Originally published under the title “Password Unprotected” in the May 2019 Digital issue
Somewhere in the world, there’s a man named Mike, and he has no clue that I exist.
On my search for Mike, I started on the Facebook page of an old sorority sister from my Alma Mater. I scrolled a long way through her list of friends until I found someone who was not also a friend of mine. I clicked his profile. His privacy settings were fairly tight; as a non-friend, I couldn’t view any of his friends. So I took a glance at his wall, and found a comment on one of his wedding pictures. I clicked on the commenter. Then onto one of her friends. Then one of his friends, which brought me to Mike, a self-taught Indiana outdoorsman. I looked at Mike’s profile for three minutes—I timed myself—and now I know where his favorite bar is. I know what he looks like and what his mom looks like. If I felt particularly callous, I could tell you what he does for a living and his dog’s name. I could even give you his work number.
I don’t know Mike, and Mike certainly doesn’t know me. I chose Mike at random, traveling down tenuous digital connections to reach him and now, I have all kinds of information on him that a complete stranger has no right to possess. I could sell it. I could pretend I’m a long-lost friend. I could call him up, tell him that his mother has been kidnapped, and demand ransom, all without leaving my sofa. Despite Facebook’s most strict privacy settings, layers of friends, and 10,000-to-one odds, I have chosen Mike.
I’m not going to do anything with Mike’s information. I even changed most of the details I chose to share in this article in order to protect his privacy, just in case. You never know who might be reading.
The Breach
We step into the online world from the comfort of our own homes, our offices, our cars, smartphones propped dangerously against our steering wheels. It’s a library that contains all of human knowledge, much of it available for free. The power of the internet has revolutionized the way we educate our kids, and share news and knowledge across oceans. It’s given us cat videos. The system even comes with a culture of likes and follows, giving positive encouragement in exchange for public engagement. To be a successful, mainstream person in the 21st Century, is to, by and large, opt in. Terms and conditions may apply.
Multiple times, Mark Zuckerberg has claimed that privacy is dead; culturally, we don’t value it, and don’t require it. I’d posit that we still value our privacy. But we don’t know how vulnerable we are. Tech has a six-month shelf life, and we’re still learning the rules. It feels like by the time one finishes reading the novel-length terms and conditions, they’re already out of date.
Think about the way we use social media for example. We post things, largely for our intimate circles, or larger groups of, by and large, friendly followers. No one posts a picture of themselves on vacation, assuming that some scammer out there is going to buy their information and use it to trick them out of as much money as possible.
The New Yorker called our online lives a kind of “shared vulnerability.” We—from our politicians, down to the toddler begging for more time on momma’s iPad—are all vulnerable, because, just as our banks, libraries and DMVs have moved online, so has everything else. The revolution has also come to crime.
I sometimes joke that stalking is easier now than ever. But the more time I’ve spent researching it, the less humor I’ve been able to find in the situation. The problem is much more than lax privacy settings on the Instagram account you run for your dog. We have to trust our data to companies, and they can’t always keep it safe. A 2019 D CEO article on the subject cited data security as a major growing concern for CEOs, even stating that cyber intrusion is more profitable than drugs.
In addition to the information we put into the world via social media, over the years, there have been several high profile data breaches, where huge amount of personal information was stolen. A 2013-14 data breach at Yahoo that could have affected three billion users. More recently, in November 2018, Marriott International broke the news that cyber thieves had pilfered data on approximately 500 million customers. The breach had originated in 2014 with Starwood hotel brands, and remained in the system through Marriott’s acquisition of Starwood in 2016, and was only discovered in September 2018.
In May 2014, eBay reported a massive cyberattack, where hackers enjoyed inside access for 229 days, gathering names, addresses, dates of birth and encrypted passwords from the bank of 145 million users. Late 2016: Uber. Up to 57 million users and 600,000 drivers were exposed. July 2014, JP Morgan, the largest bank in the nation, with 76 million households and 7 million small businesses exposed. It goes on and on: credit and debit cards, names, numbers, addresses, social security numbers, passwords, dates of birth. It’s all out there. Hackers skim a little off the top, squirrel it away to the dark web, and make bank selling it. Once it’s out there, it can’t be retrieved.
Just hang up
“I don’t want to go outside. I just want to go home,” my friend, Robyn, was crying on the phone. It was hard to understand her.
Robyn lives in Philadelphia, and she isn’t the type to call crying. After she’d had a bad bike crash the week before, which required minor oral surgery, her mother had flown up from Arkansas to spend the weekend. On the last day of the visit, they were headed out to the grocery store. Her mother wanted to make sure she had soft foods. Mashed potatoes. Macaroni and cheese. Robyn was stuffing her keys in her pocket when she saw her father’s number come up on her mom’s phone. She answered it, and heard her father’s voice. She couldn’t hear it very well, and thought he was saying, “hello?”
