use 2FA for all apps that you possibly can.
Limit location services and Wi-Fi use.
Ensure limited metadata is saved with images.
All of the above—and remove the cameras and microphones from your smartphone.
Use encrypted DNS (will only fix Wi-Fi).
Regularly reflash your phone to factory settings.
Limit data usage.
The story of the internet is about more than laptops and cell phones and smart cars. It’s also about the people behind those devices, and the things they desire—wealth, power, connection, influence, and more. With just a few clicks of a mouse, we’re able to shop online, look for dates, educate ourselves.
On the other hand, there is no shortage of people employing the same connectivity to scam others, take their money, damage their businesses, destroy their confidence, break their hearts, and cause plenty of other intangible forms of damage—and they don’t necessarily act on their own.
Online anonymity is afforded to the larcenous and the amorous alike, and if an internet mob gets going, they can do just as much harm as any rioting mass of people in the public square.