
Over the span of two years, Wood stole a total of $US57,000 from his neighbours in New Castle, England, to feed his nasty gambling habit. Was he some sort of masterful Facebook hacker? A Spam King in thief form? No, he was just a guy who ran a carpet-fitting business and happened to be good at uncovering information.
Wood spent 18 hours a day collecting personal details about his neighbours in conversation, through Facebook and Friends Reunited, and by stealing mail. He would subsequently sign onto the online bank accounts of his victims, claim he couldn’t remember the password, then correctly answer questions related to mothers’ maiden names and birthdays. To get cash, Wood changed the address of his victims’ accounts and withdrew money with the replacement cards he received in the mail. He finally got caught after transferring $US2500 directly to his own account.
All pretty horrible and heartless on Wood’s part. But the worst thing about his crime is how any guy like him — a slimy neighbour with nothing better to do but search for your info all day — can access your data. Does this mean we shouldn’t friend our neighbours on Facebook? What if they make us cookies? What if the cookies are delicious?
Being suspicious and secretive with our acquaintances probably won’t help too much. It’s the system that needs a change. The average generic security question — where you went to high school, your favourite movie — isn’t hard to answer. In fact, it’s probably sitting on your Facebook for everyone to see. We can’t continue allowing simple passwords and easy security questions to be the only barriers between our bank accounts and potential thieves. We need a new way to prove our identities online. Because no one should be able to access your bank account that easily. Especially not some jerk who’s looking for a quick way to score some cash.
[The Telegraph via ZDNet]

Stephen
Tuesday, August 16, 2011 at 2:45 PM
Thumbprints or retinal scans. Seriously, the hardware cost is fairly low, and it could be used fairly ubiquitously.
Personally, I’d prefer the retinal scan as it’s a lot more difficult for a crook to cut my eye out and use it for nefarious purposes.
Ogre
Tuesday, August 16, 2011 at 2:54 PM
They wouldn’t have to cut your eye out. They would just need a way to intercept the data that your computer sends every time you scan your retina (actually retina scans aren’t so good, laser light on your retina can’t be good for your eyesight, which is why we now have iris scans), and then they just have to send the same data when they try to log into your account.
When this happens, how do you intend to change your “password”?
Parker
Tuesday, August 16, 2011 at 3:10 PM
+1
Parker
Tuesday, August 16, 2011 at 3:12 PM
I also reckon we should have all our card information (credit/library/loyalty etc) attached to that retina scan.
No more wallet full of cards to fumble around with/lose, just scan your eyeball and choose the account you want to use.
Thorbjørn
Tuesday, August 16, 2011 at 2:55 PM
In Denmark we have an extra security system for pretty much everything. It’s a universal system that’s used to access State sites like payment of student support, sorting taxes etc. but it’s also used to access your banks.
It’s basically a physical piece of paper with 4-digit and 6-digit numbers. Every time you want to access one of the above mentioned things, you have to put in your social security number as an ID, and enter your password. Then the system gives you a 4-digit number and you have to enter the 6-digit number next to it. Each number can only be used once, so when you’re running low on secret codes on your card, you have to request to get a new card.
While this seems fairly safe and actually works really well, it is quite annoying to have to carry around this piece of paper with numbers on it.
Ben Zemm
Tuesday, August 16, 2011 at 4:29 PM
That would be some simple authentication too! If the system gave you a number that has been used before or not on your list you know you are not on a legitimate site!
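The code-card scheme described in the two comments above, as an added sketch that is not part of the original comments and is not the Danish system's actual code. The class names, the card size, and the choice to burn an entry after a wrong answer are assumptions made for illustration.

```python
import hmac
import secrets


class CodeCard:
    """Server-side record of one printed card: 4-digit index -> 6-digit code."""

    def __init__(self, size=10):
        self.codes = {}
        while len(self.codes) < size:  # dict keys keep the indexes unique
            index = f"{secrets.randbelow(10_000):04d}"
            self.codes[index] = f"{secrets.randbelow(1_000_000):06d}"
        self.pending = None  # index of the challenge awaiting an answer

    def printed_copy(self):
        """The paper card mailed to the user."""
        return dict(self.codes)

    def challenge(self):
        """Pick an unused index; None means a new card must be requested."""
        if not self.codes:
            return None
        self.pending = secrets.choice(sorted(self.codes))
        return self.pending

    def verify(self, response):
        """Check the answer to the pending challenge and burn that entry."""
        if self.pending is None:
            return False  # nothing outstanding, e.g. a replayed code
        # Assumption: the entry is burned even on a wrong answer, so one
        # index cannot be guessed at repeatedly.
        expected = self.codes.pop(self.pending)
        self.pending = None
        return hmac.compare_digest(expected.encode(), response.encode())


class CardHolder:
    """User side: the paper card, plus the check from the reply above."""

    def __init__(self, printed):
        self.unused = dict(printed)

    def answer(self, index):
        # A challenge that is not on the card, or is already crossed off,
        # did not come from the real service: reveal nothing.
        if index not in self.unused:
            raise ValueError("unknown or reused challenge: possible fake site")
        return self.unused.pop(index)
```

The user-side check only catches a fake site that guesses an index; a site that relays a genuine challenge from the real service in real time still passes it.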
GG
Tuesday, August 16, 2011 at 3:12 PM
In some parts of Europe they simply use something called digipass to get into your bank account. With the latest version you stick your bank card in the reader and it gives you a code. That code together with your password gives you access to your account. If you want to transfer money you need to get another code from the device. It’s fairly safe and without the device you can’t access the bank account.
(Works in combination with chips on your bank card, which seems to be a problem for some banks here in Oz.)
EckyThump
Tuesday, August 16, 2011 at 3:16 PM
“If Facebook fraudster Iain Wood has taught us anything, it’s to distrust thy neighbour”
I think it’s more like distrust ‘Facebook’ or its kin! Call me paranoid, I like my privacy! #]
InformedGamer
Tuesday, August 16, 2011 at 3:34 PM
I may or may not have used this method (minus the stealing money and mail) to gain access to people’s Facebook accounts for the lulz.
When their secret question is “What is my first name” or “What school did I go to”, and the answer is already on their Facebook, I blame their stupidity.
Chip Usall
Tuesday, August 16, 2011 at 5:01 PM
So we need to improve security and biometric approaches have some restrictions. Why not just insert an RFID chip into every single person who needs to access ‘the grid’ (i.e. internet, banks, medical services, social security…). Not only would this be secure and centralised, but those who step out of line could have their chip turned off!!!
People should learn to set secure passwords, and consider if they want to use guessable ‘I forgot my password’ questions. After all, you need not use this question if you manage your passwords (and don’t forget them). As InformedGamer points out, it is THEIR stupidity…
This article (syndicated from the Telegraph, UK) is a part of a global scare campaign on online security.
I, for one, look forward to legislation that will protect us from novices like this halfwit (Mr Wood). Please take my liberties and freedoms as long as I need not think for myself.
Will
Tuesday, August 16, 2011 at 7:42 PM
There is a simpler way, which my neighbour once used on me. He stole from my letterbox a checkbook sent by my bank, and forged cheque after cheque. No need for Facebook!
Damn I was mad at my bank, first, for sending out the chequebook, and second, for not being able to do one useful thing about it. I had to open an account at another bank and put my pay in that in order to keep money.
Dinghy plans
Wednesday, August 17, 2011 at 2:28 AM
Don’t trust anyone... simple.
Quin
Wednesday, August 17, 2011 at 9:28 AM
Anyone else wonder where New Castle, England is? lol…
Sam
Wednesday, August 17, 2011 at 2:06 PM
Use cash only…
WoW authenticator, gives a new code every 30 seconds
LumpyJoe
Wednesday, August 17, 2011 at 10:34 PM
‘Secret question’ security hasn’t been well implemented; if you are signing onto a site that requires its use you should avoid the easily answered questions.
Facebook should not be suggesting that a person’s high school attendance and immediate ancestry is enough of a secret that it can be used to positively identify a user. Suggesting a question that can only be answered with an actual secret might be a bit too tricky to implement.
What alternative secret questions would you lot suggest?