Sunday August 19, 2012
What the hack happened?
By LISA GOH
Losing your personal particulars to hackers can lead to financial losses, heartaches, loss of reputation – and sometimes friends, too.
IT starts out so innocently. A simple vote request by an acquaintance for a competition on Facebook; one click and law student Sharlyn J. discovers she has been hacked and locked out of all her social media accounts emails, Facebook, Twitter, Skype and MSN Messenger.
“I clicked on the link and a new window popped up. It looked exactly like Facebook – the colour and the fonts – but I didn’t double check the URL. That was my mistake.
“The site required me to type in my email address and password. I was a little reluctant at first but the girl kept pleading for me to vote for her so in the end, I did. Right after that, I knew something was wrong. I got locked out of all my accounts,” says Sharlyn, 19, of the incident last May.
If that wasn’t bad enough, within the hour, she received a text message that said “Hi Sharlyn. Your full name is , your IC number is , your IP address is , you are a student at college etc.” The hacker demanded money in exchange for getting her accounts back.
Gone in a second: It’s a nightmare for anyone who has discovered that his or her personal particulars have gone into the wrong hands.
“He/she even said I’m not asking for much, just RM300. You can report to the police, but there’s no point. I can’t be tracked.’
“That person had all my personal particulars. I was really freaked out. I had just started college and was living on my own. What if he had my home address as well?”
Failing to get a response from Sharlyn, the hacker then sent another text message, offering her a discount of RM150.
“I called my mum and told her what happened. I was really scared but I ignored him. I lodged a police report and opened new accounts the next day to tell all my friends to delete the old ones,” she says.
However, even weeks on, the hacker was still assuming her identity and chatting with her friends – as she found out later. She never got any of her accounts back.
In other instances, the identity thief doesn’t come to you for money. He goes to your friends, as local film producer Wendy Wong discovered.
Early last month, Wong sent her notebook for servicing. After getting her notebook back two weeks later, her problems started. When she logged into her email account, there was a prompt saying that the account was in use.
She didn’t think much of it, but then came phone calls asking if she was all right and if she was stranded in Spain.
Her email account had been hacked. Assuming her identity, the hacker emailed all her contacts to tell them she had lost her wallet and asked them to send money so she could settle her hotel bill in Spain. The hacker asked her contacts to send her RM10,929 (2850) via Western Union to an address in Madrid.
“I was in Kuala Lumpur all the while. Good thing some of my friends called me to check before sending money over. I had friends who were already planning to transfer the money,” Wong says, adding that she was alerted of the situation by an mStar journalist who had called her to ask if she was indeed stranded in Spain.
Several attempts to change her password failed as the hacker made repeated assaults on her account. Wong has since lodged a police report and alerted the customer service of her email account provider.
“This has affected my reputation. Those who know me well would know I would never go around asking people for money. But what about those I have just met, or are just starting a business partnership with? What would they think of me?”
For that reason, Wong held a press conference early this month to clear her name and to alert all her contacts of her predicament.
“It’s not so easy for me to just get another email address as that’s where my contacts reach me. But it looks like I don’t really have much choice now,” she laments.
When it comes to hacking and identity theft, the most important thing is doing everything you can to make sure it doesn’t happen in the first place. – Nigel Tan
Symantec Malaysia systems engineering director Nigel Tan says that when it comes to identity theft, more often than not, it’s an opportunistic crime, and it’s a two-step process.
“Someone steals your personal information, then uses that information to impersonate you to commit fraud. It’s important to understand this two-step approach, because your defences also must work on both levels,” says Tan, who is Symantec’s principal consultant for Asia South.
According to the Symantec Internet Security Threat Report for the year 2011, a total of 232 million identities were breached worldwide, and of that, 80.5% were by hackers.
In 2011, the Malaysian Communications and Multimedia Commission (MCMC) recorded a total of 199 hacking complaints, and six identity theft complaints. For this year up till Aug 9, MCMC recorded 141 hacking complaints, with no identity thefts as yet.
Under the law, hacking itself is an offence under the Computer Crimes Act 1997, says KL Bar Information Technology Committee co-chairman Foong Cheng Leong.
Section 4 of the Act, for example, finds “unauthorised access with intent to commit or facilitate commission of further offence” a crime, whereby a person convicted could be liable to a fine not exceeding RM150,000, or to imprisonment for a term not exceeding 10 years, or both.
Further offences, such as cheating, can be pursued under the Penal Code, Foong explains. Victims can also file civil suits if the perpetrator is known to them.
However, identity theft could prove to be more than a mere inconvenience for victims, in light of Section 114A of the Evidence Act 1950, as it holds the account owner responsible for any material published from his/her account, “unless the contrary is proved”.
This amendment to the Act, passed in Parliament in April this year, drew heavy objections from various quarters.
On Thursday, Information, Communications and Culture Minister Datuk Seri Dr Rais Yatim announced that the Cabinet has decided to maintain it.
Hacker’s victim: Wong is worried that her reputation may have been marred by the stranger’s doings.
But what drives hackers to hack and steal another person’s identity?
Where previously the motive would have been to gain fame, Tan says more often than not these days, it’s for financial benefits. Social media sites have also not been spared.
“Hackers want to get into the social media because they want to exploit that circle of trust. When you see an email or link sent by someone you know, you’re more likely to respond,” he says.
“Never ever click on links. Open a new browser and type in the URL. If you get a phone call from a bank saying your account has some issues, and they require your personal information, hang up and call the bank directly and ask them if they really have a problem with your account,” he says. (Refer to chart for more Do’s & Don’ts.)
He also advocates using different passwords for different accounts and changing them regularly (once every 90 days is ideal). Using the two-factor identification facility (where both a password and a code sent to your mobile is needed to access an account) where available would also act as a deterrent.
“It’s important to understand how easily personal data is linked these days. Information that can be easily found on Facebook can include your place of birth, your mother’s name and other personal details. And these are usually the security questions banks use.
“Personal information flows so easily from one thread to another, and hackers are always waiting to exploit that,” he says.
And sometimes, it’s all a matter of being aware of the personal information you give out. “When a site or a person (even in legitimate circumstances) asks you for certain personal information, just stop and just ask yourself, Do they really need that information and am I comfortable in giving that information?’
Give it some consideration, and if you don’t think they do, then don’t give it. “When it comes to hacking and identity theft, the most important thing is doing everything you can to make sure it doesn’t happen in the first place.”