When he wasn't busy running his carpet-fitting business, Iain Wood spent up to 18 hours a day online scrutinizing his neighbors' social network profiles, which he used to liberate a combined total of $57,000 from their bank accounts.
The judge who sentenced Wood to 15 months called the crime "sophisticated fraud," and "a well planned, complex clever theft." Yet Wood didn't need to be a crack hacker to engage in a two-year career of identity theft. What's more, the fact that Wood got busted because he got lazy, and then blurted out more crimes than the cops knew about, lands this guy on the rather low end of the clever scale.
Reading for comprehension is pretty much the only skill Wood required to jack the bank accounts of his neighbors — which goes to show how easily this could happen to you.
Birthdays, maiden names of mothers and other personal details readily shared on Facebook and UK social network Friends Reunited provided the golden key that allowed Wood to bypass security questions on bank account websites and pillage what he found.
Wood — who reportedly had a gambling habit that needed financing — friended the cohabitants of his apartment complex on Facebook and Friends Reunited. Equipped with the real identities Facebook and other social networks are so insistent upon, Wood tried out the names on a variety of online banking sites. When Wood got a hit, he took a ride through the "forgot your password?" links, using the info he collected from his "friends" to bypass security questions (such as "what is your mother's maiden name?").
Sticking to mostly dormant bank accounts, Wood requested a new banking card, which he then intercepted in the mail. He then used the bank cards to make cash withdrawals, even taking advantage of overdraft protection on empty accounts before anyone caught on. Then he got cocky. Or lazy. Or both. The UK Telegraph reports:
He had got away with his fraud until he dropped his guard and changed his operation by directly transferring money out of one neighbour's account directly into his own, in November 2009. When the victim was contacted over the withdrawal of £1,500, he realised he had been the victim of a fraud and the police were called. At that stage the police thought it was a one-off, but when they arrested him Wood blurted out "Have you been on to me for a while?" A subsequent search of his flat found a variety of bank account pin numbers, someone else's passport, bills and other paperwork, much of which he had taken from the post boxes of other residents in the block.
Wood, who pleaded guilty to six counts of misrepresentation, is hardly the first person to use Facebook information for nefarious purposes. Earlier this year, a 26-year-old man was charged with 13 felonies after being accused of using info on Facebook profiles to hack into computers of young women, and posting any nude photos he found on porn sites.
Any security expert will tell you we are a people largely given to ignoring (but still complaining about) our privacy settings and friending anyone on Facebook who asks, and we are notoriously unimaginative with our passwords. You can guard against not-so-clever scams that take advantage of your Facebook information by taking some simple precautions.
For starters, stop telling the truth, Sophos senior tech consultant Graham Cluley suggests:
Some websites put in their terms and conditions that you must tell it accurate information, but they have no way of verifying that you did tell the truth — so why risk it? Facebook, for instance, wants you to be honest about your real date of birth, but I imagine that's more about stopping you pretending to be a 13 year old boy than to tell if you were born on August 14th or March 3rd. Simply making your date of birth private on Facebook may not be enough — a few years ago they accidentally leaked everybody's date of birth, regardless of whether users had chosen to make it private or not.
Stop sharing your information online, and if you live in an apartment building, take extra care with your mail, Cluley urges. But banks, too, he says, are not blameless: using two-factor authentication that doesn't just rely upon you remembering the answers to a few security questions could've hampered Wood's two-year crime spree:
Yes, as individuals we need to be more careful about the information we share on social networks and the password reminder questions and answers we choose on websites. But we should also be calling on our online banks to put higher levels of protection in place to reduce the chances of fraudsters accessing our accounts.