I never ex­pected to be the tar­get of porn black­mail

The Irish Times - Business - - BUSINESS - Kar­lin Lilling­ton

Ear­lier this week, while check­ing my spam folder in search of a way­ward email, one mes­sage caught my eye. The sub­ject head­ing was one of my own lo­gin names and its match­ing pass­word. Click­ing it open, I dis­cov­ered a long, im­pu­dent email in messy English telling me that the au­thor had in­stalled key­log­ging soft­ware on my com­puter when I (sup­pos­edly) vis­ited a porn site. The writer claimed to have ac­ti­vated the cam­era on my com­puter to record me vis­it­ing the site, as black­mail ev­i­dence. And they also claimed to have full ac­cess to my com­puter.

If I sent $3,000 in bit­coin to an ac­count, the per­son would de­stroy the video. If not, the per­son would mail it to all my con­tacts, gath­ered by the mal­ware from my email, phone and so­cial me­dia con­tacts. If I wanted them to prove this wasn’t a bluff, they would send the video to a ran­dom 11 con­tacts (why 11? But then, I sup­pose, in hacker world, why not?).

I had a day to make the pay­ment to pre­vent this hu­mil­i­at­ing Ar­maged­don.

I knew the spe­cific threat was dis­con­nected from re­al­ity, be­cause I hadn’t vis­ited a porn site since work­ing on a story for the Guardian in 1998 on how the porn in­dus­try tended to be the ear­li­est adopter of new tech­nolo­gies. (It was a chal­leng­ing, but fas­ci­nat­ing story to do, and a syn­di­cated frag­ment of the much longer ar­ti­cle re­mains on­line.)Back then, there were no cam­eras on PCs un­less you at­tached your own, so I knew there weren’t 20-year-old videos drift­ing around.

I checked with a friend and ex­pert on com­puter se­cu­rity, who re­as­sured me that the email had been do­ing the rounds for a while and to dis­re­gard it as a bluff.

But it’s a par­tic­u­larly de­vi­ous and prob­a­bly lu­cra­tive bluff be­cause, like it or not, pornog­ra­phy is pop­u­lar on­line: one in eight Amer­i­cans reg­u­larly vis­its such sites. Peo­ple also tend to use the same lo­gins and pass­words at mul­ti­ple sites. So that email threat must ter­rorise a cer­tain num­ber of peo­ple into be­liev­ing ev­ery word of it.

Even though I knew the porn threat was false, the let­ter wor­ried me. They had one lo­gin and pass­word com­bi­na­tion. Did they have oth­ers? Was there hid­den mal­ware on my lap­top? Did they have ac­cess to my work and home email ac­counts, my credit card num­bers, my so­cial me­dia? Was I go­ing to have to me­thod­i­cally go through and change pass­words on dozens of sites, can­cel credit cards, and dis­in­fect my lap­top? Had the pur­ported mal­ware sent it­self to all my con­tacts, in­fect­ing hun­dreds of oth­ers?

Be­cause that’s how hacks work. My in­for­ma­tion was prob­a­bly part of mul­ti­ple tranches from hacked servers and net­works, sold on the dark web. Any­one could have it now. But most likely, this par­tic­u­lar black­mailer is sim­ply us­ing a pur­chased list of email ad­dresses, matched to lo­gins and pass­words, to gen­er­ate a stan­dard email in which the rel­e­vant sub­ject de­tail is paired to its match­ing email ad­dress.

This is just one de­vi­ous way in which hacked data can be put to un­ex­pected pur­poses that tran­scend how many of us think about, and may be af­fected by, hacks and data breaches. In this case, it’s pure so­cial ma­nip­u­la­tion: the hacker isn’t on your PC at all, and doesn’t have the in­for­ma­tion or ev­i­dence they claim, but you don’t know that. For many peo­ple the threat will ring true, and a pay­ment will be made.

Wider worry

This isn’t a cau­tion­ary tale warn­ing against reusing pass­words or vis­it­ing porn sites, or fail­ing to tape over the cam­era on your in­ter­net-ac­cess­ing de­vices. Nor is it an amus­ing anec­dote.

It’s a re­minder that once your data is breached – even just a small amount, like a sin­gle lo­gin and pass­word – it leaves you vul­ner­a­ble in ways you might never imag­ine. I cer­tainly never ex­pected to be the tar­get of porn black­mail. That the threat to me was mean­ing­less be­cause I couldn’t be black­mailed over some­thing that didn’t hap­pen, didn’t help as­suage the wider worry that the per­son might also have full ac­cess to other in­for­ma­tion.

This – ex­actly this – is why strong con­sumer pro­tec­tions and laws that re­quire timely dis­clo­sure of data breaches are cru­cial. It’s why the Face­book-Cam­bridge An­a­lyt­ica scan­dal must shock, or this week, the dis­clo­sure that Google knew for months that per­sonal data could be ex­posed through a soft­ware glitch on its Google+ so­cial me­dia plat­form yet didn’t re­port it, a con­cern Data Pro­tec­tion Com­mis­sioner He­len Dixon is ex­am­in­ing.

It’s why the Gen­eral Data Pro­tec­tion Reg­u­la­tion, with its manda­tory breach dis­clo­sure re­quire­ments and its mean­ing­ful fines (if used), is so im­por­tant. And why the EU and US must be able to prove the vi­a­bil­ity of transat­lantic data trans­fer agree­ment Pri­vacy Shield – per­ti­nent to trans­fers that in­volve some of our most sen­si­tive data, moved about by some 4,000 com­pa­nies – when it has its se­cond an­nual re­view in com­ing weeks.

It’s just one de­vi­ous way in which hacked data can be put to un­ex­pected pur­poses

Newspapers in English

Newspapers from Ireland

© PressReader. All rights reserved.