Fraudster jailed after pillaging Facebook accounts for personal information

Iain WoodA British man stole £35,000 (approximately US$ 55,000) from his neighbours’ bank accounts after determining their passwords via personal information they posted on Facebook.

Fortunately, there’s some advice which the rest of us (and indeed online banks) might take away from the story to make all of us more secure in future.

According to a Daily Telegraph report, 33-year-old Iain Wood, of Newcastle, befriended people living in his apartment block, and used their personal details to get past online bank security checks.

Wood would attempt to log into his victims’ bank accounts, and click the button to claim he had forgotten his password.

Using clues gleaned from Facebook and Friends Reunited, he would attempt to help answer security questions such as memorable dates, name of their first school, mother’s maiden name etc.

Wood was reported to be on his computer for 18 hours a day, hunting for personal information related to his neighbours.

The fraud was made easier because Wood targeted people living in the same block of flats as him, giving him the opportunity to intercept their mail.

Typically, Wood changed the address details of victims’ accounts and would withdraw cash with cards he received in the post.

Wood, who pleaded guilty, has now been jailed for 15 months.

As I read this story, a few thoughts rang loudly in my head.

Living in a shared building? Take care with your mail
If you’re sharing a building with many other people, and your mail is left in a communal place, there’s more opportunities for someone to snoop at your mail.

Residential mailboxes

You would have a higher level of security if your sensitive documents were sent to another safer address (your parents?) or required a signature upon delivery. Furthermore, keep an eye open for unexpected deliveries or post that never shows up.

Stop sharing personal information and stop telling the truth
Facebook bank fraudRemember to be extremely careful about what information you share about yourself on the net. It could be a useful piece of the jigsaw for an identity thief or online fraudster.

Get out of the habit of thinking that you need to answer every question on every online form truthfully – does a website really need to know your true date of birth or your mother’s maiden name? Are they going to check if you’re telling the truth or not?

If a website demands that you enter your full date of birth, for instance, then you have a choice:

You can either decide not to use the website, make up a date of birth, or trust it with your real one.

Some websites put in their terms and conditions that you must tell it accurate information, but they have no way of verifying that you did tell the truth – so why risk it? Facebook, for instance, wants you to be honest about your real date of birth, but I imagine that’s more about stopping you pretending to be a 13 year old boy than to tell if you were born on August 14th or March 3rd.

Fake Facebook date of birth

Simply making your date of birth private on Facebook may not be enough – a few years ago they accidentally leaked everybody’s date of birth, regardless of whether users had chosen to make it private or not.

So my advice is to lie about your date of birth when you can, but don’t be deceptive regarding your rough age group.

Similarly with mother’s maiden name (which is a matter of public record) why not make up the answer? For instance, say “Xena Warrior Princess”, “C3PO” or “Malcolm Muggeridge”. As long as you remember it, and no-one else can guess it – that’s all that matters.

Online banks should be doing more to secure our accounts
Fortunately, some banking sites have realised that asking such questions for account security can lead to trouble, and warn users not to enter memorable dates which are dates of birth or your wedding anniversary.

However, there are still some websites which encourage bad practices.

Two factor authenticationBut more than this, we now have many online banks requiring you to use two factor authentication if you wish to transfer money into another account.

Online banking websites which use two factor authentication don’t just rely upon you remembering the answers to a few security questions – you also have to enter a random number, spat out by a portable hardware device you slot your bank card into.

This level of security is harder for fraudsters to get around, and is probably why Iain Wood changed accounts’ mailing address instead.

But why don’t more online banks require you to use your authentication device when you first log into your account, rather than just when you try to transfer money?

Wouldn’t it better to require proper authentication that someone accessing the account is who they say they are, regardless of what they plan to do with the account access, rather than just using it when money is transferred?

Remote accessI have to use an authentication device every single time I want to log into my Sophos email remotely, and I’m sure the story is the same at many companies with external workers.

So why doesn’t my bank account also require me to authenticate who I am when I first log into my bank account?

Yes, as individuals we need to be more careful about the information we share on social networks and the password reminder questions and answers we choose on websites.

But we should also be calling on our online banks to put higher levels of protection in place to reduce the chances of fraudsters accessing our accounts.

If you’re interested in learning more about security threats and safety on Facebook, I recommend you join Sophos’s Facebook page where a community of over 100,000 people regularly discuss the topic.