I never expected to be the target of porn blackmail
Earlier this week, while checking my spam folder in search of a wayward email, one message caught my eye. The subject heading was one of my own login names and its matching password. Clicking it open, I discovered a long, impudent email in messy English telling me that the author had installed keylogging software on my computer when I (supposedly) visited a porn site. The writer claimed to have activated the camera on my computer to record me visiting the site, as blackmail evidence. And they also claimed to have full access to my computer.
If I sent $3,000 in bitcoin to an account, the person would destroy the video. If not, the person would mail it to all my contacts, gathered by the malware from my email, phone and social media contacts. If I wanted them to prove this wasn’t a bluff, they would send the video to a random 11 contacts (why 11? But then, I suppose, in hacker world, why not?).
I had a day to make the payment to prevent this humiliating Armageddon.
I knew the specific threat was disconnected from reality, because I hadn’t visited a porn site since working on a story for the Guardian in 1998 on how the porn industry tended to be the earliest adopter of new technologies. (It was a challenging but fascinating story to do, and a syndicated fragment of the much longer article remains online.) Back then, there were no cameras on PCs unless you attached your own, so I knew there weren’t 20-year-old videos drifting around.
I checked with a friend and expert on computer security, who reassured me that the email had been doing the rounds for a while and to disregard it as a bluff.
But it’s a particularly devious and probably lucrative bluff because, like it or not, pornography is popular online: one in eight Americans regularly visits such sites. People also tend to use the same logins and passwords at multiple sites. So that email threat must terrorise a certain number of people into believing every word of it.
Even though I knew the porn threat was false, the letter worried me. They had one login and password combination. Did they have others? Was there hidden malware on my laptop? Did they have access to my work and home email accounts, my credit card numbers, my social media? Was I going to have to methodically go through and change passwords on dozens of sites, cancel credit cards, and disinfect my laptop? Had the purported malware sent itself to all my contacts, infecting hundreds of others?
Because that’s how hacks work. My information was probably part of multiple tranches from hacked servers and networks, sold on the dark web. Anyone could have it now. But most likely, this particular blackmailer is simply using a purchased list of email addresses, matched to logins and passwords, to generate a standard email in which the relevant subject detail is paired to its matching email address.
This is just one devious way in which hacked data can be put to unexpected purposes that transcend how many of us think about, and may be affected by, hacks and data breaches. In this case, it’s pure social manipulation: the hacker isn’t on your PC at all, and doesn’t have the information or evidence they claim, but you don’t know that. For many people the threat will ring true, and a payment will be made.
This isn’t a cautionary tale warning against reusing passwords or visiting porn sites, or failing to tape over the camera on your internet-accessing devices. Nor is it an amusing anecdote.
It’s a reminder that once your data is breached – even just a small amount, like a single login and password – it leaves you vulnerable in ways you might never imagine. I certainly never expected to be the target of porn blackmail. That the threat to me was meaningless because I couldn’t be blackmailed over something that didn’t happen did not help assuage the wider worry that the person might also have full access to other information.
This – exactly this – is why strong consumer protections and laws that require timely disclosure of data breaches are crucial. It’s why the Facebook-Cambridge Analytica scandal must shock, as must this week’s disclosure that Google knew for months that personal data could be exposed through a software glitch on its Google+ social media platform yet didn’t report it, a concern Data Protection Commissioner Helen Dixon is examining.
It’s why the General Data Protection Regulation, with its mandatory breach disclosure requirements and its meaningful fines (if used), is so important. And it’s why the EU and US must be able to prove the viability of the transatlantic data transfer agreement Privacy Shield – pertinent to transfers that involve some of our most sensitive data, moved about by some 4,000 companies – when it has its second annual review in the coming weeks.