But then a stranger spoke, telling them that her father was in trouble. Something was wrong. Robyn asked what was going on with a little too much force, and the man began to scream that they were beating her father, and if she hung up the phone, they would kill him. The man ordered her to go to a CVS down the street and buy as many prepaid credit cards as she could, then take the money to a certain location in Philadelphia, about three miles from her apartment.
Robyn and her mother suspected it was a lie; as the man shouted a constant stream of abuse and slurs, she passed the phone to her mother and tried to call home, then her dad’s cell phone. He didn’t pick up. She called a neighbor, then her uncle. No use. So she called the Philadelphia police.
“It’s a scam,” the operator said, annoyance flattening her voice. “It happens all the time.”
“You don’t understand me,” my friend murmured quietly, so her voice wasn’t heard on the other cell phone. One mistake and he could be dead. “I can’t reach my dad, and they’re telling us to go somewhere else.”
“Ma’am? Ma’am. Please.” The operator raised her voice, as if she was a stupid child playing a prank. “Just hang up.” The operator hung up herself.
They were on the phone for two hours, pacing the pharmacy, buying prepaid cards and maxing out the ATM while the employees watched, concerned. Meanwhile, Robyn contacted the police department in her hometown, and the small station deployed their entire unit to her parent’s house. But her dad wasn’t home. The car was gone. They had already begun working to track his phone, and to break into the house, when suddenly, his car flew up the driveway, white-faced and horrified. He was on the phone too, hearing the same story: his wife and daughter were being held for ransom.
The callers got around $800 from her mother, and $2,000 from her father. Though the police promptly helped them reverse the charges, there are some experiences that don’t come with a refund.
“We thought it could be a scam. We did—but we couldn’t gamble on his life,” Robyn told me in the aftermath. “The money is meaningless. It was the worst thing that’s ever happened to me. We aren’t stupid people. We aren’t gullible. I mean—what would you do?”
After it was over, I thought about how much work had gone into creating a convincing experience, convincing enough to fool two doctors and Robyn, who is also working on her doctorate. The calls had been coordinated to trap both of her parents both on the phone so they couldn’t reach each other. They had taken the time to call each of them once before to record their voices, to play in the background, and they had to have known her mother was in Philadelphia and her father wasn’t. They’d even known about Robyn’s minor surgery. Even if they had been targeted randomly, the attack itself had been personal.
Though virtual kidnapping is rare, according to Frisco Police Officer Grant Cottingham, it’s a rising problem. Officer Cottingham has personally responded to several panicked phone calls from people who have been threatened, told their loved one has been abducted, or thrown in jail. He says that Robyn and her parents did everything right; they tried to reach each other, and when that failed, they called the police.
“The point is fear,” he says. “All a scammer hopes for is one person who gets on the hook.”
He recalls a case he worked on behalf of a local man who was told that his mother, who lived in another city, had been abducted. He’d been on his way to a pharmacy to buy prepaid cards for her ransom before he called the police in terror. If they hadn’t arranged a welfare check on his mother, and found her safe, he would have given the caller anything they asked for.
“They will keep you on the phone, keep pumping for more money, and the moment they get that money, they disappear,” Officer Cottingham explains. “They do very little work for that ‘ransom.’” Though no one legitimate would ever ask for prepaid cards, but the calls feel legitimate. Violent threats are woven through with personal details—vacations, descriptions, locations—just enough information to make it seem real. Thirty minutes on Facebook provides plenty of fodder. Even when it seems like a scam, and it’s more likely to be a scam than a true kidnapping, when it comes to a parent, a spouse, a daughter, who’s willing to take the chance?
“Think about social media, what we release online of our own volition,” Officer Cottingham continues. “There are simple precautions you’d take to meet someone face to face, certain things in conversation that if I don’t know you, I won’t tell you. Have that same line of defense online, and trust your gut.” Then, he adds, call the police.
They had my name
On Valentine’s Day, Natalie Lindsey was sitting at her gate in Dallas/Fort Worth International Airport waiting to board a flight to Portland, Oregon for a girls’ weekend getaway. To pass the time, she scrolled through the feeds of her various social media accounts and also checked the Mint app installed on her phone that she uses to budget expenses. Mint provides users with a personalized paired-down credit report on a monthly basis and explains the reasons behind the current credit score. Typically, your credit score won’t change drastically from month to month, but Natalie noticed a sharp 10-point decline in her score. She thought it was strange but wasn’t alarmed, and resolved to look into it further when she returned from her trip.
“I just didn’t realize the magnitude of what was going on,” Natalie admits.
When she returned to Dallas a week later, Natalie discovered that there were credit inquiries on her account from Lowe’s, Macy’s, Old Navy, The Gap, and Banner Financial—none of which she had initiated. Her mailbox was stuffed with letters from various retailers regarding recent transactions that she had not made. Unsure of what exactly was happening, she turned to the internet for answers and discovered that her identity had been stolen.
This mystery person had opened new credit cards in Natalie’s name at retailers like Neiman Marcus, Macy’s, and Express, and maxed each one of them out, purchasing everything from inexpensive toddler clothes, to designer apparel like Michael Kors tops and even a Gucci handbag. They also took out a $2,000 personal loan from Banner Financial, and they purchased an iPhone XS Max for $1,500 at an Apple store located less than three miles from Natalie’s apartment.
Perhaps the most alarming part came when she received a large bill from Nordstrom—the one retailer for which she had a legitimate credit card. Someone had spent $4,000 in gift cards to the department store using the last four digits of her social security number. Nordstrom, and many other retailers, sometimes allow cardholders to make purchases without their actual plastic card as long as they can provide the social security number and the driver’s license tied to the account. Natalie realized that somewhere in Dallas, someone else was carrying a plastic driver’s license with all of her personal information.
To make matters worse, remedying this issue is not exactly an easy task. It takes an astronomical amount of time to report an identity theft to credit bureaus and various retailers. Many customer service representatives are not properly trained on how to handle identity theft, resulting in conflicting information and instructions, depending on who answers your call. The process drags out for months, as most companies have a standard 60 to 90 day turnaround for resolving a credit breach.
Natalie will never know exactly how her personal information was stolen; new technology has made it easier than ever for ill-intentioned people to nab another’s identity in mere seconds. On the dark web, stolen information of innocent bystanders is sold without so much as a trace. Besides old school methods, like dumpster diving and mail pilfering, identity thieves now use data storage devices like skimmers attached to ATMs and credit card readers that steal your information with the swipe of a card. They also use tactics like phishing and pretexting by calling or emailing and claiming to be from a legitimate company. Some elaborate scams even do some pretty deep research into the people they are targeting—Natalie discovered that the person who stole her identity was able to give a loan agency her complete work history, meaning they had likely been snooping around on her LinkedIn or other social media accounts.
“That’s when it really felt personal,” Natalie says. “They had a driver’s license with my name, they had my social security number, but they also knew my address and things about my personal and professional life.”
Natalie admits that she wasn’t exactly vigilant when it came to protecting herself against cyber crimes. Like many others, she had never seen a full credit report of hers and was not consistent about checking her credit card transactions or statements. To prevent this from happening again, Natalie’s bank recommended she put a freeze on her credit, meaning no one can make inquiries without lifting the freeze using an assigned pin.
Though she isn’t liable for any of the fraudulent transactions that were made in her name, this identity theft caused Natalie’s credit score to plummet, and it could take up to eight months for it to climb back up. She’s also keeping a watchful eye on her taxes, since whoever has her identity can file in her name and collect whatever refund she is eligible for. Mostly, though, she is left to hurry up and wait—for each retailer to complete their fraud investigation, for the police department to close her case, and for it to happen again; Natalie’s bank advised her that many identity thieves strike a second time three to five years later when the victim’s guard is down. Natalie can get a new credit card, but her social security number isn’t changing. Her information is out there, and she can never get it back.
—
Social media has increased our sense of connection and the flow of information around the world, but it’s also opened us up to everything from minor public scrutiny to gross invasion of privacy. Privacy settings and friend requests make it seem like we have control over who sees what we think and say, and we do most of our networking from the comfort of our own homes, where our guards are down. We never know who our audience is. The awful truth is that cyber crime is hard to stop, since it can be committed from anywhere in the world, and the perpetrators can vanish so quickly, it’s as if they never even existed. It’s a case where the best offence is truly a good defense.
Yet, online school has made it possible for more people to get continuing education. Information can be shared around the world in a second. An Aberdeen Group study revealed that 73 percent of 18-34 year-olds found their last job through a social network, and a nearly identical percentage (72.1 percent) of college graduates indicated that they use online profiles to showcase their experience and search for work.
As useful as digital technology is for committing crimes, it’s equally useful for solving them; the information superhighway runs both ways, after all. Cases have been made over Snapchat and Skype. Age-old cold cases have been cracked by so called “armchair detectives”, who do all of their sleuthing online.
It’s no secret that the internet is a scary place. Cyberbullying is a rising problem, and every year, it seems as if there’s a new online hoax, whether it’s 2016’s creepy clowns, Slender Man, a videogame boogie man, or the Momo Challenge—a nonexistent social media challenge that parents thought was leading kids to commit suicide. It’s just another platform where we live our lives, with all of life’s benefits and pitfalls. Safety can be as simple as locking down your privacy settings, checking gas stations for skimmers, or posting about your vacations after you’re back—if we think to do so. Maybe part of the problem is that the digital world feels like our private living rooms, shared only with us and our friends, when really, it’s more like a crowded public restaurant. You don’t know who’s around. But still, that doesn’t mean you don’t show up.
